Security
How we protect your business data
Infrastructure
- Production infrastructure is hosted on OVH Cloud in Beauharnois, Canada.
- Public pages, app traffic, and session cookies are served over HTTPS.
- Operational access is limited to authorized maintainers.
Transport and storage
- Browser traffic uses HTTPS/TLS.
- Passwords stored using industry-standard hashing (bcrypt)
- Uploaded files and generated documents use the configured Rails storage layer; customer-facing exports are available in standard formats.
Credential custody
- Isafi does not publicly claim production-ready multi-tenant custody for Brazilian A1 certificates.
- Certificate-based fiscal automations remain roadmap until credential storage discovery is complete.
- Never email certificates or passwords to support.
Backup and recovery
- Database snapshots are taken periodically for operational recovery, stored in a volume separate from the production database.
- No public RPO/RTO commitment, nor geographic replication, is promised on this page.
- Customers should export and retain their own statutory records when required.
Access Controls
- Secure authentication via industry-standard libraries (Devise)
- Role-based access control (owner, admin, member, accountant)
- Session management through secure cookies and authentication controls
- Multi-tenant data isolation ensures clients cannot access each other's data
Audit & Transparency
- Accountant actions logged with timestamps
- Relevant accountant actions are recorded for audit
- Operational history is available for support and internal review
LGPD and data subject process
- LGPD requests can be sent to privacy@isafi.com.br.
- Security concerns can be sent to security@isafi.com.br.
- Requests are reviewed case by case, including access, correction, export, and deletion where legally applicable.
Your Data
- You own your data
- Export available in standard formats (CSV, PDF)
- Account deletion available upon request
Frequently Asked Questions
Where is my data stored?
Production infrastructure is hosted on OVH Cloud in Beauharnois, Canada. We avoid broader claims beyond the provider and region we operate on.
Is my data encrypted?
Traffic between your browser and Isafi uses HTTPS/TLS. Passwords are stored with bcrypt hashing. We do not use this page to claim every data class has the same at-rest treatment.
How are backups handled?
Database snapshots are taken periodically and stored in a volume separate from the production database. We do not promise geographic replication or a public RPO/RTO on this page. Customers who need formal guarantees should export and retain their own copies.
Who can access my data?
Access to your data is controlled through role-based permissions (owner, admin, member, accountant). You control who has access to your organization. Only authorized personnel with a legitimate business need can access customer data for support purposes.
Are accountant actions logged?
Yes. When an accountant performs relevant actions, those events are logged with timestamps for audit and support.
How do you protect my account?
We use secure password hashing (bcrypt), secure cookies, Devise authentication controls, and role-based access controls. Accountant access is auditable. We continuously evaluate additional security features.
How long is my data retained?
Your data is retained for as long as your account is active. If you close your account, you can request deletion of your data. Some data may be retained as required by law or for legitimate business purposes.
What happens if there's a security incident?
We have incident response procedures in place. In the event of a security incident affecting your data, we will notify you as required by applicable law and provide information about the incident and steps being taken.
Can I export my data?
Yes. You can export your data in standard formats (CSV, PDF) at any time. You own your data and can take it with you if you decide to leave.
Do you support two-factor authentication (2FA)?
Two-factor authentication via authenticator apps is on our roadmap and will be announced when available.
Do you custody A1 certificates?
We do not publicly claim production-ready multi-tenant fiscal certificate storage today. Certificate storage and official fiscal automations remain gated by a separate discovery.
Does Isafi help with security compliance?
Isafi provides HTTPS/TLS in transit, password hashing, role-based access controls, audit logs for accountant actions, and data export and deletion workflows. Your organization remains responsible for evaluating its own legal and professional obligations.
How do I report a security concern?
If you discover a potential security issue, please report it to security@isafi.com.br. We take all reports seriously and will investigate promptly.
Questions?
If you have additional questions about our security practices, please contact us:
Email: security@isafi.com.br
General Support: isafi.com.br/contact
See also: Privacy Policy | Terms of Service | Coverage | Pricing