Your data, isolated from every other tenant.
Tenant isolation at the database level, encryption in transit and at rest, US-hosted, continuous backups with point-in-time restore, audit log on every meaningful change.
What every tenant gets.
Tenant isolation
Every document carries a TenantId. Every query is scoped to it. Even SuperAdmin tools require explicit tenant selection — there is no app code path that returns cross-tenant data.
Encryption
TLS 1.2+ on every connection. Data at rest is encrypted by Azure Cosmos DB using service-managed keys.
US hosting
Your tenant data is stored on Azure in US regions. For EU/UK customers, transfers to the US are covered by the EU‑US Data Privacy Framework and Standard Contractual Clauses.
Backups
Continuous backup via Cosmos DB's built-in PITR. We can restore your tenant's data to any point in the last 30 days.
Role-based access
Five roles (SuperAdmin, CompanyAdmin, Manager, Employee, Client) with policy-enforced authorization on every page and API endpoint.
Audit log
Every state-changing event is captured with actor, timestamp, entity, and action. Per-tenant. Retained for the life of your tenant.
What we have, what we don't have yet.
What we have today
- Tenant isolation enforced at the data layer (every repository method takes a TenantId — there is no method that doesn't)
- Azure Cosmos DB with TLS-only connections; Microsoft-managed encryption at rest
- Sign-in delegated to our identity provider (WorkOS) — we store no passwords; it enforces password policy, MFA, and breached-password checks
- Audit log of every meaningful state change, per tenant
- Data retention & deletion: a cancelled account's data is purged after the retention window — invoices are anonymized where tax law requires the record be kept
- Data-subject access & erasure: we can export or delete a person's data on request
- A defined breach-response process with a 72-hour authority-notification clock
- Hosted in US Azure regions; sub-processors are Azure (hosting), WorkOS (sign-in), Stripe (payments), Azure Communication Services (email), Application Insights (diagnostics), and Google Fonts (web-font delivery)
What's on the roadmap (transparent: not yet)
- SOC 2 Type II report — under evaluation, likely 2027
- Customer-managed encryption keys (BYOK) — Q4 2026
- SSO via SAML / OIDC — when we hit our first customer that asks for it
- HIPAA / FedRAMP — not on the roadmap; we're not the right fit if you need either
Reporting a vulnerability: email security@sbassistant.com. We respond to legitimate security reports within one business day.