Security & Legal

Security information, terms, privacy, compliance.

Written By Victor Raessen

Last updated 16 days ago

Salesbuildr takes the security of your data seriously. This page describes our security practices, compliance posture, privacy policies, and legal documentation.

Compliance posture

Salesbuildr maintains an Information Security Management System (ISMS) aligned with ISO 27001:2022 and SOC 2 Type II Trust Services Criteria (Security, Availability, Confidentiality). We are actively working toward formal certification on both frameworks.

Our ISMS covers all information assets, systems, processes, and people involved in the delivery of the Salesbuildr platform, including:

The Salesbuildr SaaS application and all supporting infrastructure
Customer data processed and stored across integrations
Internal business systems and tooling
All employees, contractors, and third parties with access to company systems

We also comply with the GDPR for the processing and protection of personal data of EU-based customers and their contacts.

Authentication

Salesbuildr supports three authentication methods, configurable per tenant (see Platform & Pricing for admin settings):

MethodDescription
Email and password	Standard email/password login with email verification
Google	OAuth-based sign-in with Google accounts
Microsoft	OAuth-based sign-in with Microsoft accounts

Admins can enable or disable each method at Admin > Platform > Authentication. At least one method must remain active.

Session management

Sessions automatically expire after a configurable timeout. Admins can set the timeout at Admin > Platform > Authentication:

15 minutes, 30 minutes, 1 hour, 2 hours (default), 1 day, 1 week, 2 weeks

Domain restrictions

The MSP domains setting lets admins specify which email domains require an invitation to log in. Users with matching email domains cannot self-register — they must be explicitly invited by an admin.

Email verification

Users signing in via Google or Microsoft are automatically email-verified through the OAuth provider. Password-based users must verify their email before gaining full access.

Access control

Salesbuildr uses role-based access control (RBAC) to protect resources:

Admin role bypasses all permission checks
Base user role provides standard access
Viewer license for read-only access (not billed)
Custom roles with granular permissions can be created on Advanced and Premium plans. See Users & Permissions for full details

Nine permissions control access to specific resources: quote management, product viewing and management, product imports, pricing books, company management, whitespace, and procurement.

Internally, Salesbuildr follows the principle of least privilege. Employee access is provisioned based on job responsibilities, and privileged access to production systems is restricted to authorised personnel.

Security headers

Salesbuildr enforces strict HTTP security headers on all responses:

HeaderValue
Strict-Transport-Security	`max-age=15552000` (180 days)
X-Frame-Options	`DENY`
X-Content-Type-Options	`nosniff`
Referrer-Policy	`strict-origin-when-cross-origin`
Content-Security-Policy	Nonce-based script policy with strict-dynamic

The Content Security Policy uses a fresh cryptographic nonce per request to allow only authorized scripts. CSP violation reports are monitored by the security team.

Data protection

Encryption

In transit — all data is encrypted using TLS 1.2 or higher (HTTPS). HSTS headers enforce secure connections
At rest — data is encrypted at rest using AES-256 through provider-managed encryption on all storage services

Infrastructure

Salesbuildr runs on enterprise-grade cloud infrastructure with Firebase (Google Cloud Platform) for data storage and authentication, and Microsoft Azure for application hosting. The platform operates across three geographic regions (EU, AU, US), each with independent data storage for data residency compliance.

Production, staging, and development environments are logically separated. Network access is governed by firewall rules, and no unnecessary ports or services are exposed.

Rate limiting

API requests are rate-limited to protect platform stability:

Public API — 500 requests per 10-minute rolling window per tenant
Frontend — IP-based and tenant-based rate limiting to prevent abuse
Rate limit stores are backed by Redis for consistent enforcement across application instances

Input validation

All API requests are validated using strict input rules:

Unknown fields are stripped from requests
Non-whitelisted fields are rejected
Request body size is limited to 10 MB

Secure development lifecycle

Salesbuildr follows industry-standard secure development practices aligned with OWASP guidelines:

Code review — all changes require a pull request with at least one independent reviewer. No direct commits to production branches
Automated security scanning — security scans run on every pull request, covering source code, dependencies, and container images. Critical and high-severity findings block merges
Segregation of duties — the code author cannot approve their own changes. Deployments require separate authorisation
No direct production access — developers do not have direct access to production databases or servers
Emergency change procedures — hotfixes follow a documented emergency process with mandatory post-incident review

Vulnerability management

Vulnerabilities are identified through automated scanning of code, dependencies, and infrastructure. Each finding is triaged by severity and assigned a remediation SLA:

Severity	Remediation target
Critical	7 days
High	30 days
Medium	90 days
Low	Monitored and addressed as appropriate

Findings are tracked to resolution and reviewed as part of our regular compliance cycle.

