Security & Data Privacy

Built to protect your business — and your customers' data

DetailFlowPro is a multi-tenant platform serving hundreds of independent detailing businesses. That means the security of one business's data must be completely independent from every other. Here's exactly how we achieve that.

This page describes our actual technical architecture. We only claim what we have implemented and can verify — no certifications are claimed that we have not earned.

Tenant isolation — your data is yours alone

Every DetailFlowPro account is a separate tenant. Your customers, bookings, staff, and business data are isolated from every other business on the platform.

This isolation is enforced at the database layer using PostgreSQL Row Level Security (RLS) policies on every table. Even if an application bug existed, the database itself would block any cross-tenant data access.

There is no shared customer pool, no shared booking calendar, and no shared analytics — each business sees only its own data.

Zero-trust API design — we never trust the client

Our API routes never accept sensitive values from the request body. Your business ID, your user role, and your subscription tier are always derived from your authenticated server-side session — not from anything your browser sends us.

This means a forged or tampered API request cannot impersonate another business, escalate privileges, or access data it shouldn't. Every sensitive operation is gated server-side against your verified session.

All input is validated on the server before any database operation. We do not trust frontend values for business logic — ever.
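As an added example (not DetailFlowPro's own code), the handler below takes the business ID and role from a server-side session lookup and reads only allow-listed fields from the request body. The session store, booking data, field names and the owner-only pricing rule are constructed assumptions; the in-memory Map stands in for verifying a Supabase Auth session.

```javascript
// Constructed server-side session store (hypothetical stand-in for verifying
// a Supabase Auth session). The client only ever holds the opaque token.
const SESSIONS = new Map([
  ["sess-alice", { businessId: "biz-A", role: "owner", expiresAt: Date.parse("2999-01-01") }],
  ["sess-bob", { businessId: "biz-B", role: "staff", expiresAt: Date.parse("2999-01-01") }],
  ["sess-old", { businessId: "biz-A", role: "owner", expiresAt: 0 }],
]);

// Constructed bookings belonging to two different tenants.
const BOOKINGS = [
  { id: 1, businessId: "biz-A", price: 120 },
  { id: 2, businessId: "biz-B", price: 90 },
];

// The only body fields the handler reads; anything else is ignored.
const ALLOWED_FIELDS = ["bookingId", "price"];

function resolveSession(req, now = Date.now()) {
  const header = (req.headers || {}).authorization;
  const token = typeof header === "string" ? header.replace(/^Bearer /, "") : "";
  const session = SESSIONS.get(token);
  return session && session.expiresAt > now ? session : null; // expired => rejected
}

function updateBookingPrice(req) {
  const session = resolveSession(req);
  if (!session) return { status: 401 };
  // Role comes from the session; owner-only pricing is an assumed rule.
  if (session.role !== "owner") return { status: 403 };

  // Copy allow-listed fields only, so body.businessId / body.role are never used.
  const input = {};
  for (const key of ALLOWED_FIELDS) input[key] = (req.body || {})[key];
  if (!Number.isInteger(input.bookingId)) return { status: 400 };
  if (!Number.isFinite(input.price) || input.price < 0) return { status: 400 };

  // Tenant filter uses the session's businessId. A booking owned by another
  // tenant looks the same as a missing one (404), so its existence is not revealed.
  const booking = BOOKINGS.find(
    (b) => b.id === input.bookingId && b.businessId === session.businessId
  );
  if (!booking) return { status: 404 };
  booking.price = input.price;
  return { status: 200, booking };
}
```

A body that carries `businessId: "biz-B"` or `role: "owner"` changes nothing here, because neither field is ever read.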

Payment security — Stripe handles every card

DetailFlowPro never receives, stores, or transmits full payment card numbers. All card data is handled exclusively by Stripe, a PCI DSS Level 1 certified payment processor.

When a customer pays for a booking, they enter their card details directly into Stripe's secure payment interface. We receive a tokenized payment confirmation — not the card number itself.

Stripe Connect is used for payouts to detailing businesses. This means your customers' card data is protected by Stripe's infrastructure, not ours.

Encryption in transit and at rest

All data transmitted between your browser, our servers, and our database is encrypted in transit using TLS 1.2 or higher. This is enforced by Vercel (our hosting provider) and Supabase (our database provider) on every request.

Data stored in our database is encrypted at rest. Supabase uses AES-256 encryption for stored data, which means your data is protected even in the unlikely event of physical storage compromise.

Passwords are stored as cryptographic hashes only — we never store plaintext passwords and cannot recover them.

Access controls — keys never leave the server

Our service role key — which has elevated database access — is never sent to the browser. It is only accessible inside server-side API routes, which means it cannot be extracted by a user inspecting network traffic or client-side code.

Authentication is handled by Supabase Auth. Sessions are cryptographically signed and expire automatically. Session tokens cannot be replayed after expiry.

Staff accounts on your business have role-based access controls: staff members can access only the features appropriate to their role, and cannot access billing, account settings, or other businesses' data.

What we don't claim (yet)

We believe in transparency. The following are common security certifications that some SaaS platforms hold. We do not currently hold these, and we won't claim them until we do:

  • SOC 2 Type II — not yet certified; on our roadmap as we scale
  • ISO 27001 — not certified
  • Third-party penetration test — not yet completed; planned

Security questions?

If you have a specific security question before signing up, or you've found a potential vulnerability, please reach out directly.

support@dalitek.us