Stepchild

Trust & Security

How we protect customer information across the Stepchild rental operations platform. This page describes our current controls and is maintained by the Stepchild team — it is not an independent certification.

Data protection

All customer and operational data is stored in a managed Postgres database with row-level security policies that restrict access to authorized staff and the account owner. Sensitive integrations (QuickBooks tokens, webhook secrets) are encrypted at rest and only decrypted inside server-side functions.

Authentication & access

Staff and client accounts authenticate through Supabase Auth. Role-based access is enforced server-side via a dedicated user_roles table and has_role() security-definer checks — client-side role hints are never trusted for authorization.

Transport & infrastructure

The application is served over HTTPS. Backend logic runs on managed serverless infrastructure with no long-lived servers to patch. Database backups are taken automatically by our hosting provider.

Privacy

We collect only the information needed to operate rentals: contact details, project metadata, payment terms, and document uploads (e.g. COI). We do not sell customer data. Customers may request export or deletion of their records by contacting their account manager.

Reporting a vulnerability

If you believe you have found a security issue, please email security@wearestepchild.com. We appreciate responsible disclosure and will respond as quickly as we can.

Questions about a specific control or contract? Reach out via the contact page.