How we protect
your business.

CircleLogix runs on managed cloud infrastructure (Vercel for edge + a managed Postgres database) in the United States. All provider-level certifications (SOC 2, ISO 27001) apply at the infrastructure layer.

Traffic to circlelogix.com and the product apps is HTTPS-only with TLS 1.2+. HSTS is enabled at the edge.

In transit: TLS 1.2+ for every connection.

At rest: Database encryption (AES-256) is enabled by our managed database provider. Object storage and backups are encrypted at rest.

Inside the product, we use a 7-role permission system (Owner, Manager, Service Writer, Tech, Parts, Accounting, Read-only) with server-side enforcement on every mutation. Every action is audit-logged with the user, the change, and a timestamp.

On our side, production access is limited to CircleLogix operators who need it, with 2FA required and access reviewed regularly.

Daily encrypted backups of the production database, retained for 30 days. Point-in-time recovery for the most recent 7 days. We test restores regularly.

See the privacy policy for the full list of sub-processors. Each is reviewed for appropriate certifications and data-handling practices before we connect them.

Found something? Email security@circlelogix.com. We'll acknowledge within one business day. We don't have a bounty program yet, but we'll publicly credit reporters who follow responsible disclosure.

Please don't:attempt access to data that isn't yours; publicly disclose before we've had a chance to patch; or run automated scans that degrade service.

In the event of a security incident that affects customer data, we'll notify affected customers within 72 hours of confirming the incident. We'll publish a post-mortem on our status page once the investigation closes.

We're a small team and we're early. This page describes our intended controls. SOC 2 and ISO 27001 certifications are on our roadmap as we scale. Until then, we'll answer any security questionnaire directly — call us or email security@circlelogix.com.