You're putting your customer list, your job calendar, and your invoices into Cashor. That's a lot of trust. Here's what we do to keep it safe.
Encryption
All traffic between your phone, your browser, and Cashor runs over TLS. The database that holds your account data is encrypted at rest with AES-256, managed by our cloud database host. Session cookies use the __Host- prefix, are marked HTTPS-only, and are scoped to cashor.app so they can't leak to other sites.
Authentication
You sign in with a one-time code we text to your phone, delivered through a US tier-1 carrier. We never store passwords, because we never use them. Sign-in attempts are rate-limited so nobody can brute-force their way into your account. After too many failed attempts, the line locks for a cooling-off window.
Authorization
Every API call is scoped by tenant. An operator can never see another operator's customers, jobs, quotes, or invoices, regardless of how the request is shaped. We test this in continuous integration on every change to the codebase. Reviews are required before any change to the data-access layer ships.
Webhooks
Inbound webhooks from our payment processor, SMS carrier, and email provider are signature-verified where the provider supports it, and basic-auth gated where it doesn't. Duplicate webhook deliveries are de-duplicated by event ID so a retried delivery never double-charges a customer or double-counts a payment.
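The verify-then-de-duplicate flow described above can be sketched as follows. This is an added example, not Cashor's code or any provider's API: the hex HMAC-SHA256 signature over the raw body, the event field names, and the in-memory set of seen IDs are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed value, not a real key


def sign(body: bytes, secret: bytes = SECRET) -> str:
    """Hex HMAC-SHA256 over the raw body (assumed scheme; providers differ)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    def __init__(self, secret: bytes = SECRET):
        self._secret = secret
        # In production this would be a durable store with a unique constraint
        # on the event ID, so concurrent retries cannot both pass the check.
        self._seen_event_ids = set()
        self.paid_cents = {}  # invoice id -> total recorded (hypothetical ledger)

    def handle(self, raw_body: bytes, signature: str) -> str:
        # Verify over the exact bytes received, before parsing anything.
        expected = sign(raw_body, self._secret)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "rejected"
        try:
            event = json.loads(raw_body)
            event_id = str(event["id"])
            invoice = str(event["invoice"])
            amount = int(event["amount_cents"])
        except (ValueError, KeyError, TypeError):
            return "malformed"
        if event_id in self._seen_event_ids:
            return "duplicate"  # acknowledge the retry, apply nothing
        self._seen_event_ids.add(event_id)
        self.paid_cents[invoice] = self.paid_cents.get(invoice, 0) + amount
        return "processed"


def demo() -> dict:
    rx = WebhookReceiver()
    # Constructed sample event.
    body = json.dumps({"id": "evt_001", "invoice": "inv_42", "amount_cents": 12500}).encode()
    sig = sign(body)
    results = [rx.handle(body, sig), rx.handle(body, sig)]  # first delivery, then a retry
    results.append(rx.handle(body.replace(b"12500", b"99999"), sig))  # body altered in transit
    return {"results": results, "paid": rx.paid_cents}
```

The retried delivery returns "duplicate" and leaves the recorded total unchanged, and the altered body fails the signature check before any field is read.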
Backups and recovery
Your account data is backed up daily with point-in-time recovery. Backups are encrypted at rest. We test restore from backup on a recurring schedule.
Logging and monitoring
We log access to sensitive endpoints, payment events, and admin actions. Logs are retained for a limited window and scrubbed of sensitive content (phone numbers, message bodies, customer names). An alerting system pages an engineer when error rates spike or a critical subsystem goes unhealthy.
Compliance posture
We're working toward SOC 2 Type 1. We follow industry-standard controls today and welcome customer security questionnaires. Email security@cashor.app and we'll send you what we have.
Vulnerability disclosure
If you find a security issue, please tell us at security@cashor.app. We commit to acknowledging your report within 72 hours, and we'll work in good faith with you on a fix and disclosure timeline. We don't run a paid bug bounty yet. We do credit reporters publicly when they want it.
What we don't do
- We don't collect or store customer credit card numbers. Our payment processor handles that, and your customer's card data never touches our servers.
- We don't store full bank account or routing numbers. Financial-connections tokenization handles that on our behalf.
- We don't sell your data, and we don't share it with advertising platforms.
Contact
Security issues: security@cashor.app. Privacy questions: privacy@cashor.app.
Cashor, Inc.
Last updated: 2026-05-17.