Security at Rogger

A verified-review platform is only as trustworthy as the infrastructure it runs on. This page lists what we actually do — no vendor badges, no aspirational claims — so you can make an informed decision.

Last updated 2026-04-22

Encryption in transit

  • TLS 1.2+ enforced at the edge (Cloudflare) and origin (Traefik with Let's Encrypt certificates).
  • HTTP Strict Transport Security (HSTS) set with a 1-year max-age, includeSubDomains, and preload eligibility.
  • TLS 1.0 and 1.1 disabled; TLS 1.3 negotiated where the client supports it.
  • Outbound SMTP from customer-configured providers enforces TLS 1.2+ minimum and STARTTLS; plaintext port 25 is blocked at the application layer.

Encryption at rest

  • All customer-supplied third-party credentials (SMTP passwords, API keys) are encrypted with AES-256-GCM before they touch the database.
  • Encryption keys are derived from a master key stored outside the database; key rotation is supported.
  • Passwords are hashed with bcrypt (cost factor 10+) — plaintext passwords are never logged or stored.
  • End-consumer email addresses and phone numbers are stored only as SHA-256 hashes for duplicate detection; the originals are not retained.

Identity and access

  • Role-based access control: business-owner, admin, staff, super-admin roles with least-privilege separation.
  • Session tokens are JWTs stored in HttpOnly, SameSite=Lax, Secure cookies scoped to the rogger.io domain.
  • Every user carries a token-version counter — revoking a session invalidates every existing JWT for that user immediately.
  • API access uses short-prefixed keys (ist_live_…, ist_test_…) that can be revoked individually.
  • Multi-factor authentication for admin accounts is on the Q2 roadmap.

Rate limiting and abuse controls

  • Global request rate-limiting (100/min default, tighter per-route where appropriate).
  • Login endpoint: 20 requests per 10 minutes per IP. Sign-up: 5 per hour per IP.
  • Messaging-config verify endpoint: 10 per minute per business to slow credential-guessing.
  • Every failed and successful authentication is recorded in the audit log with IP and user agent.

Audit logging

  • Every security-relevant action is written to an append-only audit log: authentication, credential changes, billing events, review-administration actions, business-profile changes. Audit entries are not edited or deleted in normal operation.
  • Audit entries capture actor, action, entity, timestamp, and request context (IP, user agent).
  • Business customers can, on request, receive an export of the audit log for their own tenant — useful for their own compliance programs.

Tenant isolation

  • Every query is scoped to the authenticated tenant's business ID via a Fastify plugin that runs before any route handler.
  • API keys are single-tenant; they cannot read across business boundaries.
  • No customer data is shared with other customers or used to train AI models.

Data residency and backups

  • Primary hosting: Australia.
  • Automated Postgres backups: nightly, encrypted, retained 30 days. Weekly full + daily incremental.
  • Backups stored offsite in local data-centre infrastructure with a separate credential set.
  • Restore drills are performed quarterly against a throwaway environment to confirm recoverability.

Vulnerability management

  • Dependency scanning via Dependabot with weekly reviews; critical CVEs patched within 7 days, high within 30.
  • Container scanning via Trivy on every build.
  • Security-relevant code changes reviewed before merge.
  • Annual external penetration test planned for the first production anniversary.

Monitoring and response

  • Application errors captured in a dedicated error-monitoring system.
  • Alerts on anomalous authentication patterns (failed-login bursts, after-hours admin activity).
  • Published incident history at status.rogger.io.
  • Security disclosures accepted at [email protected] or via our security.txt.

Breach notification

If we determine that a data breach is likely to result in serious harm to affected individuals, we notify those individuals and the Office of the Australian Information Commissioner (OAIC) within the statutory 30-day window under the Notifiable Data Breaches scheme. Equivalent GDPR 72-hour notification applies to EU data subjects.

Compliance certifications

Rogger is not currently certified to SOC 2 or ISO 27001. Our controls are designed against both frameworks, and we are working toward ISO 27001:2022 certification. Our current readiness state is documented internally and available to enterprise prospects under NDA.

We do not claim certifications we do not hold. When we achieve certification, a dated attestation will be linked here.

Subprocessors

The complete list of third-party services that process customer data, with each subprocessor's role and location, is maintained at rogger.io/subprocessors.

Contact

Responsible disclosure: we do not take legal action against security researchers who act in good faith, give us reasonable time to remediate, and do not access data beyond what is necessary to demonstrate the issue.