Built for HVAC, plumbing, electrical, and recurring service teams.

Open betaUnlimited users. Pricing from $200/month.

Built for HVAC, plumbing, electrical, and recurring service teams.

Open betaUnlimited users. Pricing from $200/month.

Security & trust

Protecting your business is our highest priority

Thorbis was designed with security at its core. From encrypted data storage to rigorous compliance programs, we protect sensitive information for contractors of every size.

Request our security packet View uptime status

Security pillars

Enterprise-grade infrastructure

Thorbis is hosted on Supabase (PostgreSQL) with Vercel Edge Network, regional redundancy, automated backups, and 99.9%+ uptime. Data is isolated and encrypted at every layer.

Secure development lifecycle

All code changes undergo peer review, automated testing, and static analysis. Secrets management, least privilege access, and dependency scanning are mandatory.

Compliance alignment

Thorbis aligns with SOC 2 Type II controls, GDPR, CCPA, and TCPA requirements. We maintain DPA agreements, subprocessors lists, and annual penetration tests.

Customer data ownership

You control your data. We provide full export capabilities, configurable data retention policies, and prompt deletion upon account cancellation.

Infrastructure

Thorbis runs on Supabase PostgreSQL and Vercel Edge Network — battle-tested managed infrastructure that handles security patching, redundancy, and compliance certifications so we can focus on the application layer.

Supabase (PostgreSQL)

Row-Level Security (RLS) enabled on every table — tenant isolation enforced at the database engine, not just the application layer
Connection pooling via pgBouncer keeps connection counts manageable under high concurrency
WAL-based point-in-time recovery (PITR) — restore your data to any second within the retention window
Automated daily backups with 30-day retention, stored in a separate AWS region

Vercel Edge Network

TLS 1.3 enforced on all connections — TLS 1.0 and 1.1 are disabled globally
Automatic HTTPS with managed certificate rotation, no manual renewal required
Anycast DDoS protection at the network edge absorbs volumetric attacks before they reach application servers
HTTP Strict Transport Security (HSTS) with a one-year max-age preloads your domain in browsers

Encryption

AES-256 encryption at rest for all database volumes and file storage
TLS 1.3 in transit for every request between clients, edge nodes, and origin servers
AWS S3 for file and photo storage — buckets are private by default, access granted only via signed short-lived URLs
Encryption keys managed by AWS KMS with automatic annual rotation

Availability & Resilience

99.9% uptime SLA with real-time status at status.thorbis.com
Multi-region read replicas for disaster recovery failover
Automated health checks and self-healing container restarts
Staged rollouts prevent a bad deploy from affecting all users at once

Authentication & access control

We use Supabase Auth for all authentication flows, with short-lived tokens, secure cookie storage, and role-based access controls scoped to your company.

JWT tokens with short expiry

Supabase Auth issues JWTs with a 1-hour expiry. Refresh token rotation is enabled — each use issues a new token and invalidates the old one, limiting the window for stolen token abuse.

Multiple authentication methods

Email/password with bcrypt hashing, magic link (passwordless email), and OAuth providers (Google, Microsoft). Passwords are never stored in plaintext.

HttpOnly secure cookies

Session tokens are stored in httpOnly, Secure, SameSite=Lax cookies — not localStorage. This prevents JavaScript from reading the token, blocking the most common XSS token theft vector.

Role-based access control (RBAC)

Five built-in roles: Owner, Admin, Dispatcher, Technician, and View-Only. Each role has a narrowly scoped permission set. Technicians cannot access financial data or customer payment methods.

Row-Level Security on every query

Every Supabase query is automatically scoped to the authenticated user's company_id via RLS policies. Even if application code contained a bug, the database engine would reject cross-tenant queries.

Service role key never exposed to clients

The Supabase service role key (which bypasses RLS) is stored only in server-side environment variables and is never included in client-side bundles or API responses.

Data isolation

Your data is never commingled with another company's data. Isolation is enforced at the database engine level — not just by application code.

Company-scoped at the schema level

Every table that stores business data includes a company_id column. There is no shared table that mixes data from different tenants without strict filtering.

Database-enforced, not application-enforced

RLS policies are defined directly in PostgreSQL. The application layer cannot issue a query that returns another company's data — the database rejects it at the engine level before any results are returned.

Defense in depth

Even if an application bug, misconfigured query, or compromised dependency attempted to access cross-tenant data, the RLS policy would block it. Isolation does not depend on a single layer being correct.

Supabase service role access is restricted

Only background workers that require privileged access (such as migration scripts and scheduled jobs) use the service role. All user-facing API routes use the authenticated client, which is subject to full RLS enforcement.

