Security & Trust
Your field service data is critical to your business. JobsiteOn is built with enterprise-grade security so you can focus on your customers, not your infrastructure.
Encryption
Data in Transit
All communication between your browser (or mobile device) and JobsiteOn servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on every endpoint and use HSTS headers to prevent protocol downgrade attacks.
Data at Rest
Customer data stored in our PostgreSQL databases is encrypted at rest using AES-256 encryption. Backups and file attachments are subject to the same encryption standard.
Authentication
JobsiteOn uses short-lived JSON Web Tokens (JWTs) for session management. Tokens are stored in cookies set with the HttpOnly, Secure, and SameSite attributes to mitigate XSS and CSRF risks.
Multi-factor authentication (MFA) support is available for account owners and administrators. We recommend enabling MFA on all accounts with billing or administrative access.
Infrastructure
Our backend services are hosted on Railway with automatic scaling and zero-downtime deployments. Frontend applications are deployed on Vercel with a global edge network for fast page loads worldwide.
Production databases run on managed PostgreSQL with automated daily backups and point-in-time recovery. Backups are retained for 30 days.
Data Retention & Deletion
We retain your account and business data for the duration of your active subscription. If you cancel your account, your data is retained for 90 days to allow for reactivation, after which it is permanently deleted from our production systems.
You may request full data export or deletion at any time by contacting security@jobsiteon.com. We process deletion requests within 30 business days.
Compliance
SOC 2
JobsiteOn is actively working toward SOC 2 Type II certification. Our security controls are designed around the Trust Services Criteria for security, availability, and confidentiality.
GDPR
We follow GDPR-compliant data handling practices. Users can request access to, correction of, or deletion of their personal data. We maintain a record of processing activities and have appointed a data protection point of contact.
CCPA
California residents can exercise their rights under the California Consumer Privacy Act, including the right to know, delete, and opt out of the sale of personal information. JobsiteOn does not sell personal data.
Subprocessors
We work with a limited set of trusted subprocessors to deliver our service. Each subprocessor is evaluated for security posture and compliance before onboarding.
| Provider | Purpose | Data Processed |
|---|---|---|
| Stripe | Payment processing | Billing details, payment method tokens |
| SendGrid | Transactional email | Email addresses, notification content |
| Railway | Application hosting | Application data, database storage |
| Vercel | Frontend hosting & CDN | Static assets, edge-cached pages |
Incident Response
We maintain an incident response plan that covers detection, containment, eradication, and recovery. In the event of a confirmed data breach, affected customers are notified within 72 hours in accordance with GDPR requirements.
To report a security vulnerability or concern, contact us at security@jobsiteon.com. We acknowledge all reports within one business day.
Last updated: February 2026