Legal

Security

Effective: May 1, 2026

Trade business owners trust us with their customer records, their pricing, and their bottom line. We take that seriously. Here is exactly how we protect your data.

1. Encryption

All data in transit between your browser, the TradeOS API, and our backend is encrypted using TLS 1.3. Data at rest is encrypted using AES-256. Database backups are encrypted before they are written to storage.

2. Authentication

TradeOS uses Manus OAuth for authentication. Sessions are managed via secure, HTTP-only cookies with a one-year max-age. Passwords are never stored by TradeOS; authentication is handled by the identity provider.

3. Tenant Isolation

Every customer record, job, quote, invoice, technician, and customer note is scoped to your account at the database query layer. Our backend procedures enforce ownership checks on every read and write. We regularly audit the codebase for tenant-isolation regressions.

4. Payment Security

Payment processing is handled by Stripe (PCI Level 1 certified). Card numbers, CVCs, and bank account details never touch our servers. We only receive a tokenized reference and a payment status webhook.

5. Infrastructure

TradeOS runs on managed cloud infrastructure with hardened defaults. Production database access is limited to a small set of named operators with mandatory two-factor authentication. All administrative actions are logged.

6. Backups & Recovery

We perform automated daily backups of the production database and retain them for 30 days. Backups are tested for restorability on a quarterly schedule. Our target Recovery Time Objective (RTO) is under 4 hours; our target Recovery Point Objective (RPO) is under 24 hours.

7. Vulnerability Management

Dependencies are scanned automatically on every deploy. Critical security patches are applied within 24 hours of release. We follow responsible disclosure practices and welcome reports from security researchers.

8. Reporting a Security Issue

Found something? Email [email protected] with as much detail as you can. We will acknowledge receipt within 1 business day and provide an update within 5 business days. We do not currently offer a paid bug bounty, but we will publicly credit (with your permission) researchers who report material issues responsibly.

9. Compliance Roadmap

TradeOS is currently working toward SOC 2 Type II readiness. Targeted completion is Q4 2026. We will publish the report and a public security trust center once available.

10. Customer Responsibilities

Security is a partnership. We strongly recommend that you:

  • Use a strong, unique password on your Manus account.
  • Enable two-factor authentication.
  • Limit who in your business has access to TradeOS.
  • Notify us immediately at [email protected] if you suspect an account compromise.