
Trust

How we protect your data

Security is built into the foundation of Repzo Workstation — not a bolt-on. This page documents the controls that ship with every account.


Multi-tenant architecture

Every customer organization is a separate top-level tenant. Every database query is scoped to a single organization, and the data layer is built so that cross-tenant access is structurally impossible — not just policy-controlled.

Sessions, sub-accounts, and integrations all carry an organization context. We have never had a confirmed cross-tenant data exposure event. If we ever do, we will publish a transparent post-mortem within 30 days.

Authentication

Passwords are hashed with bcrypt and never stored in plaintext. Sessions use signed, HTTP-only cookies and rotate on privilege changes. Failed login attempts are throttled per IP and per account.

Two-factor authentication is supported for every user via TOTP (Google Authenticator, 1Password, Authy, etc.) with encrypted secrets and recovery codes. SSO via OIDC and SAML is on the enterprise roadmap.

Passkeys are available for users who prefer phishing-resistant authentication backed by WebAuthn.

Role-based access control (RBAC)

Repzo ships four hierarchical default roles — Owner, Admin, Manager, User — with a comprehensive permission system underneath. Owners can create unlimited custom roles tailored to specific job functions (e.g. read-only auditor, sales manager, support agent).

Permissions are granular at the action level (e.g. leads.update_own, deals.delete) rather than at the module level. This means you can grant a role permission to view leads but not delete them, or to read all deals while editing only the deals its members own.

Department-based data visibility

Beyond RBAC, Repzo enforces three data-visibility scopes per user, per module: "all" (sees everything in the org), "department" (sees own + child departments), and "own" (sees only records they own or are assigned to).

Visibility is enforced at the database query layer — not in the UI — so users cannot see hidden records by inspecting network requests or guessing IDs. Departments support hierarchical organization with drag-and-drop reorganization.

Encryption

Data is encrypted in transit using TLS 1.2+ for every connection between clients, our application servers, and the database.

Data is encrypted at rest in the database using AES-256. Sensitive fields (2FA secrets, integration credentials, OAuth tokens) receive an additional layer of application-level encryption under a separate key envelope, so even a compromised database snapshot does not expose those values in cleartext.

Audit trail

Every change to every entity is recorded in an immutable audit log: the user (or integration app), the entity, the action, before/after values, IP address, user agent, and timestamp.

The audit trail surfaces in the UI as a timeline on every record so admins can investigate "what changed and by whom" without writing SQL or filing a support ticket.

Soft delete

No core entity in Repzo is ever hard-deleted. "Delete" sets a deletedAt timestamp; every query automatically filters deleted records. Admins can audit and restore deleted records, and the audit trail captures both the deletion and any restoration.

This protects against accidental loss, ransomware, and rogue actors, and keeps a complete history available for compliance investigations.

API access

Programmatic API access uses Bearer tokens in the format foxa-{orgShortId}-{secret}. Only the SHA-256 hash of the secret is stored — the plaintext is shown once at creation and never again.

Every token has Stripe-style per-resource scopes (leads:write, tickets:read, etc.) so you can issue narrowly scoped tokens to integrations rather than granting broad access. API tokens are rate-limited, audited, and revocable from the developer apps settings.

Backups and recovery

We take daily encrypted backups of the database, retained for 30 days. Backups are tested regularly via point-in-time restoration drills.

In the event of a region-level outage, we have documented runbooks for promoting standby infrastructure. Our recovery point objective (RPO) is 24 hours; recovery time objective (RTO) is 4 hours.

Reporting vulnerabilities

If you discover a security issue in Repzo Workstation, please email info@repzo.com with details. We acknowledge reports within one business day and aim to provide a remediation timeline within five business days.

We do not currently run a paid bug bounty program but credit reporters in our security advisories with permission. Please give us reasonable time to remediate before public disclosure.

Questions about security?

Email us at info@repzo.com or talk to sales for a security questionnaire walkthrough.