Trust & Security

Your business, defended like it's our own.

Encryption in transit and at rest, strict workspace isolation, role-based access for your team, and a real human on the other end of support@primebase.io. The boring stuff, done right.

TLS 1.3 in transit · AES-256 at rest · Workspace-isolated · row-level security
Our four commitments

The promises we put in writing.

Encrypted everywhere
TLS 1.3 in transit. AES-256 at rest on Google Cloud Platform with envelope encryption managed by the cloud provider.
Workspace isolation
Every record carries a workspace ID, enforced by Postgres row-level security on every read and write.
Role-based access
Granular roles, custom permissions, and access rules on Business+. Your admins set who can see and do what.
Honest about incidents
If a security incident affects your data, we tell you — directly, by email, with what happened and what to do.
Architecture

Five layers of defense, one source of truth.

Defense-in-depth, designed so a failure at any single layer doesn't compromise the whole. Here's what each layer looks like in production today.

Transport
L1 / 5
TLS 1.3 with modern cipher suites.
HTTPS-only across the product, the API, the portal, and every public form.
TLS 1.0 / 1.1 disabled. HSTS sent on responses to discourage downgrade.
Application
L2 / 5
Workspace isolation enforced at the database.
Every record carries a tenant ID. Postgres row-level security policies block cross-tenant reads and writes.
Every API endpoint declares the permission it requires; calls without the right permission are rejected before they reach business logic.
Public-facing forms are protected by a CAPTCHA challenge and a honeypot trap to block automated submissions.
Standard security headers (CSP, X-Frame-Options, SameSite cookies). Code reviewed before merge.
Data layer
L3 / 5
AES-256 at rest, plus application-layer encryption for sensitive fields.
Database, storage, and backups are encrypted at rest by Google Cloud Platform.
Sensitive identifiers and authentication tokens are additionally encrypted at the application layer with AES-256-GCM before they hit the database.
Access codes on shared links are stored as one-way hashes with brute-force lockout after repeated failed attempts.
Daily encrypted backups with point-in-time recovery configured at the database layer.
Identity
L4 / 5
Email + password, with passwordless OTP.
Passwords hashed with industry-standard algorithms. Passwordless email OTP supported.
Custom roles & permissions on Business+ — restrict who can see and do what inside the workspace.
Access rules let admins scope users to their own records, assigned records, or specific tags per module.
Operations
L5 / 5
A small team, careful defaults.
Production access limited to a small number of engineers. Database access is logged by the platform.
Application secrets stored in Google Cloud Secret Manager with IAM-scoped access — no credentials in code, no shared logins.
Daily encrypted backups handled by Google Cloud Platform. Restore procedures tested when changes warrant it.
We aim to respond to security reports sent to support@primebase.io within one business day.
Visibility

A per-record audit trail.

Every record in PrimeBase carries who created it, who last updated it, and when — across CRM, projects, accounting, documents, and inventory. Customer-facing activity (visits, calls, notes, route stops) flows into a dedicated activity feed for sales and field work.

Created-by and updated-by tracked on every record across modules
Customer activity feed for visits, calls, notes, and route stops
Workspace-scoped — activity is isolated to your tenant by row-level security
CSV export of customers and inventory batches is self-serve for admins
app.primebase.io/crm/activity
Activity feed
Streaming · last 24h
14:02:11 sarah.lee@northwind.studio created customer · Acme Corp
14:01:54 maya.chen@northwind.studio exported customers · CSV
14:01:32 maya.chen@northwind.studio updated deal · Acme Q4 → Won
14:00:48 sarah.lee@northwind.studio created invoice INV-0218 from estimate EST-047
14:00:22 tom@acme.co logged visit · Riverside HVAC · 12:14 PM
13:59:51 sarah.lee@northwind.studio sent contract SOW-042 to client
13:58:30 tom@acme.co completed route stop · 14 Elm St
13:57:12 maya.chen@northwind.studio added note · Johnson tune-up follow-up
Hosting

Where your data lives.

PrimeBase is hosted on Google Cloud Platform in the United States. Your workspace data is encrypted at rest, backed up daily, and isolated from every other customer by row-level security.

Cloud provider
Google Cloud Platform
Compute, storage, and managed Postgres run on GCP in the United States.
Data protection
AES-256 + RLS
Encryption at rest on every layer; Postgres row-level security enforces workspace isolation.
Have a hosting question?
Email support@primebase.io and a real engineer will answer — backup details, retention, or anything else your security team needs to know.
Incident response

If something goes wrong.

A real engineer reads support@primebase.io. If a security incident affects your workspace, we tell you directly — what happened, what to check on your side, and what we're doing to fix it.

1. Detect
Platform alerts and customer reports surface anomalies to our engineering team.
2. Investigate
On receipt, an engineer triages scope: which workspaces, which data, what the suspected cause is.
3. Contain
If confirmed, affected services are isolated and suspect sessions or credentials are revoked.
4. Notify
If your workspace data is impacted, we email your admin(s) directly — what happened, what to check, what we're doing.
5. Fix & learn
Root cause fixed in production. We write up what changed and what to watch for, and share it with affected customers.
Responsible disclosure
Found a vulnerability? Email us directly. Researchers acting in good faith are welcome — we'll acknowledge your finding, work with you on the fix, and credit you publicly if you'd like.
support@primebase.io
Customer controls

The keys are yours.

Most “security” pages list what the vendor does. Here's what you get to do, the moment you sign up — without paying for a top-tier plan.

Custom roles & permissions
Build custom roles on Business+. Grant per-module, per-action access — restrict who can see and do what in your workspace.
Access rules
Scope users (or roles) to their own records, assigned records, or specific tags — per module. Set by your admins.
Passwordless OTP login
Sign in with a one-time code sent to email — no shared password to phish. Password-based login is also available for users who prefer it.
Self-serve CSV exports
Admins can export customers and inventory batches as CSV without a support ticket. More entities are on the roadmap.
Workspace data isolation
Every record carries a workspace ID. Postgres row-level security blocks cross-tenant access at the database layer.
Account closure
Workspace admins can close their workspace from Settings. Data deletion completes within 30 days; we confirm by email.
Common questions

The questions security teams actually ask.

No. Customer content in your workspace is not used to train PrimeBase models or models from any third-party AI provider. We only use AI providers in passthrough mode for product features you opt into.

Got more to ask

Talk to a real human, not a portal.

Send your security questionnaire or ask anything about how we handle your data. A real engineer reads support@primebase.io — no sales rep in the middle.

Email us anything
support@primebase.io