Legal
Security
How StoneEx System protects your data in practice — encryption and HTTPS, tenant isolation backed by database row-level security, OAuth, role-based access control, backups, infrastructure, and how we work with AI and integration providers.
1. Our approach to security
Security is built into how StoneEx System is designed and operated, not added on afterward. Your shop runs its business in the platform — customers, projects, drawings, financials, and communications — and protecting that data is fundamental to earning your trust. This page describes the technical and organizational measures we use to keep your information confidential, available, and isolated from other organizations.
For a plain-language overview of data protection and portability, see our Security & Data page. This page goes deeper into the specific controls behind the platform.
2. Encryption and HTTPS
All traffic to and from StoneEx System is encrypted in transit using HTTPS (TLS). The application is served exclusively over secure connections, and security-related response headers are applied across the site.
Sensitive credentials are encrypted at rest. In particular, the access and refresh tokens for the third-party integrations you connect — such as QuickBooks Online, Google, and Twilio — are stored as strong, authenticated ciphertext (AES-256-GCM) and are never stored or logged in plaintext. Application secrets and platform keys are held server-side and are never shipped to the browser.
3. Tenant isolation and row-level security
StoneEx System is multi-tenant: every organization has its own isolated workspace. We enforce that isolation in depth. Every request is scoped to the organization it belongs to, determined on the server and never trusted from the client, and every database query runs through an organization-scoped data client.
As a second, independent layer of defense, the database enforces row-level security (RLS): policies at the database level restrict each query to rows belonging to the current organization, so even a flaw in application code cannot expose one organization’s data to another. Isolation is a first-class property of the platform, validated as part of how we build and test it.
4. Authentication and access control
Users sign in with a passwordless magic link or with Google sign-in, so there is no reusable password to be phished or reused. Sessions are managed with secure, signed cookies.
Within an organization, access is governed by role-based permissions. Authorization is checked on every operation using a default-deny model with explicit role checks, so users — and field-app roles such as templaters and installers — see only the information appropriate to their role. Administrators manage members, roles, and which integrations are connected.
5. OAuth and third-party integrations
Integrations are connected through secure OAuth authorization flows rather than by handing over passwords. When you connect QuickBooks Online, Google (Gmail, Calendar, or Drive), or Twilio, StoneEx System receives scoped tokens that are encrypted, stored per organization, and used only to provide the feature you enabled. You can disconnect any integration at any time, which revokes our stored access.
- Inbound webhooks are verified. Messages we receive from integration providers are signature-verified and processed idempotently, so a forged or replayed request cannot inject or duplicate data.
- Least privilege. We request only the scopes needed for the features you use, and financial actions are never taken in your accounting system without your explicit confirmation.
- Payment data. Subscription payments are processed by Stripe. Card details are handled by Stripe under its PCI-compliant environment; StoneEx System does not receive or store full payment card numbers.
6. AI providers
Optional AI features are powered by established providers — currently Anthropic (Claude) and OpenAI — accessed through their commercial APIs. Content is sent to these providers only when a user invokes an AI feature, is transmitted over encrypted connections, and is processed solely to return a result. Under the commercial API terms we use, provider APIs do not use your content to train their models. AI output is assistive and should be reviewed before it is relied upon.
7. Infrastructure and data storage
The Service runs on modern, managed cloud infrastructure in the United States. Application data is stored in a managed PostgreSQL database; background processing uses a managed queue; and uploaded media and documents are stored in dedicated object storage rather than in the database.
Uploads are handled with signed URLs and validated by type and size, and media is served from object storage rather than embedded in application records. Long-running and external work runs through background workers rather than in the request path, which keeps the interactive application responsive and its failure modes contained.
8. Backups and availability
The managed database is backed up on a regular schedule to protect against data loss, and backups are encrypted. We monitor the health and performance of the Service continuously and design the platform to recover gracefully from failures. While no online service can guarantee uninterrupted availability, our architecture and operational practices are aimed at keeping your data safe and available when you need it.
9. Monitoring, logging, and secrets
We monitor the Service with application error reporting and structured operational logs. Logs are tagged with request and organization identifiers to help us diagnose issues, and are deliberately kept free of credentials, secrets, and raw sensitive message content.
Secrets — including database credentials, the encryption key, and integration and provider tokens — are managed server-side and are never exposed in client code or bundles. Public and authentication endpoints are rate-limited to resist abuse. We validate and narrow untrusted input at the boundary and use parameterized database queries throughout.
10. Your data and portability
The data your organization stores in StoneEx System belongs to you. You can export your records in common formats, download drawings as DXF or PDF, and disconnect integrations at any time, so you keep control of your information and avoid vendor lock-in. How we handle, retain, and delete data is described in our Privacy Policy.
11. Reporting a security issue
We welcome reports from security researchers and customers. If you believe you have found a vulnerability or a security concern in StoneEx System, please contact us so we can investigate and respond. We ask that you give us a reasonable opportunity to address an issue before disclosing it publicly, and that you avoid accessing or modifying data that is not your own.
StoneEx System — Securitysecurity@stoneexsystem.com