Security & Trust
You're managing client data, site access credentials, and financial records. Here's exactly how MoveKore protects it all.
Security-first by design
We don't bolt security on. It's woven into the architecture from day one.
End-to-End Encryption
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Portal tokens are URL secrets — they never appear in server logs or browser history.
Row-Level Security
Postgres RLS policies enforce org-level isolation at the database layer. An owner of Org A cannot read, write, or even enumerate Org B's records — ever.
Magic Link Auth
No passwords to store, breach, or rotate. Authentication uses one-time email links that expire in 15 minutes. Crew members never create accounts.
Zero-Knowledge Portals
Client and sub portals are tokenized URLs — no login required, no session cookie, no account. Tokens are validated server-side only and never sent to client JS.
Enterprise Cloud Infrastructure
Built on AWS US-East with automated daily backups and point-in-time recovery. SOC 2 Type II compliant infrastructure. All data resides in US regions.
Immutable Audit Trail
Every project action is logged to an append-only audit table. No UPDATE or DELETE policies exist on the audit log. Your compliance trail is tamper-proof.
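A sketch of the two database-layer controls described above (org isolation through RLS, and an audit table with no UPDATE or DELETE policy), added here as an example and not MoveKore's actual schema. The table, column, role and setting names (`projects`, `audit_log`, `app_user`, `app.current_org_id`) are assumptions, and it expects PostgreSQL 13 or later for `gen_random_uuid()`.

```sql
-- Added illustration, not MoveKore's schema. All names are assumptions.
CREATE ROLE app_user NOLOGIN;  -- hypothetical role the application runs as

CREATE TABLE projects (
    id     uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id uuid NOT NULL,
    name   text NOT NULL
);

CREATE TABLE audit_log (
    id         uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id     uuid NOT NULL,
    project_id uuid NOT NULL,
    action     text NOT NULL,
    logged_at  timestamptz NOT NULL DEFAULT now()
);

-- ENABLE turns RLS on; FORCE applies it to the table owner as well.
-- Superusers and roles with BYPASSRLS are still exempt, so the
-- application must not connect as either.
ALTER TABLE projects  ENABLE ROW LEVEL SECURITY;
ALTER TABLE projects  FORCE  ROW LEVEL SECURITY;
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_log FORCE  ROW LEVEL SECURITY;

-- Org isolation: USING filters the rows a statement can see or touch,
-- WITH CHECK rejects rows written for another org. current_setting()
-- raises an error when the setting is missing, so it fails closed.
CREATE POLICY projects_org_isolation ON projects
    FOR ALL
    USING      (org_id = current_setting('app.current_org_id')::uuid)
    WITH CHECK (org_id = current_setting('app.current_org_id')::uuid);

-- Append-only audit log: policies exist for SELECT and INSERT only.
-- With RLS enabled, a command that has no policy is denied by default.
CREATE POLICY audit_read ON audit_log
    FOR SELECT
    USING (org_id = current_setting('app.current_org_id')::uuid);
CREATE POLICY audit_append ON audit_log
    FOR INSERT
    WITH CHECK (org_id = current_setting('app.current_org_id')::uuid);

-- Second layer: grant only what is needed. TRUNCATE is not filtered by
-- RLS at all, so it has to be withheld through privileges.
GRANT SELECT, INSERT, UPDATE, DELETE ON projects  TO app_user;
GRANT SELECT, INSERT                 ON audit_log TO app_user;

-- Per request the application pins the org inside the transaction:
--   BEGIN; SET LOCAL ROLE app_user;
--   SET LOCAL app.current_org_id = '<org uuid>';
```

With these grants, an UPDATE or DELETE on `audit_log` from `app_user` fails with a permission error; if the privilege were granted by mistake, the missing policy would still make the statement match zero rows.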
Data practices
Who owns my data?
You do. Always. MoveKore never sells, rents, or analyzes your org's data for advertising. When you leave, you can request a full data export in JSON format within 30 days.
Where is data stored?
All data is stored in US-East AWS data centers. File uploads (photos, documents, COIs) are stored in private cloud storage with bucket-level access policies — URLs are signed and expire.
How are photos and documents protected?
Photos and documents are stored in private, policy-controlled cloud storage. Signed URLs expire after 1 hour. Crew cannot delete photos (enforced at the database layer, not just the UI). Pre-move condition reports are immutable once signed.
What about HIPAA compliance?
MoveKore includes a HIPAA Chain of Custody compliance item template for healthcare office moves. We do not process or store patient records — the chain-of-custody workflow ensures your crew doesn't either.
Do you have a responsible disclosure policy?
Yes. If you discover a security vulnerability, email security@movekore.com. We commit to acknowledging reports within 24 hours and providing a timeline within 72 hours.
How do you handle third-party integrations?
QuickBooks Online: OAuth 2.0 tokens are stored encrypted per-org. Dropbox Sign: webhook payloads are HMAC-verified before processing. We never store third-party credentials in plaintext.
Questions about security?
We're happy to walk through our architecture, provide penetration test summaries, or answer any security questionnaire your enterprise clients require.