Encryption in transit
Every connection uses TLS 1.2+. Your data never crosses the open internet unencrypted, including PDF exports and Sully chats.
Incident reports, training records, and crew data are sensitive. Here's exactly how we protect them — and what we never do with them.
All customer data — incident reports, programs, training records, SDSs — is encrypted at rest in our managed Postgres database.
Every database query is scoped to your company. We use Postgres row-level security policies so one company's data is never visible to another, even in case of a bug.
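As an added illustration of the row-level security isolation described above (not Safety Simple's actual schema; the table, column, role and `app.company_id` setting names are hypothetical), this is how a Postgres policy keeps a query scoped to one company even when the application forgets its own filter:

```sql
-- Added illustration. Table, column, role and setting names are hypothetical.
CREATE TABLE incident_reports (
    id         bigserial PRIMARY KEY,
    company_id uuid NOT NULL,
    summary    text NOT NULL
);

-- ENABLE turns the policy on; FORCE applies it to the table owner as well.
-- Superusers and roles with BYPASSRLS still skip it, so the app gets neither.
ALTER TABLE incident_reports ENABLE ROW LEVEL SECURITY;
ALTER TABLE incident_reports FORCE ROW LEVEL SECURITY;

CREATE ROLE app_user NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON incident_reports TO app_user;
GRANT USAGE ON SEQUENCE incident_reports_id_seq TO app_user;

-- USING filters rows that are read, updated or deleted; WITH CHECK rejects
-- writes that would land in another company. An unset or empty setting
-- becomes NULL, so the comparison matches nothing (fail closed).
CREATE POLICY tenant_isolation ON incident_reports
    FOR ALL TO app_user
    USING      (company_id = NULLIF(current_setting('app.company_id', true), '')::uuid)
    WITH CHECK (company_id = NULLIF(current_setting('app.company_id', true), '')::uuid);

-- Constructed sample data: one report per company, written as that company.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.company_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO incident_reports (company_id, summary)
VALUES ('11111111-1111-1111-1111-111111111111', 'Forklift near miss');
COMMIT;

BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.company_id = '22222222-2222-2222-2222-222222222222';
INSERT INTO incident_reports (company_id, summary)
VALUES ('22222222-2222-2222-2222-222222222222', 'Ladder inspection overdue');

-- The "bug": a query with no WHERE company_id clause. The policy still
-- limits it to the rows of the company set for this transaction.
SELECT id, company_id, summary FROM incident_reports;

-- A write aimed at the other company violates WITH CHECK and is rejected,
-- which aborts this transaction.
INSERT INTO incident_reports (company_id, summary)
VALUES ('11111111-1111-1111-1111-111111111111', 'Cross-tenant write');
ROLLBACK;
```

The isolation holds only for roles that are subject to the policy, so the check worth running against any such setup is that the application's database role is neither a superuser nor granted `BYPASSRLS`.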
Email + password with strong hashing, plus Google Sign-In. Passwords are never stored in plaintext. Session tokens are short-lived and rotated automatically.
We run on enterprise-grade managed infrastructure (Supabase + Cloudflare) in U.S. data centers with 99.9% uptime SLAs and automated daily backups.
We collect what's needed to run your safety program — nothing else. We don't sell your data, and we don't share it with third parties for advertising.
Your data is yours. You can export your written programs, incident logs, training records, and audit history as PDFs at any time. If you cancel your subscription, we retain your records in a read-only state for 90 days so you can export them, then we delete them permanently.
Want a copy of everything in one ZIP? Email support@getsafetysimple.com and we'll send it within one business day.
If you've found a security issue, please email security@getsafetysimple.com. We'll acknowledge within one business day. We don't currently run a paid bug bounty, but we credit responsible disclosure.