Trust Center
Your HR data is sensitive. Here's exactly how we protect it - written for the decision-makers who need to evaluate us against bigger Western players.
Last updated: May 26, 2026
Our principles
Your data is yours
You can export everything, anytime. We never sell, license, or share it with advertisers or AI training datasets.
Each tenant is isolated
Every database query scopes to your tenant. Cross-tenant data access is impossible at the data layer, not just at the UI.
Built locally, hosted globally
Engineered in Conakry by 224 TECH. Hosted on tier-1 cloud infrastructure with multi-region backups.
Transparent by default
We publish our sub-processor list, breach notification SLA, and uptime numbers in plain sight.
Encryption
- In transit - TLS 1.3 for all browser ↔ server and server ↔ database traffic.
- At rest - AES-256 for the primary database and all backups.
- Secrets - environment variables and signing keys are managed by Vercel's encrypted secret store; never committed to source.
- TOTP secrets - encrypted with AES-256-GCM in the database; the encryption key is held outside the database.
Tenant isolation
- Every row in every tenant-scoped table carries a `tenantId`.
- All server actions resolve the current tenant from the session - never from client input.
- Database-level queries are scoped before they hit the database; there is no path where a request from tenant A can read data from tenant B.
- Photos and payment proofs sit in private object storage with cuid-based paths (effectively unguessable).
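An illustration of the pattern in the list above, added here and not 224 TECH's own code: the tenant is resolved from a server-side session, and a data-access handle applies `tenantId` to every query after any caller-supplied filter. The in-memory table, session tokens and function names are constructed for the example.

```javascript
// Added example, not the vendor's code. All names and data below are constructed.

// Rows in a tenant-scoped table: every row carries a tenantId.
const employees = [
  { id: "e1", tenantId: "tenant_a", name: "Aissatou" },
  { id: "e2", tenantId: "tenant_a", name: "Mamadou" },
  { id: "e3", tenantId: "tenant_b", name: "Fatoumata" },
];

// Server-side session store: opaque token -> identity. Never sent by the client.
const sessions = new Map([
  ["sess-a", { userId: "u1", tenantId: "tenant_a", revoked: false }],
  ["sess-b", { userId: "u2", tenantId: "tenant_b", revoked: false }],
]);

// The tenant comes from the session only; unknown or revoked sessions are rejected.
function resolveTenant(sessionToken) {
  const session = sessions.get(sessionToken);
  if (!session || session.revoked) throw new Error("unauthenticated");
  return session.tenantId;
}

// Data-access handle bound to one tenant. tenantId is spread last, so it
// overrides any tenantId a caller (or client input) placed in the filter.
function scopedDb(tenantId) {
  const inScope = (row, where) =>
    Object.entries({ ...where, tenantId }).every(([key, value]) => row[key] === value);
  return Object.freeze({
    findMany: (where = {}) => employees.filter((row) => inScope(row, where)),
    findById: (id) => employees.find((row) => inScope(row, { id })) ?? null,
  });
}

// Hypothetical server actions: client input is passed through as a filter,
// but it cannot change which tenant the query runs against.
function listEmployees(sessionToken, clientInput = {}) {
  return scopedDb(resolveTenant(sessionToken)).findMany(clientInput);
}

function getEmployee(sessionToken, id) {
  return scopedDb(resolveTenant(sessionToken)).findById(id);
}
```

A request from tenant A that supplies `tenantId: "tenant_b"` or a tenant B row id gets tenant A's rows or `null`, which is the behaviour a cross-tenant regression test should assert.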
Backups & recovery
- Daily encrypted backups of the primary database, retained for 30 days.
- Point-in-time recovery available within the last 7 days.
- Backups are stored separately from the primary database, with their own access controls.
- Recovery drills are run quarterly.
Access control
- Production access is limited to a small set of 224 TECH engineers, each with their own credentials.
- All production access is logged.
- Sessions for tenant users are server-validated and can be revoked instantly by admins.
- Multi-factor authentication available on all paid plans; required for ADMIN role on Enterprise.
Breach notification
If we discover unauthorized access to your data, we will notify the admins of every affected tenant within 72 hours of confirmation. Notification includes what happened, what data was affected, what we've done about it, and what you should do.
Sub-processors
We use the smallest possible set of vendors. Every one is bound by a data-processing agreement.
| Sub-processor | Purpose |
| --- | --- |
| Vercel | Application hosting, edge network, file storage (Vercel Blob) |
| Neon | Managed Postgres (data persistence, point-in-time recovery) |
| Sentry | Error monitoring (no PII; pseudonymous user IDs only) |
| Resend | Transactional email delivery (notifications, password resets) |
| Clerk | Authentication identity bridge (admin-side only) |
| Atlassian | Customer support ticketing (paid plans only) |
Data deletion
You can request deletion at any time. Active tenant data is purged within 30 days of cancellation (backups expire on the same 30-day rolling window). Statutory records (payslips, audit logs) are retained in a separate archive for the period required by Guinean law.
Availability
Service-level objectives are stated in your paid-plan subscription. Status and incident history will be published once our public status page goes live (Q3 2026).
Reporting a vulnerability
Found a security issue? Email security@224tech.com. We acknowledge within 1 business day, triage within 5, and resolve critical issues within 30. We don't take legal action against good-faith researchers. Our full disclosure policy lives in the repository at SECURITY.md.
Contact
Security or compliance question? Write to privacy@224tech.com. We answer every message.