Security
Last updated: July 8, 2026
Crew Rivet is built by Avion LLC for trade contractors, and it holds the operational heart of your business — your customers, invoices, and payments. We take that seriously. This page describes the security measures in place today. We describe only what is actually implemented, and we are clear about what is on our roadmap rather than claiming certifications we do not hold.
Encryption
- In transit: All traffic to Crew Rivet is served over HTTPS/TLS with HSTS enabled, so browsers refuse to connect over plain HTTP.
- At rest: Sensitive integration credentials — the access tokens for connected QuickBooks, Xero, and Google Calendar accounts, and two-factor authentication secrets — are encrypted with AES-256-GCM before they are stored. Application secrets are stored encrypted (SOPS + age) and are only decrypted on the server at deploy time.
Payments
Payment processing is handled by Stripe, a PCI-DSS Level 1 certified provider. Card entry and payouts happen on Stripe-hosted surfaces — Crew Rivet never sees, stores, or logs full card numbers or bank account details. Incoming payment webhooks from Stripe are cryptographically signature-verified and protected against replay before we act on them, and payment amounts are validated on our servers rather than trusted from the browser.
Access & tenant isolation
- Every account's data is isolated at the database layer so one business can never read another's jobs, invoices, or customers. This isolation is enforced by row-level security policies and verified by automated tests on every change.
- Team access is role-based — owners, managers, dispatchers, technicians, bookkeepers, and view-only roles each see only what their role permits.
- Passwords are hashed (never stored in plaintext); repeated failed logins trigger a temporary lockout; and resetting a password or logging out immediately invalidates existing sessions.
Backups
The database is backed up automatically every day. Before a backup leaves our server it is encrypted (age public-key encryption), and only the encrypted copy is uploaded offsite to an independent cloud provider (Backblaze B2) — so the offsite backup is unreadable without a private key we hold separately. Each backup is verified to decrypt before we trust it, and backup jobs alert us if a backup or its upload fails, so a silent gap can't go unnoticed. We are also building a scheduled, automated restore drill to continuously prove recoverability.
Data retention
We retain your data only as long as needed to provide the service and meet legal obligations. Specific retention periods (account data, message records, audit logs, and location data) are detailed in our Privacy Policy. You can request export or deletion of your data as described there.
Monitoring
We run error tracking, uptime and health checks, and an automated end-to-end synthetic check, with alerts routed to our operations team so issues are caught quickly.
What we don't claim
Crew Rivet is not currently SOC 2 or ISO 27001 certified, and we won't pretend otherwise. The measures above are real and in place; formal third-party certification is something we'll pursue as the business grows, and we'll update this page honestly when it changes.
Responsible disclosure
If you believe you've found a security vulnerability, please email security@crewrivet.com with reproduction steps. Please don't access or modify data that isn't yours. We welcome good-faith research that respects user privacy, and we'll acknowledge reports we receive.