Incident response

Salesbuildr maintains a documented incident response plan that covers identification, containment, eradication, recovery, and post-incident review. Key commitments:

Detection and triage — infrastructure and application events are monitored. Anomalies trigger automated alerts for investigation
Customer notification — in the event of a confirmed data breach affecting customer data, we notify affected customers without undue delay, in compliance with GDPR Article 33 requirements
Post-incident review — every significant incident is followed by a root cause analysis and corrective action plan
Service status — planned maintenance and incident updates are published on our Service Status page

Business continuity and disaster recovery

Salesbuildr maintains a business continuity and disaster recovery (BCP/DR) plan to ensure service availability:

Automated backups — all customer data is backed up automatically. Backup integrity is verified regularly
Restore testing — backup restore procedures are tested periodically to validate recovery capability
Geographic redundancy — infrastructure spans multiple regions with independent data storage, reducing the impact of regional outages
DR exercises — disaster recovery scenarios are exercised annually with documented results and lessons learned

Admins can also generate on-demand backups at Admin > Tools > Maintenance > Generate Backup, available as a downloadable ZIP file.

Monitoring and logging

Salesbuildr monitors infrastructure and application health continuously:

Infrastructure monitoring — resource utilisation, availability, and performance metrics are tracked with automated alerting for anomalies and failures
Application logging — errors and security-relevant events are logged centrally for investigation and audit purposes
Capacity planning — resource utilisation is monitored to prevent service degradation, with scaling plans in place

Employee security

Salesbuildr implements security controls across the full employee lifecycle:

Background checks — all new hires complete background verification before or during onboarding
Confidentiality agreements — NDA and IP assignment agreements are signed before system access is granted
Security awareness training — all employees complete security awareness training (including GDPR and secure coding modules) within their first two weeks and on an ongoing basis
Device management — all devices accessing company systems are enrolled in endpoint monitoring
Secure offboarding — access is revoked within 24 hours of departure. Devices are collected or wiped, and data is handled per our retention policy

Sub-processors

Salesbuildr uses the following sub-processors to deliver the Service. Each sub-processor is assessed for security and privacy compliance, and a Data Processing Agreement (DPA) is in place for each.

Processor	Data processed	Purpose
Google Firebase	Full name, email address of external (customer) and internal (employee) contacts	Authentication, database, storage
Elasticsearch	Full name, email address of external and internal contacts	Search capabilities
Datadog	Full name, email address of external and internal contacts	Error logging and monitoring
Intercom	Full name, email address of internal (employee) contacts	Support capabilities

Salesbuildr reviews critical third-party vendors at least annually as part of its vendor management programme. Vendor contracts include breach notification clauses and, for critical vendors, right-to-audit provisions.

Hosting infrastructure

Salesbuildr's infrastructure is hosted in ISO 27001, SOC 1 & SOC 2, PCI Level 1, FISMA Moderate, and SOX certified data centres:

Google Firebase — Region: Netherlands and Germany (authentication, database, storage)
Microsoft Azure — Region: West Europe / Amsterdam, Netherlands (App Service and SSL certificates)
Elasticsearch — Region: Germany (search service)

Certification details:

Google Firebase: firebase.google.com/support/privacy
Microsoft Azure: learn.microsoft.com/en-GB/azure/compliance
Elastic: elastic.co/security-and-compliance
Datadog: datadoghq.com/security

Cookie consent

Salesbuildr uses Cookiebot for cookie consent management. The consent banner appears for new visitors and allows granular control over cookie categories.

PSA data flows

After enabling the integration with your PSA, Salesbuildr performs an initial synchronisation to pull in your users, companies, contacts, products, services, and labour. Opportunities you create are synchronised so you can create linked quotes.

Salesbuildr Entity	Action	PSA Entity
Users	Read from PSA	Users
Companies	Read, create, update	Companies
Contacts	Read, create, update	Contacts
Products	Read, create, update	Products
Services	Read, create, update	Services
Labour	Read from PSA	Labour
Opportunities	Read, create, update	Opportunities
Quotes	Create only	Quotes

Legal documentation

Terms of service

Your use of Salesbuildr is governed by our Terms of Service. The Terms of Service URL is configurable per tenant and displayed in the application footer.

Privacy policy

Our Privacy Policy describes how we collect, use, and protect personal data. The Privacy Policy URL is configurable per tenant and displayed in the application footer.

Terms and conditions for quotes

Salesbuildr includes a dedicated Terms & Conditions feature for quote proposals. Admins can configure T&C content at the platform level, and recipients must accept them before completing a quote approval. Consent is tracked per company with timestamps and user attribution.

Two consent modes are available:

Explicit — recipients must actively accept the terms
Implicit — terms are shown but acceptance is assumed

Data Processing Agreement

A Data Processing Agreement (DPA) clause under GDPR is included in our general terms and conditions.

Security contact

For security-related inquiries or to report a vulnerability, contact support@salesbuildr.com. Salesbuildr publishes a security.txt file at /.well-known/security.txt per industry standard.

GDPR compliance

Salesbuildr is committed to GDPR compliance for EU customers:

Data residency — EU customer data is stored in the EU region by default. AU and US regions are available for customers in those geographies
Data export — admins can generate full account backups for data portability
Data deletion — contact support to request account data deletion
Data subject requests — DSARs (access, rectification, erasure) can be submitted via support and are processed in accordance with GDPR timelines