
Security & Trust

Last updated May 7, 2026

This page is the canonical statement of RowRouter’s security posture. It is written for buyers, security reviewers, and anyone completing a vendor questionnaire. Every claim below corresponds to a control implemented in production today — not a roadmap or a marketing summary. Where we don’t have a control yet, we say so explicitly.

1. Posture summary

  • Operator: RowRouter is a small, focused team. We do not subcontract development, support, or operations to third parties. Production access is limited to the founder.
  • Hosting region: United States (Fly.io, Ashburn / U.S. East). Customer data does not transit other regions in the normal course of operation.
  • Tenant model: single-region, multi-tenant Postgres with row-level scoping by Operator. There is no shared dataset across tenants other than schema and feature configuration.
  • Authentication: passwordless. Operators sign in via single-use email magic links; recipients authenticate by possession of an opaque per-row token in the link URL.
  • Audit: every link open, submit, retry, and upstream API response is recorded with a timestamp, IP, and the HTTP status returned by the connected data source.
  • Compliance status: a published Data Processing Addendum incorporating EU Standard Contractual Clauses, UK IDTA, and Swiss FDPIC adequacy. CCPA Service Provider terms are certified explicitly in the DPA. We do not hold a SOC 2 attestation today — see §10 for our position.

2. Encryption

2.1 In transit

All operator and recipient traffic is served over HTTPS with TLS 1.2+ enforced at the edge by Fly.io. HTTP requests are redirected to HTTPS. The dashboard is gated by an HTTP-only, secure, same-site session cookie (rr_session) carrying an HMAC-SHA256-signed payload. Recipient links use opaque 43-character tokens transmitted only over HTTPS; the token-redaction middleware sets Referrer-Policy: no-referrer on recipient pages so outbound links cannot leak the URL.

2.2 At rest

  • Connection credentials for every connected data source — Personal Access Tokens, OAuth access tokens, and OAuth refresh tokens — are encrypted with AES-256-GCM using versioned keys. Each ciphertext carries its own initialization vector and authentication tag and is bound to its connection ID and role (PAT, access, or refresh) via additional authenticated data (AAD), so a ciphertext cannot be transplanted between rows or roles without breaking the tag check.
  • Recipient link tokens are stored only as their SHA-256 hash. Once a link is issued, the plaintext value is not recoverable from our database — including by us. Lookup is constant-time against the hash column.
  • Operator magic-link tokens are stored only as their SHA-256 hash, single-use, and invalidated 15 minutes after issue.
  • Database storage is hosted on Fly Postgres with volume-level encryption at rest provided by the underlying infrastructure.

3. Authentication and session security

  • No passwords. RowRouter does not store password hashes or accept password-based sign-in. Operator authentication is exclusively by single-use email magic link.
  • Magic-link expiry: 15 minutes from issue. Tokens are single-use; consumption invalidates the token.
  • Session cookie: 30-day sliding lifetime, HTTP-only, Secure, SameSite=Lax, signed with HMAC-SHA256. The cookie holds an opaque session identifier; no personally identifying data is stored client-side.
  • Recipient access is by capability: possession of the opaque link token authorizes exactly one record edit, scoped to exactly the fields the Operator allowed. Recipients never create accounts and cannot enumerate other rows.
  • OAuth refresh is centralized in a single helper (getCredentialsForConnection) that delegates to the relevant provider’s refreshCredentials implementation. Failed refreshes mark the connection revoked automatically so a leaked or rotated refresh token cannot be re-used silently.

4. Audit logging

Every interaction with a recipient link generates an edit_event row capturing: timestamp, link ID, recipient IP, user-agent string, event type (open, submit_ok, submit_failed, etc.), the upstream provider’s HTTP status code, and any error message returned. The Operator can inspect this log for any link they generated. Audit-event data is retained for the life of the parent form and is not surfaced to recipients.

5. Access controls

  • Tenant isolation. Every data-bearing query is scoped by user_id at the application layer. Forms, connections, links, audit events, and pending submissions cannot be read or written by an Operator other than their owner.
  • Administrative access to the production database is restricted to the founder via Fly.io machine access controls and SSH key authentication. There is no third-party support tooling with read/write access to customer records.
  • Production isolation. The production environment is separate from staging and local development. No customer data is copied into non-production environments.
  • Secrets management. Application secrets (encryption keys, API keys, signing secrets) are stored in Fly.io’s encrypted secrets store and injected as environment variables; they are not committed to source control.
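The tenant-isolation bullet above (every data-bearing query scoped by user_id at the application layer) is easiest to reason about as a single data-access guard. The block below is an added example rather than RowRouter's code: the table contents, the session shape, the function names and the denied-access sink are assumptions, and an in-memory array stands in for Postgres.

```javascript
// Added example (not RowRouter's code): an application-layer tenant guard.
// The owner comes from the authenticated session, never from the request, and
// another Operator's row is indistinguishable from a row that does not exist.
const tables = {
  forms: [
    { id: 'form-1', user_id: 'op-a', title: 'Vendor onboarding' },
    { id: 'form-2', user_id: 'op-b', title: 'Pricing refresh' },
  ],
};

const deniedAccess = []; // constructed stand-in for an audit/alert sink

function scopedFind(session, table, id) {
  if (!(table in tables)) throw new Error(`unknown table: ${table}`);
  const row = tables[table].find(r => r.id === id);
  if (!row) return null;
  if (row.user_id !== session.userId) {
    // Record the cross-tenant attempt for review, but answer exactly as for a
    // missing row so the response is not an existence oracle.
    deniedAccess.push({ userId: session.userId, table, id });
    return null;
  }
  return row;
}

function scopedUpdate(session, table, id, patch) {
  if ('user_id' in patch) throw new Error('ownership is not client-writable');
  const row = scopedFind(session, table, id);
  if (!row) return false;
  Object.assign(row, patch);
  return true;
}

// The equivalent parameterised statement the guard would issue against
// Postgres: the user_id predicate is added here, never left to the caller.
function scopedSelectSql(table) {
  if (!(table in tables)) throw new Error(`unknown table: ${table}`);
  return `SELECT * FROM ${table} WHERE id = $1 AND user_id = $2`;
}
```

The table name is checked against a fixed allow-list before it is interpolated, and the row id and owner are always bound as parameters; the `deniedAccess` entries are what an operator would review when looking for enumeration attempts.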

6. Subprocessors

The complete list of subprocessors that may receive Personal Data processed on an Operator’s behalf, with the function each performs and the country of primary processing:

  • Fly.io, Inc. Function: application hosting, Postgres database, operational logs. Region: United States (Ashburn, VA). Transfer mechanism: EU SCCs / UK IDTA.
  • Resend, Inc. Function: transactional email delivery (sign-in + recipient invites). Region: United States. Transfer mechanism: EU SCCs / UK IDTA.
  • Stripe, Inc. (and EU/UK affiliates). Function: subscription billing and payment processing. Region: United States; EEA payments routed via Stripe Payments Europe Ltd. (Ireland). Transfer mechanism: EU SCCs (intra-Stripe) / UK IDTA; Stripe is the controller of payment-card data.

Connected data sources (Airtable, Notion, monday.com, HubSpot, Smartsheet, Shopify, QuickBooks Online) are the destinations the Operator chooses to expose and are not subprocessors of RowRouter; the Operator’s relationship with each provider is governed independently.

Operators are notified of any new subprocessor at least 30 days before it begins processing Personal Data, with the right to object on reasonable data-protection grounds (see DPA §6).

7. Data retention

Retention durations are codified in the Privacy Policy §8 and summarized here for procurement review:

  • Account records (Operator email, name) — for the life of the account.
  • Magic-link tokens — invalidated on consumption or after 15 minutes; purged on a rolling basis.
  • Connection credentials — retained encrypted until the Operator disconnects or deletes the connection.
  • Recipient links and audit events — retained while the parent form is active.
  • Server logs and operational metrics — age out on a short rolling window unless retained longer to investigate a specific incident.
  • Post-termination Customer Data — retained for 30 days for export, then deleted from active systems. Operational backups age out per Fly.io’s retention schedule.

8. Incident response and breach notification

  • Triage: we acknowledge security reports within 24 hours.
  • Investigation: incidents are investigated against the audit log and provider-side records; affected rows and connections are isolated as needed.
  • Notification: in the event of a Personal Data breach affecting Customer Data, we notify the affected Operator without undue delay and in any event within 72 hours of becoming aware, providing the information required by Art. 33 GDPR for the Operator to discharge its own notification obligations (DPA §8).
  • Token-redaction middleware (x-rr-path-redacted) prevents recipient link tokens from being captured by structured logging or third-party SDKs.
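The token-redaction middleware named in this bullet and in 2.1 (the opaque link token is kept out of anything that logs the request path, and recipient pages carry Referrer-Policy: no-referrer) can be shown as a small request filter. This is an added example, not RowRouter's middleware: the recipient route shape (`/r/<token>`), the request and response objects, and the use of x-rr-path-redacted as a response header with the value `1` are assumptions made here; the page names the marker but not its exact form.

```javascript
// Added example (not RowRouter's code): strip the 43-character link token from
// the request URL before downstream loggers or SDKs see it, mark the request as
// redacted, and send Referrer-Policy: no-referrer on recipient pages.

// Assumed route shape: /r/<token>, token = 43 base64url characters.
const TOKEN_RE = /^\/r\/([A-Za-z0-9_-]{43})(?=[/?#]|$)/;

function redactPath(url) {
  const m = TOKEN_RE.exec(url);
  if (!m) return { url, redacted: false, token: null };
  // Replace only the token segment; query string and trailing path survive.
  return { url: '/r/[redacted]' + url.slice(3 + 43), redacted: true, token: m[1] };
}

// req/res are constructed stand-ins for the framework's objects: req has
// method and url, res has a headers map, next(req, res) is the handler.
function recipientMiddleware(req, res, next) {
  const { url, redacted, token } = redactPath(req.url);
  if (!redacted) return next(req, res);           // not a recipient page: untouched
  req.linkToken = token;                           // handler reads the token from here
  req.url = url;                                   // everything downstream sees the redacted path
  res.headers['x-rr-path-redacted'] = '1';         // assumed header name/value
  res.headers['Referrer-Policy'] = 'no-referrer';  // outbound links send no referrer
  return next(req, res);
}

// An access-log line as a downstream logger would write it from req.url.
function accessLogLine(req, res, status) {
  return `${req.method} ${req.url} ${status} redacted=${res.headers['x-rr-path-redacted'] || '0'}`;
}

// Runs one request through the middleware with a handler that just returns
// what it was given, so the effect on req and res can be inspected.
function handle(req) {
  const res = { headers: {} };
  return recipientMiddleware(req, res, (r, s) => ({ req: r, res: s }));
}
```

The order matters: the rewrite of `req.url` happens before any handler, logger or error-reporting SDK runs, so the only place the token exists after this point is `req.linkToken`, which the handler hashes for the lookup and never logs.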

9. Compliance and certifications

  • GDPR & UK GDPR — Article 28 processor terms. Published in our standing Data Processing Addendum, including EU Standard Contractual Clauses, UK IDTA, and Swiss FDPIC adequacy as applicable.
  • CCPA / CPRA — Service Provider certification. RowRouter is certified as a Service Provider under Cal. Civ. Code §1798.140(ag) within the DPA. We do not sell Personal Information, share it for cross-context behavioral advertising, or retain, use, or disclose Personal Information outside the direct business relationship with the Operator.
  • HIPAA: RowRouter is not a HIPAA-suitable vendor. Operators must not configure the Service to process Protected Health Information.

10. SOC 2 status

RowRouter does not currently hold a SOC 2 attestation. We have chosen to defer SOC 2 audit work until customer demand for attestation is concrete — i.e., until specific deals require it. This is an explicit decision, not an oversight. The reasoning:

  • A SOC 2 audit costs $20–30K all-in and consumes 100+ founder hours of evidence collection over a 6-month evidence window.
  • For a single-founder operation, the controls a SOC 2 auditor would test for — encryption, audit logging, access scoping, incident response, change management — are already in place and documented on this page.
  • The marginal value of SOC 2 to most Operators is low; the marginal value of shipping product features is high.

Buyers who require SOC 2 should reach us at security@rowrouter.com. If the deal warrants the investment we will commit to a Type 1 audit timeline in the contract; otherwise we will be honest that RowRouter may not be the right vendor today.

11. Vulnerability disclosure

Report security vulnerabilities to security@rowrouter.com. We acknowledge reports within 24 hours and will work in good faith with researchers who follow responsible disclosure. We do not currently run a paid bug-bounty program. Please:

  • Avoid testing against other Operators’ data; use your own account or contact us for an isolated test environment.
  • Avoid automated scans that could degrade availability.
  • Give us reasonable time to remediate before public disclosure.

12. Documentation available on request

The following documents are available on request from security@rowrouter.com for customers under an existing or prospective subscription:

  • Counter-signed DPA on the customer’s paper or our standard form;
  • CAIQ Lite and SIG Lite security-questionnaire responses;
  • Architecture overview describing data flow between RowRouter, the Operator’s connected data sources, and recipients;
  • Penetration-test summary if and when one has been conducted (none on file as of the date above);
  • Subprocessor-change notification list (subscribe via email).

13. Contact

Security: security@rowrouter.com
Privacy & data-subject requests: privacy@rowrouter.com
General support: support@rowrouter.com

© 2026 RowRouter