Security Overview
Last Updated: June 2026
JobSite Intel AI, part of Varshyl Inc., takes the security of customer information seriously. This Security Overview describes the technical and organizational safeguards we use to protect your data.
Security is a shared responsibility. We implement the measures described here; users play an important role in keeping their accounts secure.
Authentication and Access Controls
- Password security: User passwords are hashed using bcrypt with an appropriate work factor. Plaintext passwords are never stored or logged.
- JWT-based authentication: Platform sessions use cryptographically signed JSON Web Tokens (JWT) with defined expiry periods.
- Organization-scoped data isolation: The platform uses a multi-tenant architecture. All data — projects, logs, media, reports — is scoped to a specific organization. API routes enforce organization membership checks on every request. Organization IDs are read exclusively from authenticated JWTs, never from request parameters or the request body.
- Role-based access controls: Within an organization, access to data is further restricted by role (Admin, Owner, Superintendent, Field Worker). Field workers see only data they are authorized to access.
- Apple and Google Sign-In: OAuth tokens from Apple and Google are verified against provider APIs before any platform session is issued.
Data Transmission and Storage Security
- Encrypted transmission: All data in transit uses TLS 1.2+/HTTPS. Plain HTTP connections are rejected.
- HMAC-signed file access: Media files (photos, videos, audio) are stored on private infrastructure. Access requires cryptographically signed, time-limited URLs generated using HMAC-SHA256. Files cannot be accessed directly without a valid signed URL scoped to the requesting user's organization.
- Storage key namespacing: All storage objects are prefixed with the organization ID (orgs/{orgId}/...). Cross-organization file access is rejected at the API layer before any storage operation is attempted.
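The signed-URL and key-namespacing controls in the two items above, shown as an added Node.js example (not JobSite Intel AI's own code). The `/media` route, the query parameter names, the function names and the signing key are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Constructed demo key; a real service would load this from a secret store.
const SIGNING_KEY = Buffer.from("constructed-demo-key-do-not-reuse");

// HMAC-SHA256 over the storage key and expiry, so neither can be altered.
function mac(key, expires) {
  return crypto.createHmac("sha256", SIGNING_KEY)
    .update(`${key}\n${expires}`).digest();
}

// True only for keys inside the caller's own orgs/{orgId}/ namespace.
function inOrg(orgId, key) {
  return key.startsWith(`orgs/${orgId}/`) && !key.split("/").includes("..");
}

// orgId must come from the verified session token, never from the request.
function signUrl(orgId, key, ttlSeconds, nowMs = Date.now()) {
  if (!inOrg(orgId, key)) return null; // refuse to sign across tenants
  const expires = Math.floor(nowMs / 1000) + ttlSeconds;
  const sig = mac(key, expires).toString("hex");
  return `/media?${new URLSearchParams({ key, expires: String(expires), sig })}`;
}

// Returns "ok" or the reason for rejection; runs before any storage read.
function verifyUrl(orgId, url, nowMs = Date.now()) {
  const q = new URL(url, "https://files.example").searchParams;
  const key = q.get("key") || "";
  const expires = Number(q.get("expires"));
  const sig = Buffer.from(q.get("sig") || "", "hex");
  const expected = mac(key, expires);
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (sig.length !== expected.length || !crypto.timingSafeEqual(sig, expected)) {
    return "bad-signature";
  }
  if (expires < Math.floor(nowMs / 1000)) return "expired";
  if (!inOrg(orgId, key)) return "wrong-org";
  return "ok";
}
```

A valid link that leaks to a user in another organization still fails the namespace check, because the organization ID compared against the key comes from that user's own session rather than from the URL.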
Infrastructure Security
- Cloud hosting: Platform infrastructure runs on Railway, a reputable cloud provider with industry-standard security certifications.
- Database security: Application database access uses parameterized queries via Prisma ORM. Organization IDs are never sourced from user-supplied request data.
- Error monitoring: We use Sentry for error monitoring and performance tracking. Sentry is configured to strip authentication tokens and sensitive credentials from error reports.
- Security headers: The API uses Helmet.js to set appropriate HTTP security headers including HSTS, X-Content-Type-Options, and CSP.
Ongoing Security Practices
- Regular security reviews: We conduct security audits before major releases and when new features are added.
- Dependency monitoring: We monitor for known vulnerabilities in third-party dependencies.
- Minimal access principle: Internal personnel access to production data is restricted to those with a legitimate business need.
- Incident response: We maintain documented procedures for responding to security incidents. In the event of a confirmed breach affecting your data, we will notify affected customers as required by applicable law.
User Responsibilities
- Keep login credentials confidential and do not share passwords.
- Use a strong, unique password for your JobSite Intel AI account.
- Log out of sessions when using shared or public devices.
- Report suspicious activity immediately to kapilav@varshyl.com.
- Keep devices used to access the platform reasonably secure.
Responsible Disclosure
If you believe you have discovered a security vulnerability in JobSite Intel AI, please report it to us immediately at kapilav@varshyl.com.
Include a description of the vulnerability, steps to reproduce it, and any supporting evidence. We will investigate all credible reports promptly and keep you informed of our progress.
We ask that you act in good faith: do not exploit any vulnerability beyond what is necessary to demonstrate it, do not access or modify other users' data, and give us a reasonable timeframe to investigate and resolve the issue before public disclosure.
Limitations
No system can guarantee absolute security. Despite our efforts, no internet-based platform can be guaranteed completely secure against all threats.
JobSite Intel AI · Part of Varshyl Inc.
kapilav@varshyl.com · 408-410-6151
4309 Hacienda Dr, Suite 360, Pleasanton, CA 94588