Security at Engine

Plain version

Your business data is yours. Card numbers never touch our servers. Every business's data is isolated from every other business's. Everything is encrypted at rest and in transit. We don't sell your data, we don't share it with advertisers, and we don't use it to train any AI model. The rest of this page is the specifics.

Card payments

When your customers pay an Engine invoice with a card, the card details go directly to Stripe or Square - both certified PCI DSS Level 1, the highest tier. Engine never sees the full card number. We only receive a notification with the amount, last-4 digits, and a transaction ID for reference.

Stripe Connect direct charges and Square POS payments both flow customer → processor → your bank account. The money never sits in an Engine balance because we don't have one.

Encryption

• In transit: all traffic is HTTPS / TLS 1.2+. Plain HTTP requests are auto-redirected and never accepted.
• At rest: the database, file storage, and backups are encrypted with AES-256 by our cloud infrastructure providers. We never store unencrypted business data on disk.
• Passwords: hashed with bcrypt. We can't read your password even if we wanted to.
• Third-party tokens: when you connect Stripe or Square, the access tokens are stored encrypted in the same protected database. Only the edge functions that actually talk to those vendors can decrypt them.

Tenant isolation

Engine is multi-tenant: many businesses share the same underlying database. Every table that holds business data has row-level security policies enforcing that one business can never read or write another business's rows. The check runs at the database level on every single query - not in application code where a bug could leak data.

Storage buckets (job photos, receipts, customer-uploaded quote photos) are scoped the same way: file paths are prefixed with the business identifier and a storage policy blocks any read or write that tries to cross the boundary.

Authentication

• Email + password sign-in with strong-password requirements during signup.
• Sessions are JWT-based, expire automatically, and refresh in the background while you're active.
• Email confirmation required for new accounts (so someone can't sign up with an address that isn't theirs).
• Team members are invited by the business owner and can only access that business's data, scoped by their assigned role (owner, admin, dispatcher, technician).

Backups + recovery

The database is backed up daily by our infrastructure provider with point-in-time recovery available for the last 7 days. If you ever lose data due to your own action (e.g., an accidental delete) we can usually restore it - email us within a few days.

Incident response

If we discover a security incident affecting your data, we'll email all account owners within 72 hours with what we know, what we're doing about it, and what (if anything) you should do. We commit to honest disclosure even when it's embarrassing.

What we DON'T do

• We do not sell your data or your customers' data to anyone.
• We do not share data with advertisers or data brokers.
• We do not use your data, your customers' data, your photos, or anything else you put into Engine to train any AI model.
• We do not use third-party analytics or tracking cookies. The only cookie we set is the session token that keeps you logged in.

Compliance + certifications

PCI DSS: all card processing is handled by Stripe (PCI Level 1) and Square (PCI Level 1). Engine itself is out-of-scope for PCI because we never store card numbers.

SOC 2: Engine has not pursued SOC 2 certification yet. SOC 2 is primarily required by enterprise buyers; our target is solo + small-crew service operators where this hasn't come up. If you're evaluating Engine for an organization that requires SOC 2, email info@abixondigital.com and we'll discuss the timeline.

Reporting a vulnerability

Found something? Email info@abixondigital.com with details and reproduction steps. We respond to security reports within 48 hours and credit researchers in our release notes (with permission). Please give us a reasonable window to fix issues before public disclosure.