Payment security

Thorbis never stores, processes, or transmits raw card numbers. All payment data is handled by PCI DSS Level 1 certified processors.

Payrix — field service payments

Level 1 PCI DSS

Payrix handles all card data for job invoices and field payments. Thorbis never stores, processes, or transmits raw card numbers. Payrix is a Level 1 PCI DSS certified payment processor — the highest certification tier.

Stripe — subscription billing

Level 1 PCI DSS

Stripe handles all subscription and platform billing. Stripe is also Level 1 PCI DSS certified. Card details entered on Stripe Checkout or Stripe Elements are tokenized in the browser and never touch Thorbis servers.

Webhook signature verification

HMAC-SHA256

All incoming payment webhooks from Payrix and Stripe are verified using HMAC-SHA256 signature validation before processing. Unsigned or incorrectly signed webhooks are rejected immediately.

Communication security

SMS and email sent through Thorbis are authenticated, compliant, and protected against spoofing. Customer portal links use short-lived signed tokens.

SMS — Twilio A2P 10DLC

All outbound SMS messages are sent through Twilio's A2P 10DLC registered campaigns, which prevents carriers from classifying your messages as spam
STOP, HELP, and CANCEL keywords are handled automatically — opt-outs are honored within 24 hours as required by TCPA
Message content logs are retained for compliance audits but are access-controlled and not shared with other tenants

Email — SendGrid with full authentication

DKIM signatures are configured for all outbound email domains so receiving servers can verify message authenticity
SPF records restrict which servers are authorized to send on behalf of your domain
DMARC policy (p=quarantine) instructs receiving servers to quarantine unauthenticated messages that claim to come from your domain
Outbound email is routed through SendGrid's dedicated IP pools with established sending reputation

Customer portal security

Customer portal links use time-limited signed tokens — links expire after 72 hours by default
No sensitive data (payment amounts, personal details) is included in URL parameters
Portal sessions are scoped to a single customer record and cannot be used to access other customers' data

Certifications & compliance

We align with the compliance frameworks that matter to field service contractors — from SOC 2 and GDPR to TCPA and PCI DSS.

SOC 2 Type II

Audit in progress

Security controls are aligned to the SOC 2 Trust Services Criteria. The formal Type II audit is underway; the report is expected Q4 2025 and will be available under NDA upon request.

GDPR

Compliant

Data Processing Agreements (DPAs) are available for all customers. EU Standard Contractual Clauses (SCCs) govern any data transferred outside the EU. Data subject requests (access, deletion, portability) are fulfilled within 30 days. EU data residency is available upon request.

CCPA

Compliant

California consumers have the right to know, delete, and opt out of the sale of their personal information. Thorbis does not sell personal data. Data deletion requests are processed within 45 days.

TCPA (SMS)

Compliant

All SMS campaigns require prior express written consent. STOP/HELP/CANCEL auto-responses are enabled by default. Opt-outs are honored within 24 hours. Message frequency disclosures are included in opt-in confirmations.

PCI DSS

Delegated to processors

Thorbis delegates all cardholder data handling to Payrix (field payments) and Stripe (subscriptions), both of which hold Level 1 PCI DSS certification. Thorbis itself is a SAQ-A merchant and does not store, process, or transmit cardholder data.

Annual penetration testing

Active

Independent third-party penetration tests and vulnerability assessments are performed annually. Findings are remediated on a risk-prioritized schedule. Executive summaries are available under NDA.

Employee security controls

MFA required for all employee accounts
SSO enforced for all internal tooling
Least-privilege access — employees only see what their role requires
Background checks required for employees with production access
Security awareness training completed annually by all staff
Offboarding checklist revokes all access within 2 hours of departure

Incident response

We define three severity tiers with documented response times, communication requirements, and postmortem obligations. Security issues can be reported to security@thorbis.com.

Data breach / security incident

0–15 minAutomated detection and on-call alert
4 hoursAffected customer notification with known impact scope
24 hoursInterim remediation report and containment confirmation
7 daysPublic postmortem with root cause, timeline, and prevention measures

Full service outage

0–30 minDetection and incident opened on status page
2 hoursEstimated resolution time posted to status page
ResolutionPost-incident summary posted within 24 hours

Degraded performance

0–1 hourDetection and investigation begins
1 hourLogged to status page with impact description
ResolutionStatus page updated when performance returns to normal

Report a security vulnerability

Email security@thorbis.com with details. We acknowledge all reports within 24 hours and follow a coordinated disclosure process. We do not pursue legal action against researchers acting in good faith.

Frequently asked questions

Still have security questions?

