Security

Last updated: April 25, 2026

Servelo is built for businesses that depend on it daily. Protecting your data, your customers' information, and your operations is a core part of what we do, not an afterthought. This page describes how we approach security.

Data Protection

🔒

Encryption in Transit

All communication between your browser or device and Servelo is encrypted using TLS. Unencrypted connections are not accepted.

🗄️

Encryption at Rest

Your data is encrypted at rest on all storage systems. Sensitive fields receive additional encryption above the storage layer.

🏢

Workspace Isolation

Every Servelo workspace runs in its own isolated environment. No customer can access another customer's data, by design.

☁️

Infrastructure

Servelo runs on enterprise-grade cloud infrastructure with redundancy, automated backups, and continuous availability monitoring.

Access Controls

Servelo enforces strict access controls at every layer:

Role-based permissions:Admins and technicians have distinct access levels. Admins control what each role can see and do within their workspace.
Multi-factor authentication:MFA is available for all user accounts and can be enforced org-wide by admins.
Session management:Sessions are bound to the issuing device. Signing out on one device does not affect others. Users can sign out all sessions from their account settings.
Credential security:Passwords are never stored in plaintext. We use industry-standard one-way hashing with per-user salts.

Payment Security

Servelo integrates with Square for payment processing. Card numbers, CVVs, and other sensitive payment details are entered directly into Square's PCI-DSS-certified payment forms and are never transmitted to or stored on Servelo's servers. Servelo never has access to raw card data.

Subscription billing is also handled through PCI-compliant processors. Only non-sensitive billing metadata (plan, renewal date, last-four digits) is stored by Servelo.

Application Security

Rate limiting:Authentication endpoints are protected against brute-force and credential-stuffing attacks.
Security headers:Servelo sets standard HTTP security headers on all responses, including content security policy, clickjacking protection, and MIME type enforcement.
File upload controls:Uploaded files are validated server-side for type and size. Disallowed file types are rejected before storage.
Dependency management:We regularly audit third-party dependencies and apply security patches promptly.

Backups and Recovery

Your data is backed up automatically on a regular schedule. Backups are encrypted and stored separately from primary systems. In the event of an incident, we maintain recovery procedures to restore service and data integrity.

Incident Response

We monitor our systems continuously for anomalies and security events. In the event of a confirmed data breach affecting your workspace, we will notify affected account owners as required by applicable law and as promptly as circumstances allow. We are committed to being transparent about incidents that affect your data.

Responsible Disclosure

If you believe you have found a security vulnerability in Servelo, we ask that you report it to us privately so we can investigate and address it before any public disclosure.

To report a vulnerability:

Email security@serveloapp.com with a description of the issue, steps to reproduce it, and the potential impact. Please do not access, modify, or delete other customers' data in the course of your research.

We will acknowledge your report within 3 business days and keep you informed as we work to resolve it. We appreciate responsible disclosure and will credit researchers who help us improve our security, if they wish.

Contact

Security questions and reports can be directed to security@serveloapp.com. General support inquiries should go to support@serveloapp.com.