Encrypted transport
Production browser, API, webhook, and background traffic is served over HTTPS with modern TLS termination through managed hosting infrastructure.
Barker security posture
Barker protects company operations data, customer records, estimates, jobs, documents, payments, worker access, and secure customer links with tenant boundaries, scoped roles, audit evidence, and managed infrastructure controls.
Managed database and object-storage providers encrypt persisted data at rest. Connected document providers may also store customer-selected files under the company's own provider account.
Company users use server-side sessions and httpOnly cookies. Passwords are hashed with a memory-hard KDF. Worker access uses scoped phone/SMS login for assigned field work.
Owner, Admin, Sales, and Worker roles are separated. Workers are scoped to assigned jobs and do not see pricing, payment history, broad CRM history, or unrelated jobs by default.
Core Barker records are company-scoped. Sensitive actions such as user changes, payments, exports, permission updates, and customer-link events are designed to write audit evidence.
Customer-facing estimate, document, and payment access uses purpose-specific signed links instead of reusable customer portal accounts in the first version.
Confirmed incidents are assessed for scope, containment, customer notice, and legal obligations. Production readiness includes final provider, key-rotation, and live-smoke checks.
Barker launch work is tracked through auditable implementation slices with targeted tests, route scans, and product/security review before production use.
Report suspected vulnerabilities to security@barkercrm.com. Include the affected URL, reproduction steps, impact, and any non-sensitive proof of concept. Do not access, modify, or exfiltrate data that does not belong to you.