Security practices

• Firebase Authentication handles user sign-in.
• Users are scoped by organization role and building access.
• Backend middleware and Firestore security rules enforce role-based permissions for task, member, building, photo, and organization data.
• Customer administrators are responsible for inviting, removing, deactivating, and scoping their users.

• TLS protects data in transit.
• Managed cloud providers provide encryption at rest for database and storage services.
• Direct client access to Cloud Storage is denied. Uploads and downloads use signed URLs minted by Cloud Functions.
• Request IDs, diagnostics, and structured error handling support investigation without exposing raw implementation details to users.
• Production secrets are managed in Firebase/Vercel/Stripe/Resend environments rather than committed to source control.

Tributary monitors application health through provider logs, deployment status, Cloud Functions logs, Firebase/Crashlytics signals, Stripe webhook status, and support diagnostics.

Confirmed security incidents affecting customer data are handled under the Privacy Policy and any signed DPA. The current counsel draft target is notice without undue delay and, when required, no later than [72 hours after confirmation].

Firestore scheduled backups are enabled for the production database. Backups run daily and are retained for up to [90 days]. Customer content export remains available during an active subscription and for a limited post-termination window.

• Use unique accounts for each person.
• Remove or deactivate users who no longer need access.
• Assign only the roles and building access each user needs.
• Do not submit prohibited regulated data unless a signed addendum permits it.
• Report suspected security issues promptly.

Security reports should go to support@doomotasks.com.