Punchlist Security

This page describes the product-level controls and operational safeguards built into Punchlist today.

🔐 Data Encryption

HTTPS is required for production traffic
Credentials are never stored in client-side code
Passwords are stored as hashes, not plaintext
Account recovery uses expiring reset and verification tokens

🛡️ Access Control

Role-based permissions for owners, admins, and members
Company membership checks on protected workflows
Signed session tokens for authenticated requests
Device-aware session validation for mobile flows

🔍 Monitoring & Auditing

Audit history for key business events and status changes
Request logging for operational troubleshooting
Admin visibility for platform-level intervention where appropriate
Reviewable notification and billing events

🚫 Abuse Mitigation

Rate limiting on sensitive routes
CSRF protection for browser-submitted forms
Authorization checks before company-scoped actions
Validation on booking assignment and scheduling flows

🏢 Tenant Separation

Company-scoped data access across protected resources
Membership-aware company selection for web and API sessions
Checks that prevent cross-company reads and updates
Separate company subscriptions, members, and workflow records

👥 Data Privacy

Multi-tenant data isolation
Consent-aware analytics configuration
Account and company data export flows
Deletion and account-lifecycle controls
Privacy and terms pages published in-product

What We Publish Clearly

Account Recovery

Role Permissions

Audit Trails

CSRF Defences

Data Export & Deletion

We avoid publishing certifications, guarantees, or controls here unless they are actually implemented and supportable.

Security Practices

✅

Protected state changes: Sensitive browser actions require CSRF validation and authenticated sessions.

✅

Session controls: Login, logout, reset, switch-company, and booking flows all enforce request validation before action.

✅

Operational traceability: Audit history and workflow records make business changes easier to review.

✅

Permission boundaries: Team actions are restricted by role and company membership, not just client-side state.

✅

Account lifecycle controls: Users can request exports, deletion, and email verification or reset flows in-product.

✅

Continuous hardening: Security-sensitive controllers and middleware are reviewed and tightened as new edge cases are discovered.

Data Protection

Your business data is protected at every level:

Application layer: Authentication, authorization, CSRF protection, and company-scoped checks on protected routes
Workflow layer: Assignment and acceptance actions are validated against active memberships and role permissions
Account layer: Verification, reset, and logout flows prevent stale access from persisting silently
Privacy layer: Data export, deletion, and consent settings remain part of the product surface

Need more detail?

If you have procurement, security review, or privacy questions, use the contact page and include the specific controls you need clarified.

Get Started Free

Or contact the team for implementation questions

🔒 Security in Punchlist

🔐 Data Encryption

🛡️ Access Control

🔍 Monitoring & Auditing

🚫 Abuse Mitigation

🏢 Tenant Separation

👥 Data Privacy

What We Publish Clearly

Security Practices

Data Protection

Need more detail?

🍪 We use cookies

Cookie Preferences

Necessary Cookies

Analytics Cookies

Marketing Cookies