Security
Effective: April 2, 2026
Protecting your workforce data, operational records, and client information is foundational to everything we build. This page describes how Attlock approaches security across infrastructure, application, and organizational layers.
To report a security concern or vulnerability, contact us at support@attlock.com. We acknowledge all reports within 3 business days.
Compliance and Assessments
SOC 2 Readiness
Platform built following SOC 2 trust service criteria. Formal certification on our roadmap.
GDPR
Data Processing Agreements and Standard Contractual Clauses available on request.
PIPEDA
Built to comply with Canadian privacy legislation for all customer data.
Security Reviews
Regular internal security reviews and vulnerability assessments across all services.
For enterprise customers who require compliance documentation, security questionnaire responses, or a Data Processing Agreement, please contact support@attlock.com.
Infrastructure Security
Attlock runs on modern cloud infrastructure with security built into every layer:
- Cloud Hosting: Production systems run on enterprise-grade cloud providers with SOC 2 and ISO 27001 certifications. Primary infrastructure is hosted in North America.
- Network Security: All services operate within private networks with strict firewall rules, network segmentation, and intrusion detection systems. No public exposure of internal services.
- Availability: Multi-region architecture with automated failover, health monitoring, and real-time alerting. Target uptime of 99.9%. Monitor real-time status at status.attlock.com.
- Secrets Management: All credentials, API keys, and tokens are stored in dedicated secrets management systems with audit logging. No secrets in source code.
- CI/CD Security: Automated builds with dependency vulnerability scanning, static analysis, and signed deployments.
Encryption
In Transit
All data transmitted between clients and servers is encrypted via TLS 1.2+ (HTTPS). Internal service-to-service communication is encrypted. We enforce HSTS and support modern cipher suites only.
At Rest
All stored data, including database records, file uploads, backups, and logs, is encrypted at rest using AES-256 or equivalent industry-standard algorithms.
Authentication and Access Control
- Authentication: User authentication is managed by an enterprise identity platform supporting email/password, SSO, social login, and multi-factor authentication (MFA).
- Role-Based Access Control (RBAC): Every user is assigned a role (Owner, Admin, Supervisor, Guard, Client) with granular permissions. Access to data and actions is enforced both in the UI and at the API layer.
- Multi-Tenant Isolation: All data is scoped by company. Every query, mutation, and action validates the user's identity and company association before any data is accessed or modified. Cross-tenant data access is architecturally prevented.
- Session Management: Sessions are time-limited with automatic expiration. Refresh tokens are rotated and revoked upon sign-out.
- Internal Access: Attlock employee access to production systems follows least-privilege principles. All access requires MFA and is audit-logged.
Application Security
- Input Validation: All external inputs are validated and sanitized at API boundaries before processing.
- OWASP Protection: The platform is built with protections against common web vulnerabilities including XSS, CSRF, SQL injection, and broken authentication patterns.
- API Security: All API endpoints require authentication. Rate limiting, request throttling, and abuse detection are enforced to prevent misuse.
- Dependency Scanning: Third-party dependencies are continuously monitored for known vulnerabilities with automated alerts and remediation workflows.
- Code Review: All code changes undergo review before deployment. Security-sensitive changes require additional sign-off.
Mobile Application Security
Attlock's mobile applications are built with security-first principles:
- Permission-Based Access: Location, camera, microphone, and storage permissions must be explicitly granted by the user. All permissions can be revoked at any time via device settings.
- Data on Device: No sensitive data is stored permanently on device. Captured media (photos, videos) is uploaded to encrypted storage and removed from local storage after upload.
- Sign-Out Enforcement: All background services (GPS tracking, push notifications) cease immediately upon sign-out. No data transmission occurs when the user is signed out.
- Secure Communication: All mobile API calls use HTTPS with certificate pinning where supported.
Third-Party Services
We use a limited number of vetted third-party service providers to deliver the platform. All providers are evaluated for security posture, bound by data processing agreements, and subject to periodic review.
Our providers fall into these categories:
- Cloud Infrastructure & Hosting: Enterprise-grade providers with SOC 2 and ISO 27001 certifications, hosted in North America.
- Authentication & Identity: Dedicated identity platform supporting SSO, MFA, and session management.
- Payment Processing: PCI DSS Level 1 certified payment processor. Attlock does not store credit card numbers.
- Communications: Transactional email delivery with minimal data exposure (email addresses only).
- Monitoring & Analytics: Error tracking and performance monitoring services that do not process customer business data.
Enterprise customers may request our full subprocessor list with processing details and data residency information by contacting support@attlock.com.
Organizational Security
- Security Training: All team members complete security awareness training covering data handling, phishing prevention, and incident reporting.
- Confidentiality: All employees and contractors sign confidentiality and non-disclosure agreements before accessing any systems or data.
- Least Privilege: Production access is restricted to personnel with a documented need. Access is reviewed periodically and revoked upon role change or departure.
- Vendor Management: Third-party providers are evaluated for security posture before onboarding and reviewed periodically. Providers processing customer data must sign DPAs.
Incident Response
Attlock maintains a documented incident response plan with defined severity levels, escalation paths, and notification procedures:
- Detection: Continuous monitoring with automated alerting for anomalous activity, unauthorized access attempts, and system failures.
- Response: Predefined runbooks for common incident types with clear ownership and escalation timelines.
- Notification: Affected customers are notified within timeframes required by applicable law (typically within 72 hours). Notifications include the nature of the incident, categories of data affected, and remediation steps.
- Post-Incident: Root cause analysis conducted for all incidents with documented corrective actions to prevent recurrence.
Data Retention and Deletion
- Customer data is retained for the duration of the active subscription and in accordance with the customer's documented retention instructions.
- Following termination of a Customer Agreement, all customer data is deleted or rendered inaccessible within 90 days. A data deletion confirmation is provided upon request.
- Backups are retained for a limited period for disaster recovery purposes and are encrypted at rest. Backup data follows the same deletion schedule.
- Aggregated, anonymized analytics data that cannot identify individuals may be retained beyond the subscription term.
Account Deletion
Account owners can request full account deletion by contacting support@attlock.com. Upon deletion:
- All user accounts and authentication records are removed.
- Customer data including reports, schedules, incidents, and uploaded files is permanently deleted within 30 days.
- Encrypted backups containing the deleted data are purged within 90 days.
- Billing records may be retained as required by applicable tax and financial regulations.
Vulnerability Disclosure
We welcome responsible disclosure of security vulnerabilities. If you discover a vulnerability in any Attlock service:
- Email support@attlock.com with details of the vulnerability, including steps to reproduce.
- We will acknowledge your report within 3 business days.
- We will provide an initial assessment and expected timeline for remediation within 10 business days.
- We will notify you when the vulnerability has been resolved.
- Critical vulnerabilities affecting customer data will be communicated to affected customers via email.
We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it. We do not pursue legal action against researchers who follow responsible disclosure practices.
Questions
For security-related questions, compliance documentation requests, or to report a concern:
This page should be read alongside our Privacy Policy and Terms of Service.