← Back to Home
Trust & Security
Last Updated: June 3, 2026
POG ERP is built and operated by a small US-based team. We take security seriously because your business depends on it. This page summarizes how we protect your data, who we share it with, and how to reach us with questions.
Where your data lives
Customer data is hosted in Oracle Cloud Infrastructure, US-East region (Ashburn, Virginia). Data does not leave the United States in normal operation. Static assets and DNS are served through Cloudflare's global edge network.
Encryption
- In transit: TLS 1.3 enforced for all customer connections (HTTPS only, HSTS enabled).
- At rest: Database volumes and backups are encrypted with AES-256. Sensitive application secrets use Fernet symmetric encryption.
Authentication & access
- Email + password authentication with bcrypt password hashing (industry-standard cost factor).
- TOTP-based two-factor authentication available for all accounts.
- Login identity is separated from company membership at the database level, so authentication data and tenant data are stored independently.
- Server-side session management with rotation on privilege changes.
- Role-based access controls inside the application.
- SSH access to the production server is key-based only; password authentication is disabled.
Sub-processors
POG ERP uses the following sub-processors to provide the Service. We notify customers of material changes to this list.
| Sub-Processor | Purpose | Location |
| Oracle Cloud | Infrastructure hosting, database, storage | United States |
| Cloudflare | CDN, DNS, edge security | Global |
| Stripe | Payment processing and billing | United States |
| Wisetack | Customer financing offers | United States |
| Twilio | SMS messaging (A2P 10DLC) | United States |
| Telnyx | Voice and SMS infrastructure | United States |
| Vonage | Voice messaging fallback | United States |
| Deepgram | Voicemail transcription | United States |
| Google (Gemini) | AI follow-up generation | United States |
| Groq | AI inference fallback | United States |
| Sentry | Error monitoring and alerting | United States |
| OpenStreetMap (Nominatim) | Address geocoding | Global |
| GitHub | Source control and deploy pipeline | United States |
Tenant data isolation
- Tenant data is isolated at the database layer, not only in application code. Row-level security policies enforce that each business can only access its own data.
- The application connects to the database with a least-privilege runtime role that cannot bypass tenant isolation, even if application code has a bug.
Backups & disaster recovery
- Automated daily database backups at 02:00 UTC, encrypted with AES-256 before transit.
- Off-site backup copies emailed daily.
- Point-in-time recovery via continuous WAL archiving (write-ahead logs shipped every ≤5 minutes), plus weekly physical base backups.
- Restore procedure is documented and tested. Restore drills are run periodically.
- Recovery Time Objective (RTO): 4 hours.
- Recovery Point Objective (RPO): ≤5 minutes (via point-in-time recovery).
Monitoring & reliability
- Sentry application error tracking with on-call alerts.
- Healthcheck cron runs every 5 minutes with auto-recovery on failure.
- External uptime monitoring with status alerts.
- Weekly SSL certificate expiry check.
- Maintenance mode for planned changes that require write downtime.
Outbound messaging safety
- Katch Leads is fail-closed by default: real outbound sends require explicit tenant enablement, consent checks, opt-out checks, and audit logging. Nothing sends without the tenant operator turning it on.
- Kill switch, per-recipient consent filtering, quiet-hours enforcement, and idempotency guards are enforced server-side on every outbound message.
Compliance
- TCPA — SMS consent, opt-out keywords (STOP/UNSUBSCRIBE/CANCEL/QUIT/END), quiet hours, and send-rate limits enforced server-side.
- CAN-SPAM — physical address and one-click unsubscribe on all marketing email.
- Maryland two-party consent — recorded voice calls disclose recording and obtain consent before retention.
- A2P 10DLC compliance controls enforced in code (approved-sender guard, STOP/HELP handling, quiet hours); brand and campaign registration in progress.
Application security
- Content Security Policy (CSP) with per-request nonces; no inline scripts.
- CSRF tokens on all state-changing requests.
- Rate limiting on authentication and public endpoints.
- Webhook signature validation for Stripe, Twilio, Telnyx, and other inbound webhooks.
- Parameterized SQL throughout the application (no string-built queries).
- Dependency vulnerability scanning (pip-audit) in CI on every change to the requirements lockfile.
Security policies
We maintain formal internal security policies covering access control, incident response, change management, vendor management, data retention, backup and disaster recovery, and security awareness. These policies are reviewed on a quarterly or semi-annual cadence and align with industry-standard control frameworks. We are working toward SOC 2 readiness.
Incident response
We follow a documented incident playbook. Confirmed security incidents affecting customer data are reported to affected customers without undue delay and within 72 hours of confirmation, in line with our Data Processing Agreement.
Reporting a vulnerability
If you believe you've found a security issue, please email management@potomacops.com with details. We'll acknowledge receipt within 2 business days. Please do not publicly disclose until we've had a chance to investigate and remediate.