Our security team can complete questionnaires, provide documentation under NDA, or schedule a technical review call for enterprise prospects.

Email security@thorbis.com View status page

Security & trust

Protecting your business is our highest priority

Thorbis was designed with security at its core. From encrypted data storage to rigorous compliance programs, we protect sensitive information for contractors of every size.

Request our security packet View uptime status

Security pillars

Enterprise-grade infrastructure

Thorbis is hosted on Supabase (PostgreSQL) with Vercel Edge Network, regional redundancy, automated backups, and 99.9%+ uptime. Data is isolated and encrypted at every layer.

Secure development lifecycle

All code changes undergo peer review, automated testing, and static analysis. Secrets management, least privilege access, and dependency scanning are mandatory.

Compliance alignment

Thorbis aligns with SOC 2 Type II controls, GDPR, CCPA, and TCPA requirements. We maintain DPA agreements, subprocessors lists, and annual penetration tests.

Customer data ownership

You control your data. We provide full export capabilities, configurable data retention policies, and prompt deletion upon account cancellation.

Infrastructure

Supabase (PostgreSQL)

Row-Level Security (RLS) enabled on every table — tenant isolation enforced at the database engine, not just the application layer
Connection pooling via pgBouncer keeps connection counts manageable under high concurrency
WAL-based point-in-time recovery (PITR) — restore your data to any second within the retention window
Automated daily backups with 30-day retention, stored in a separate AWS region

Vercel Edge Network

TLS 1.3 enforced on all connections — TLS 1.0 and 1.1 are disabled globally
Automatic HTTPS with managed certificate rotation, no manual renewal required
Anycast DDoS protection at the network edge absorbs volumetric attacks before they reach application servers
HTTP Strict Transport Security (HSTS) with a one-year max-age preloads your domain in browsers

Encryption

AES-256 encryption at rest for all database volumes and file storage
TLS 1.3 in transit for every request between clients, edge nodes, and origin servers
AWS S3 for file and photo storage — buckets are private by default, access granted only via signed short-lived URLs
Encryption keys managed by AWS KMS with automatic annual rotation

Availability & Resilience

99.9% uptime SLA with real-time status at status.thorbis.com
Multi-region read replicas for disaster recovery failover
Automated health checks and self-healing container restarts
Staged rollouts prevent a bad deploy from affecting all users at once

Authentication & access control

We use Supabase Auth for all authentication flows, with short-lived tokens, secure cookie storage, and role-based access controls scoped to your company.

JWT tokens with short expiry

Supabase Auth issues JWTs with a 1-hour expiry. Refresh token rotation is enabled — each use issues a new token and invalidates the old one, limiting the window for stolen token abuse.

Multiple authentication methods

Email/password with bcrypt hashing, magic link (passwordless email), and OAuth providers (Google, Microsoft). Passwords are never stored in plaintext.

HttpOnly secure cookies

Session tokens are stored in httpOnly, Secure, SameSite=Lax cookies — not localStorage. This prevents JavaScript from reading the token, blocking the most common XSS token theft vector.

Role-based access control (RBAC)

Five built-in roles: Owner, Admin, Dispatcher, Technician, and View-Only. Each role has a narrowly scoped permission set. Technicians cannot access financial data or customer payment methods.

Row-Level Security on every query

Every Supabase query is automatically scoped to the authenticated user's company_id via RLS policies. Even if application code contained a bug, the database engine would reject cross-tenant queries.

Service role key never exposed to clients

The Supabase service role key (which bypasses RLS) is stored only in server-side environment variables and is never included in client-side bundles or API responses.

Data isolation

Your data is never commingled with another company's data. Isolation is enforced at the database engine level — not just by application code.

Company-scoped at the schema level

Every table that stores business data includes a company_id column. There is no shared table that mixes data from different tenants without strict filtering.

Database-enforced, not application-enforced

Defense in depth

Supabase service role access is restricted

Payment security

Thorbis never stores, processes, or transmits raw card numbers. All payment data is handled by PCI DSS Level 1 certified processors.

Payrix — field service payments

Level 1 PCI DSS

Stripe — subscription billing

Level 1 PCI DSS

Webhook signature verification

HMAC-SHA256

All incoming payment webhooks from Payrix and Stripe are verified using HMAC-SHA256 signature validation before processing. Unsigned or incorrectly signed webhooks are rejected immediately.

Communication security

SMS and email sent through Thorbis are authenticated, compliant, and protected against spoofing. Customer portal links use short-lived signed tokens.

