How we protect crane company data. Row-level security on every table, TLS in transit, role-based access, and a documented incident response process.
All CraneOp data is stored in Supabase PostgreSQL with row-level security enabled on every table. No table exists in the CraneOp schema without an active RLS policy. Data is isolated per tenant at the database level, not just the application level.
Data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256. This applies to all production data including field tickets, operator records, compliance logs, and financial records.
Database views are defined with security_invoker = true to prevent RLS bypass through view definitions.
CraneOp uses role-based access control with five defined roles: HQ Admin, Company Admin, Dispatcher, Operator, and GC Portal user. Each role has a scoped permission set enforced at the database level via RLS policies, not only through application-layer checks.
Multi-factor authentication is available on all admin routes. Authorization decisions use app_metadata from Supabase Auth. User-editable user_metadata is never used for authorization decisions.
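The service role key is never exposed to the browser or client-side code. Server-side auth checks use getUser(), which validates the token with the Supabase Auth server, rather than getSession(), which returns the locally stored session without revalidating it, to prevent client JWT forgery.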
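The database-level controls described above (per-tenant RLS, role scoping from app_metadata, and security_invoker views), sketched as an added example that is not CraneOp's own schema. The table, column, policy, claim and role names are hypothetical; auth.jwt() and auth.uid() are the Supabase helper functions, and security_invoker requires PostgreSQL 15 or later.

```sql
-- Added example. Hypothetical names: field_tickets, company_id, operator_id,
-- the 'company_id' / 'role' claims and the role values.
create table field_tickets (
  id          uuid primary key default gen_random_uuid(),
  company_id  uuid not null,
  operator_id uuid not null,
  status      text not null default 'open'
);

alter table field_tickets enable row level security;
alter table field_tickets force row level security;  -- table owner is not exempt

-- Tenant isolation plus role scoping. Claims are read from app_metadata,
-- which only server-side code can write; user_metadata is never consulted.
create policy tenant_read on field_tickets
  for select to authenticated
  using (
    company_id = (auth.jwt() -> 'app_metadata' ->> 'company_id')::uuid
    and (
      (auth.jwt() -> 'app_metadata' ->> 'role') in ('company_admin', 'dispatcher')
      or operator_id = auth.uid()          -- operators see only their own rows
    )
  );

-- Without security_invoker the view runs with its owner's privileges and the
-- base table's RLS is evaluated for the owner, not the caller.
create view open_tickets
  with (security_invoker = true) as
  select id, company_id, operator_id
  from field_tickets
  where status = 'open';

-- Audit 1: tables with RLS disabled, or enabled but with no policy attached.
select c.relname, c.relrowsecurity
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relkind = 'r'
  and (not c.relrowsecurity
       or not exists (select 1 from pg_policy p where p.polrelid = c.oid));

-- Audit 2: views not created with security_invoker = true
-- (a view created with "= on" is stored as 'security_invoker=on').
select c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relkind = 'v'
  and not coalesce(c.reloptions @> array['security_invoker=true'], false);
```

Both audit queries should return zero rows in a schema that meets the stated guarantees, which makes them suitable as a CI or migration gate.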
CraneOp runs on Supabase Cloud with US-based data residency. Supabase provides automatic daily backups with point-in-time recovery. Edge Functions run in Deno isolates on the Supabase platform.
Rate limiting is enforced on all public endpoints, including auth routes, payment flows, and webhook receivers. Payment flows include device fingerprinting and 3D Secure enforcement via Stripe.
CraneOp is in the process of achieving SOC 2 Type II certification. Certification is planned for 2026. If your organization requires a SOC 2 report before that date, contact us at security@craneop.net to discuss your requirements.
CraneOp maintains an incident response plan covering detection, containment, eradication, and recovery phases. In the event of a confirmed security breach affecting customer data, affected customers will be notified within 48 hours of confirmation.
Notifications will include the nature of the incident, data categories affected, estimated scope, steps taken to contain the breach, and recommended actions for affected users.
If you discover a security vulnerability in CraneOp, please report it to security@craneop.net. Include a description of the vulnerability and reproduction steps. Do not include live customer data in your report.
We follow a 90-day coordinated disclosure policy. We will acknowledge your report within 3 business days, provide an estimated remediation timeline within 10 business days, and notify you when the issue is resolved. We do not currently offer a bug bounty program but may do so in the future.
For security inquiries, vulnerability reports, or SOC 2 documentation requests, reach out to our security team directly.
security@craneop.net