Security overview
Security practices for Uniiq Operations
On this page
Overview
Uniiq Operations is built for multi-tenant operations: authenticated access, organisation and site context on API requests, and role-based permissions.
No system is perfectly secure — please report concerns promptly via Contact.
Platform controls
Encryption in transit
Web and API traffic uses TLS when the service is served over HTTPS (standard in production).
- HTTPS in production for web and API endpoints
Encryption at rest
Database and object storage rely on our infrastructure providers’ encryption; we do not operate a separate customer-managed keys (BYOK) model in the pilot product.
Access control
Role-based access control (RBAC) with permissions checked on the server for operational modules (people, projects, roster, dispatch, billing, and related areas), combined with site scope where your membership defines it.
Tenant and site context
Authenticated API handlers resolve your active organisation and permitted sites before reading or writing tenant data.
- Direct database access from browsers is blocked
- Application APIs use a controlled server path
Authentication
Session-based sign-in (Supabase Auth) with secure cookie settings in production deployments.
Audit logging (partial)
Selected administrative and billing-sensitive actions (for example account authority and platform billing administration) are recorded in audit tables where that logging is implemented.
- A full customer-visible audit trail for every change is not offered in the current product
Your responsibilities
- Use strong, unique passwords and limit operational access to people who need it.
- Remove or deactivate access for departed staff promptly.
- Do not share credentials or secrets in support messages or chat.
- Review AI-assisted and operational outputs before relying on them in the field or with customers.
- Keep your organisation’s role assignments and site scope accurate as your workforce changes.
Incident response
If you suspect unauthorised access or a data incident affecting your organisation, contact us as soon as practical via Contact.
Include relevant timestamps, affected users, and what you observed. We will investigate and coordinate remediation with you as appropriate.
This is an operational commitment, not an SLA-backed security service unless separately agreed in writing.
Related documents
For enterprise data-processing terms, contact us via Contact.