Trust

Security at chckd

Your inspection data matters. Here's how we keep it safe.

We take security seriously — not because we have to, but because our users trust us with data that proves their teams did their jobs right. A compromised report could mean a failed audit, a liability claim, or a client lost.

Encryption

  • In transit: All traffic between your device and our servers is encrypted with TLS 1.2+ (HTTPS). No exceptions — every API call, every page load, every file upload.
  • At rest: All data is encrypted with AES-256 on our storage infrastructure. This includes database records, file uploads, and backups.
  • Photos and files: Stored on isolated, encrypted storage buckets with no public access. Each file has a unique, non-guessable URL.

Access controls

  • Authentication: Password-based login with bcrypt hashing (cost factor 12). Session tokens are cryptographically random and expire after a period of inactivity.
  • Authorization: Role-based access control (RBAC) ensures users only see data their role permits. Admin, manager, and inspector roles each have distinct permission levels.
  • Company isolation: Data is strictly scoped by company at the database level. One company's data is never accessible to another — enforced in every query.
  • Multi-factor authentication: Available for all accounts. Strongly recommended for admin users.
  • API keys: Scoped, rotatable, and logged. Revocable instantly from the dashboard.
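One way the company isolation and role rules listed above can be enforced in a Laravel application, shown here as an added illustration and not chckd's own code. It assumes a `submissions` table with a `company_id` column, a `role` column on `users`, and the role-to-permission mapping shown; all of those are assumptions, not something the page states.

```php
<?php
// Added example (not chckd's code): tenant scoping "enforced in every query"
// plus role-based authorization in Laravel. Table, column and class names and
// the role-to-ability mapping are assumptions. In a real app each class lives
// in its own PSR-4 file; they are shown together here for readability.

namespace App\Models\Scopes;

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Scope;

// A global scope is applied to every Eloquent query on the model it is
// registered on, so a forgotten ->where('company_id', ...) in one controller
// cannot expose another company's rows.
class CompanyScope implements Scope
{
    public function apply(Builder $builder, Model $model): void
    {
        $companyId = auth()->user()?->company_id;
        // With no authenticated user (console jobs, tests) the safe default is
        // "no rows", never "all rows"; -1 is a sentinel that matches nothing.
        $builder->where($model->qualifyColumn('company_id'), $companyId ?? -1);
    }
}

namespace App\Models;

use App\Models\Scopes\CompanyScope;
use Illuminate\Database\Eloquent\Model;

class Submission extends Model
{
    // company_id is deliberately not mass-assignable, so a client cannot pick
    // the tenant by adding it to a form or JSON body.
    protected $fillable = ['title', 'notes'];

    protected static function booted(): void
    {
        static::addGlobalScope(new CompanyScope);

        // Stamp the tenant on insert from the session, never from request input.
        static::creating(function (Submission $submission): void {
            if ($user = auth()->user()) {
                $submission->company_id = $user->company_id;
            }
        });
    }
}

namespace App\Policies;

use App\Models\Submission;
use App\Models\User;

class SubmissionPolicy
{
    // Role names follow the page (inspector, manager, admin); which abilities
    // each role gets is an assumed mapping for the example.
    private const ABILITIES = [
        'inspector' => ['view', 'create'],
        'manager'   => ['view', 'create', 'update'],
        'admin'     => ['view', 'create', 'update', 'delete'],
    ];

    public function view(User $user, Submission $s): bool   { return $this->allows($user, 'view', $s); }
    public function update(User $user, Submission $s): bool { return $this->allows($user, 'update', $s); }
    public function delete(User $user, Submission $s): bool { return $this->allows($user, 'delete', $s); }

    private function allows(User $user, string $ability, Submission $s): bool
    {
        // Defence in depth: re-check the tenant even though the global scope
        // already hides other companies' rows from the query that loaded $s.
        return $s->company_id === $user->company_id
            && in_array($ability, self::ABILITIES[$user->role] ?? [], true);
    }
}
```

Controllers then call `$this->authorize('update', $submission)` before mutating a record, and any code that legitimately needs to cross tenants (a scheduled job, for instance) must opt out explicitly with `Submission::withoutGlobalScope(CompanyScope::class)`, which makes every cross-company read visible in code review.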

Infrastructure

  • Hosted on cloud infrastructure with SOC 2 Type II compliance.
  • Automated security patches applied within 24 hours for critical vulnerabilities.
  • Dependency scanning in CI/CD pipeline — no known vulnerable dependencies in production.
  • Automated daily backups with point-in-time recovery (30-day retention).
  • Network monitoring and intrusion detection systems.
  • Separate environments for production, staging, and development.

Application security

  • Input validation: All user input is sanitized and validated server-side. Never trust the client.
  • CSRF protection: Cross-site request forgery tokens on every form and state-changing request.
  • XSS prevention: Output encoding on all rendered content. Content Security Policy headers restrict script execution.
  • SQL injection: Parameterized queries via Laravel's query builder and Eloquent ORM. No raw SQL with user input.
  • File upload security: Strict MIME type validation, file size limits, virus scanning, and isolated storage. Uploaded files are never served directly from the application server.
  • Rate limiting: API endpoints and authentication routes are rate-limited to prevent brute force and abuse.
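To make concrete what "parameterized queries, no raw SQL with user input" protects against, here is an added example that is not chckd's code. It uses plain PHP with PDO and an in-memory SQLite table so it runs from php-cli without Laravel; Laravel's query builder binds values the same way underneath. The table, rows and search term are constructed for the example.

```php
<?php
// Added example (not chckd's code): interpolating user input into SQL text
// versus binding it as a parameter. PDO + in-memory SQLite so it runs
// stand-alone; table contents and the search term are constructed.

declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE submissions (id INTEGER PRIMARY KEY, company_id INTEGER, title TEXT)');
    $db->exec("INSERT INTO submissions (company_id, title) VALUES
        (1, 'Forklift daily check'), (1, 'Ladder inspection'), (2, 'Crane inspection')");
    return $db;
}

// Vulnerable: the search term becomes part of the SQL text, so a quote in it
// changes the structure of the statement instead of being treated as data.
function searchInterpolated(PDO $db, int $companyId, string $term): array
{
    $sql = "SELECT title FROM submissions WHERE company_id = $companyId AND title LIKE '%$term%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the SQL text is fixed at prepare time; the term travels to the
// engine separately as a bound value and is never parsed as SQL. The tenant id
// comes from the server-side session, not from the request.
function searchBound(PDO $db, int $companyId, string $term): array
{
    $stmt = $db->prepare(
        'SELECT title FROM submissions WHERE company_id = :company AND title LIKE :term'
    );
    $stmt->execute([':company' => $companyId, ':term' => "%{$term}%"]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input containing a quote and a SQL comment marker.
function demo(): array
{
    $db   = makeDb();
    $term = "x%' OR 1=1 --";
    return [
        'interpolated' => searchInterpolated($db, 1, $term),
        'bound'        => searchBound($db, 1, $term),
    ];
}

print_r(demo());
```

Running it shows the point of the bullet: the interpolated query's tenant filter is bypassed and titles from company 2 come back alongside company 1's, while the bound query searches for the literal string and returns an empty list. The same contrast holds in Laravel between `DB::select("... '$term'")` and `DB::table('submissions')->where('title', 'like', "%{$term}%")`.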

Incident response

If we discover a security vulnerability or data breach:

  • We investigate within 24 hours of discovery.
  • Affected users are notified within 72 hours, or sooner if there's an immediate risk.
  • We publish a post-incident summary describing what happened, what was affected, and what we fixed.
  • We cooperate with relevant authorities as required by applicable law.

Data handling and retention

  • Submissions, photos, and files are retained while your account is active.
  • Account deletion permanently removes all data within 30 days.
  • Backups are purged within 90 days of deletion.
  • We do not share data with third parties except those essential to service operation (Paystack for payments, email providers for delivery).
  • Automated data retention policies prevent indefinite storage of stale data.

Vulnerability reporting

We welcome responsible disclosure of security vulnerabilities. If you discover a vulnerability, please report it to security@codesmithsystems.com.

  • Please provide a detailed description of the vulnerability.
  • Include steps to reproduce the issue.
  • Allow us reasonable time to address the issue before public disclosure.
  • We will acknowledge your report within 48 hours and provide a timeline for resolution.

Compliance

chckd is designed to help you meet compliance requirements (ISO, OSHA, local regulations), but we do not certify compliance on your behalf. You are responsible for ensuring your use of chckd meets applicable regulatory standards in your jurisdiction.

We maintain documentation and audit trails that can support your compliance efforts, including submission timestamps, user attribution, and change logs.

Questions?

For security inquiries: security@codesmithsystems.com

For general trust and compliance: info@codesmithsystems.com