Security overview
Your staff records are sensitive. Here is, plainly, how CenterReady protects them.
Private document storage
Uploaded documents are stored in private buckets. They are served only through short-lived signed links created after a server-side permission check. There are no public files.
Tenant isolation
Every record belongs to your organization and is protected by database row-level security in addition to application checks. One center can never read another center's data.
Role-based access
Owners, directors, assistant directors, employees, and read-only reviewers each see exactly what their role allows. Employees see only their own records and can never approve their own uploads.
Careful token handling
Invitation links, secure upload links, and shared report links use random single-purpose tokens that expire and can be revoked. We store only hashes of these tokens.
Data minimization
CenterReady never collects Social Security numbers, complete criminal-history records, or any child or family records. Background screening is tracked as a status and dates only.
Audit trail
Sensitive actions — uploads, reviews, permission changes, report generation, exports — are recorded in an append-only audit log your administrators can review.
Infrastructure
CenterReady runs on Vercel and Supabase (PostgreSQL) with TLS encryption in transit and encryption at rest provided by our infrastructure providers. Payments are processed by Paddle; CenterReady never sees or stores full card numbers.
Honest boundaries
We do not claim certifications we do not hold. CenterReady is not SOC 2 certified at this time and is not approved or endorsed by any government agency. If a security question matters to your decision, ask us at security@centerready.app and we will answer directly.
Reporting a vulnerability
If you believe you have found a security issue, email security@centerready.app. We respond to good-faith reports and will not pursue researchers acting responsibly.