SMS — Twilio A2P 10DLC

All outbound SMS messages are sent through Twilio's A2P 10DLC registered campaigns, which prevents carriers from classifying your messages as spam
STOP, HELP, and CANCEL keywords are handled automatically — opt-outs are honored within 24 hours as required by TCPA
Message content logs are retained for compliance audits but are access-controlled and not shared with other tenants

Email — SendGrid with full authentication

DKIM signatures are configured for all outbound email domains so receiving servers can verify message authenticity
SPF records restrict which servers are authorized to send on behalf of your domain
DMARC policy (p=quarantine) instructs receiving servers to quarantine unauthenticated messages that claim to come from your domain
Outbound email is routed through SendGrid's dedicated IP pools with established sending reputation

Customer portal security

Customer portal links use time-limited signed tokens — links expire after 72 hours by default
No sensitive data (payment amounts, personal details) is included in URL parameters
Portal sessions are scoped to a single customer record and cannot be used to access other customers' data

Certifications & compliance

We align with the compliance frameworks that matter to field service contractors — from SOC 2 and GDPR to TCPA and PCI DSS.

SOC 2 Type II

Audit in progress

Security controls are aligned to the SOC 2 Trust Services Criteria. The formal Type II audit is underway; the report is expected Q4 2025 and will be available under NDA upon request.

GDPR

Compliant

CCPA

Compliant

California consumers have the right to know, delete, and opt out of the sale of their personal information. Thorbis does not sell personal data. Data deletion requests are processed within 45 days.

TCPA (SMS)

Compliant

PCI DSS

Delegated to processors

Annual penetration testing

Active

Independent third-party penetration tests and vulnerability assessments are performed annually. Findings are remediated on a risk-prioritized schedule. Executive summaries are available under NDA.

Employee security controls

MFA required for all employee accounts
SSO enforced for all internal tooling
Least-privilege access — employees only see what their role requires
Background checks required for employees with production access
Security awareness training completed annually by all staff
Offboarding checklist revokes all access within 2 hours of departure

Incident response

We define three severity tiers with documented response times, communication requirements, and postmortem obligations. Security issues can be reported to security@thorbis.com.

Data breach / security incident

0–15 minAutomated detection and on-call alert
4 hoursAffected customer notification with known impact scope
24 hoursInterim remediation report and containment confirmation
7 daysPublic postmortem with root cause, timeline, and prevention measures

Full service outage

0–30 minDetection and incident opened on status page
2 hoursEstimated resolution time posted to status page
ResolutionPost-incident summary posted within 24 hours

Degraded performance

0–1 hourDetection and investigation begins
1 hourLogged to status page with impact description
ResolutionStatus page updated when performance returns to normal

Report a security vulnerability

Frequently asked questions

Still have security questions?

Our security team can complete questionnaires, provide documentation under NDA, or schedule a technical review call for enterprise prospects.

Email security@thorbis.com View status page

Protecting your business is our highest priority

Security pillars

Enterprise-grade infrastructure

Secure development lifecycle

Compliance alignment

Customer data ownership

Infrastructure

Supabase (PostgreSQL)

Vercel Edge Network

Encryption

Availability & Resilience

Authentication & access control

Data isolation

Payment security

Payrix — field service payments

Stripe — subscription billing

Webhook signature verification

Communication security

SMS — Twilio A2P 10DLC

Email — SendGrid with full authentication

Customer portal security

Certifications & compliance

Incident response

Frequently asked questions

How is my customer data isolated from other companies?

What happens to my data if I cancel?

Do technicians have access to financial data?

Can I get a security review or complete a security questionnaire?

What are your backup and recovery policies?

Where is data stored?

How do you handle subprocessors?

Do you conduct penetration tests?

How do you handle incidents?

Is employee access to customer data logged?

Still have security questions?

Protecting your business is our highest priority

Security pillars

Enterprise-grade infrastructure

Secure development lifecycle

Compliance alignment

Customer data ownership

Infrastructure

Supabase (PostgreSQL)

Vercel Edge Network

Encryption

Availability & Resilience

Authentication & access control

Data isolation

Payment security

Payrix — field service payments

Stripe — subscription billing

Webhook signature verification

Communication security

SMS — Twilio A2P 10DLC

Email — SendGrid with full authentication

Customer portal security

Certifications & compliance

Incident response

Frequently asked questions

How is my customer data isolated from other companies?

What happens to my data if I cancel?

Do technicians have access to financial data?

Can I get a security review or complete a security questionnaire?

What are your backup and recovery policies?

Where is data stored?

How do you handle subprocessors?

Do you conduct penetration tests?

How do you handle incidents?

Is employee access to customer data logged?

Still have security questions?