What this guide covers
This guide explains the security measures JobsiteOn uses to protect your
data. You will learn about data encryption, infrastructure security, access
controls, compliance certifications, incident response procedures, and
privacy practices. Understanding these commitments helps you and your team
make informed decisions about the data you store in the platform.
Before you begin
- This article is informational. No configuration changes are required.
- If you need to report a security concern, email security@jobsiteon.com
immediately.
- For questions about data privacy, see our Privacy Policy linked at the
bottom of every page.
Data encryption
In transit
All data transmitted between your browser and JobsiteOn servers is encrypted
using TLS 1.2 or higher. This applies to:
- Web application traffic (the dashboard, schedule, contacts, etc.).
- API calls from the mobile app.
- Webhook payloads to and from integrations like QuickBooks.
- Email delivery between JobsiteOn and email providers.
You can verify encryption by checking for the padlock icon in your browser's
address bar when using JobsiteOn.
At rest
All data stored in JobsiteOn databases is encrypted at rest using
AES-256 encryption. This includes:
- Contact records, property details, and job data.
- Invoice and payment information.
- File attachments (photos, documents, logos).
- Backup copies of your data.
Encryption keys are managed through a dedicated key management service with
automatic rotation.
Sensitive fields
Certain fields receive additional encryption beyond the database-level
encryption:
- Payment card tokens (stored by our payment processor, not directly by
JobsiteOn).
- Integration credentials (OAuth tokens for QuickBooks and other connected
services).
- Password hashes (using bcrypt with a high work factor).
Infrastructure security
Hosting
JobsiteOn runs on enterprise-grade cloud infrastructure with:
- Geographic redundancy -- data is replicated across multiple
availability zones for high availability.
- Automatic failover -- if one zone experiences an outage, traffic
routes to a healthy zone automatically.
- DDoS protection -- network-level protection against distributed
denial-of-service attacks.
Network isolation
- Application servers, databases, and cache layers run in private network
segments that are not directly accessible from the internet.
- Only the load balancer and CDN edge nodes are exposed to public traffic.
- Internal service-to-service communication uses encrypted channels.
Patch management
- Operating system and dependency patches are applied within defined SLA
windows based on severity.
- Critical security patches are deployed within 24 hours of disclosure.
- Non-critical patches are deployed within the next maintenance window.
Access controls
For your team
JobsiteOn's role-based access control system ensures each team member
sees only what they need:
- Owner -- full access to all workspace data and settings.
- Admin -- full operational access without billing controls.
- Dispatcher -- scheduling, contacts, and job management without
settings access.
- Technician -- access limited to assigned jobs and related contacts.
See Set Up Roles and Permissions for detailed permission tables.
For JobsiteOn staff
- No JobsiteOn employee can access your workspace data without explicit
authorization from you (e.g., during a support request).
- All internal access is logged and auditable.
- Employee access follows the principle of least privilege.
- Production database access requires multi-party approval and is
time-limited.
Authentication
- Passwords are hashed with bcrypt and never stored in plaintext.
- Session tokens use secure, HttpOnly cookies with strict SameSite
attributes.
- Sessions expire after a configurable period of inactivity.
Compliance
Standards and frameworks
JobsiteOn aligns its security program with industry standards:
- SOC 2 Type II -- controls for security, availability, and
confidentiality are independently audited.
- GDPR -- data processing practices comply with the General Data
Protection Regulation for any European users or data subjects.
- CCPA -- California Consumer Privacy Act compliance for California
residents.
Data residency
All production data is stored in data centers located in the United States.
If data residency requirements change, we will notify customers in advance.
Vendor security
Third-party services used by JobsiteOn (cloud hosting, email delivery,
payment processing) are evaluated for security before integration and
monitored on an ongoing basis. Each vendor must meet minimum security
standards comparable to our own.
Incident response
How we handle security incidents
JobsiteOn maintains a documented incident response plan with the following
phases:
- Detection -- automated monitoring, alerting, and anomaly detection
identify potential incidents in real time.
