How we protect your data.

Your data sits in a managed PostgreSQL database powered by Supabase, hosted on enterprise infrastructure in the United States. The application runs on Vercel — same platform GitHub, Stripe, and The Washington Post use. Your data never lives on a laptop, a thumb drive, or a shared spreadsheet.

• TLS 1.2+ in transit. All connections between your browser and our servers are encrypted. HSTS enforced — connections can never be downgraded.
• AES-256 at rest. All data stored in our database is encrypted at rest with the same standard used by government and financial institutions.
• Field-level encryption for sensitive data. SSNs, salary data, and medical info get an additional AES-256-GCM layer with unique per-account keys. Even raw database access wouldn't expose them.
• Encrypted audit logs. Security audit logs encrypted with a separate dedicated key, protecting the integrity of your compliance trail.

• PostgreSQL Row-Level Security.Every tenant table has RLS policies enforced at the database level. No application bug can accidentally expose one customer's data to another.
• Tenant context enforcement. Each API request sets a database-level session variable identifying the current organization. RLS policies reference this variable to filter all queries automatically.
• Defense in depth. Isolation is enforced by the database engine, not just application logic. Survives even if application-level checks have a vulnerability.

• Email and password. 8+ characters, mixed case, numbers. Hashed with bcrypt (12 salt rounds). Never stored in plain text.
• Google SSO. OAuth 2.0 for streamlined corporate access.
• Magic-link sign-in. Passwordless via email with one-time tokens that expire in 5 minutes.
• 2FA / MFA. Authenticator apps (TOTP), SMS, email, and backup recovery codes. Admins can require 2FA org-wide.
• Account lockout. Auto-lock after repeated failed login attempts (30-minute cooldown).
• Session management. HTTP-only, secure cookies with SameSite=strict. Users can view and revoke active sessions per device.

Access to data is governed by a granular role system. Sensitive fields (SSN, salary, medical) are only visible to roles explicitly granted access, and every access is logged.

• XSS. Content Security Policy with nonce-based script validation. All user input sanitized.
• CSRF. Per-request tokens with constant-time comparison.
• SQL injection. Parameterized queries throughout. SQL identifier validation and sanitization on all inputs.
• Clickjacking. X-Frame-Options DENY; frame-ancestors CSP directive blocks embedding.
• Rate limiting. Redis-backed rate limiting on all API endpoints to prevent abuse and brute-force attacks.
• CORS whitelist. Only authorized origins can make API requests. Webhook signatures cryptographically verified.

• SSNs and financial data encrypted with dedicated, per-account AES-256-GCM keys.
• Every access to sensitive data is logged with who, when, and from where.
• IP allowlisting available for HR admin functions.
• MFA enforcement can be required for any role accessing sensitive HR data.
• Document access levels (public, employee-only, manager-only, HR-only, payroll-only) control who sees what.
• Profile privacy controls let employees manage the visibility of their personal info.

• Automatic daily backups of the entire database with 7-day retention.
• Point-in-time recovery for granular restoration to any moment.
• Encrypted backup storage in geographically isolated infrastructure.

• Real-time error tracking via Sentry with PII filtering.
• Security event logging — login attempts, access grants, role changes, sensitive data access — with timestamps, IPs, and user agents.
• CSP violation reporting to our monitoring endpoint.
• Confirmed incidents investigated, contained, and customers notified within 72 hours with a post-incident report.
• Passwords, tokens, and secrets stripped from all log output.

Built on enterprise-grade cloud services with independent security certifications.

• Use a strong, unique password (8+ chars with uppercase, lowercase, numbers).
• Enable two-factor authentication for your account.
• Never share your login credentials.
• Log out from shared or public computers after use.
• Review your organization's user list regularly and remove access for departing employees promptly.
• Report suspicious activity to security@lvlupperformance.com immediately.

If you discover a security vulnerability, please report it before disclosing it publicly. Email security@lvlupperformance.com with a description, steps to reproduce, and the potential impact. We acknowledge within 48 hours and aim to provide an initial assessment within 5 business days.