Trust Center
Last updated: 2026-07-08. This page reflects our actual production security and privacy controls — not marketing claims we do not implement.
Security Practices
HTTPS, revocable server-side admin sessions (8-hour expiry), TOTP two-factor authentication for admin login, signed expiring invoice access links (90 days), Redis-backed rate limiting, CSRF protection on mutations, honeypot spam protection on quote forms, and Content Security Policy with nonces in production.
Data Protection
We collect only information needed to review quote requests, deliver services, and communicate about projects. Quote submissions record separate consent for Terms, Privacy, and contact with timestamps and policy version. Client data is stored in secured PostgreSQL infrastructure and is not sold to third parties.
Client Portal Authentication
Clients authenticate with quote reference number and email. On success, a secure HttpOnly session cookie is issued. Email addresses are not passed in URLs. Sessions expire after 7 days or on logout.
Invoice Access
Invoices are not accessible by invoice number alone. Each invoice uses a cryptographically signed, expiring access link. Invalid links return 404; expired links show a secure error without exposing data.
Infrastructure
Production systems use isolated deployment, restricted database access, and least-privilege administrative controls. Session and rate-limit data may use Redis. Email delivery uses Resend when configured.
Prohibited Projects
We do not provide illegal or harmful software, phishing or malware systems, spam tools, fake document services, unauthorized data collection, financial scam systems, or similar prohibited work. See our Acceptable Use Policy.
Contact for Security Questions
Email security@polktab.online or use our contact form.