- Triage -- the on-call security team assesses severity and scope
within 30 minutes of detection.
- Containment -- affected systems are isolated to prevent further
impact.
- Eradication -- the root cause is identified and eliminated.
- Recovery -- affected systems are restored and verified.
- Communication -- affected customers are notified within 72 hours
of confirmed incidents, or sooner when required by regulation.
- Post-mortem -- every incident results in a written analysis and
action items to prevent recurrence.
Reporting a security concern
If you discover a potential vulnerability or security issue:
- Email security@jobsiteon.com with as much detail as possible.
- Include the steps to reproduce the issue if applicable.
- Do not share the vulnerability publicly until it has been resolved.
- We acknowledge receipt within one business day and provide a timeline
for resolution.
Privacy practices
Data you own
Your workspace data (contacts, properties, jobs, invoices, files) belongs
to you. JobsiteOn does not sell, share, or use your data for advertising
or training purposes.
Data we collect
JobsiteOn collects limited operational data to run the service:
- Account information -- name, email, password hash.
- Usage analytics -- page views, feature usage, and error tracking to
improve the product. This data is aggregated and anonymized.
- Server logs -- IP addresses, request timestamps, and user agent
strings for security monitoring.
Data retention
- Active workspace data is retained as long as your subscription is active.
- After a subscription ends, data is retained for 90 days before
permanent deletion.
- You can request early deletion by contacting support.
- Backups are retained for 30 days after deletion for disaster recovery,
then permanently destroyed.
Data export
You can export all of your workspace data at any time from
/settings > Workspace > Data. The export includes contacts,
properties, jobs, quotes, invoices, and file attachments in standard
formats (CSV and JSON).
Cookie policy
JobsiteOn uses strictly necessary cookies for authentication and session
management. We do not use third-party advertising cookies. Analytics
cookies are opt-in where required by local regulation.
Status and uptime
Status page
Check the current system status and historical uptime at our public status
page. The status page shows:
- Current operational status of all major services.
- Scheduled maintenance windows.
- Historical incident reports.
Uptime commitment
JobsiteOn targets 99.9% uptime for the production environment.
Scheduled maintenance is performed during low-traffic hours with advance
notice.
Best practices for your team
- Use strong, unique passwords. Avoid reusing passwords from other
services.
- Review team roles regularly. Remove members who no longer need access
and audit role assignments quarterly.
- Be cautious with integrations. Only connect services you actively
use. Disconnect integrations you no longer need.
- Report suspicious activity. If you notice unexpected changes to your
workspace or receive a suspicious email claiming to be from JobsiteOn,
contact support immediately.
- Export data periodically. Regular exports give you a backup
independent of the JobsiteOn platform.
Troubleshooting
I received a suspicious email claiming to be from JobsiteOn
Check the sender address. Legitimate emails come from @jobsiteon.com
domains only. If the email looks suspicious, do not click any links.
Forward it to security@jobsiteon.com for investigation.
I think my account has been compromised
- Change your password immediately from /settings > Account > Password.
- Review recent activity in your workspace for unauthorized changes.
- Contact support@jobsiteon.com to report the incident and request a
security review.
I need a copy of the SOC 2 report
Contact trust@jobsiteon.com with your company name and a brief
description of why you need the report. We share SOC 2 reports under NDA
with customers and prospective customers.
FAQ
Does JobsiteOn have access to my payment card numbers?
No. Payment card processing is handled by our PCI-compliant payment
processor. JobsiteOn never stores, processes, or transmits raw card numbers.
Can I enable two-factor authentication?
Two-factor authentication is planned for a future release. For now,
use a strong, unique password and enable browser-based password manager
autofill.
Where is my data stored?
All production data is stored in data centers in the United States.
Can I delete my account and all data?
Yes. Contact support to request complete account and data deletion. The
process takes up to 30 days to complete.
Follow the public status page and subscribe to email notifications for
security advisories.