Every byte between your phone, our servers, and our database is encrypted in flight. No exceptions.
Passwords are never stored in plain text. Reversible encryption is never used.
Every database query, every endpoint, every file read enforces org_id. Architectural, not configurable.
Our database provider (MongoDB Atlas) encrypts all persistent data with AES-256.
Cloudflare Turnstile blocks bot accounts at the door. Brute-force login lockouts protect existing users.
Automated point-in-time backups retained for 7 days, with manual snapshots before any breaking deploy.
Authentication
Fieldlink uses custom JWT-based authentication. Passwords are hashed with bcrypt (cost factor 12) before storage — they are never stored, transmitted, or logged in plain text. Failed login attempts are rate-limited per email and per IP to prevent brute-force attacks. Suspicious activity is logged to the login_history collection.
Account signup is protected by Cloudflare Turnstile, a privacy-respecting CAPTCHA alternative — it blocks bots without showing puzzles to your real users.
Multi-tenancy isolation
Every Fieldlink customer ("org") has a unique org_id. This ID is:
- Stamped onto every document in the database (jobs, timesheets, photos, quotes, invoices, etc.).
- Filtered into every backend query — there is no API endpoint that returns data across orgs.
- Indexed at the database level for sub-millisecond lookups, so the isolation has zero performance cost.
- Permission-checked on file downloads (you can't deep-link to another org's signature PNG).
This means even Fieldlink staff cannot browse across orgs: we don't have a UI that allows it. Support requests that require us to view your data are documented and require your explicit consent first.
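As an added example (not Fieldlink's own code), here is one way the "architectural, not configurable" org_id rule can be enforced in a Node.js data layer: every read and write goes through a tenant-scoped wrapper that stamps and filters org_id, a caller cannot widen the filter to another org, and file downloads are checked against the caller's org. The in-memory collection, class names and sample data are constructed assumptions standing in for a MongoDB collection so the example runs offline.

```javascript
// Constructed in-memory stand-in for a MongoDB collection (runs offline).
class InMemoryCollection {
  constructor(docs) { this.docs = docs; }
  find(filter) {
    return this.docs.filter(d => Object.entries(filter).every(([k, v]) => d[k] === v));
  }
  insertOne(doc) { this.docs.push(doc); return doc; }
}

// Every query is built through this wrapper; there is no unscoped code path.
class TenantScopedCollection {
  constructor(collection, ctx) {
    if (!ctx || typeof ctx.org_id !== 'string' || ctx.org_id.length === 0) {
      throw new Error('tenant context with org_id is required');
    }
    this.collection = collection;
    this.org_id = ctx.org_id;
  }
  // Callers may narrow a query but can never widen it past their own org.
  scope(filter = {}) {
    if ('org_id' in filter && filter.org_id !== this.org_id) {
      throw new Error('cross-org query rejected');
    }
    return { ...filter, org_id: this.org_id };
  }
  find(filter) { return this.collection.find(this.scope(filter)); }
  insertOne(doc) { return this.collection.insertOne({ ...doc, org_id: this.org_id }); }
}

// File download check: a valid file id is not enough, the org must match too.
function canDownload(file, ctx) {
  return Boolean(file) && Boolean(ctx) && file.org_id === ctx.org_id;
}

// Constructed sample data: two orgs sharing one collection and one file store.
const jobs = new InMemoryCollection([
  { _id: 'j1', org_id: 'org_a', title: 'Fence repair' },
  { _id: 'j2', org_id: 'org_b', title: 'Deck build' },
]);
const files = { 'sig1.png': { org_id: 'org_a' }, 'sig2.png': { org_id: 'org_b' } };

function demo() {
  const asOrgA = new TenantScopedCollection(jobs, { org_id: 'org_a' });
  return {
    visible: asOrgA.find({}).map(j => j._id),                      // ['j1']
    byIdOtherOrg: asOrgA.find({ _id: 'j2' }).length,                // 0
    download: canDownload(files['sig2.png'], { org_id: 'org_a' }), // false
  };
}
```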
Data at rest
We store all customer data with MongoDB Atlas, which encrypts data at rest using AES-256. Sensitive fields like bank account numbers, customer signatures and uploaded photos sit on top of that platform-level encryption.
Data in transit
Every connection — browser → API, API → database, API → email provider, API → AI provider — is TLS 1.2 or newer. Unencrypted (plain HTTP) requests to the API are rejected. Cloudflare sits in front of every request for DDoS mitigation.
Backups & disaster recovery
MongoDB Atlas runs automated continuous backups for the production database with 7-day point-in-time recovery. We additionally snapshot before any database schema migration. Our recovery target is < 4 hours from last good backup. Backups are encrypted with the same standard as live data.
AI features and your data
When you use an AI feature (Invoice Scanner, SSSP drafter, future Quote Drafter), the specific content you submit is sent to either Anthropic Claude or OpenAI via their commercial API. Neither provider trains models on API data — this is contractually guaranteed in their commercial API terms.
AI features are opt-in per action — nothing is sent to an AI provider unless you click the AI button.
If something goes wrong
If we discover a security incident that affects your data, we will:
- Contain it immediately and disable any compromised credentials.
- Notify affected account owners by email within 72 hours, with a plain-English explanation of what happened and what was exposed.
- Notify the Office of the NZ Privacy Commissioner as required by the Privacy Act 2020.
- Publish a post-mortem within 30 days describing what changed to prevent recurrence.
Found a vulnerability? Please report responsibly to security@fieldlink.co.nz. We respond within 1 business day.
Contact
Security questions or responsible disclosure: security@fieldlink.co.nz