SuperAuditor

Security & Privacy

Your GHL billing data is sensitive. Here's exactly how we protect it -- no marketing fluff, just the technical reality.

Encryption in Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS). This includes billing data uploads, API calls, OAuth token exchanges, and every dashboard interaction.

Encryption at Rest

Your data is stored on infrastructure that encrypts it at the storage layer with AES-256. Your billing records, call logs, and audit results are therefore encrypted on disk, which protects against theft or improper disposal of the underlying storage media. It is worth being precise about what this does not cover: an attacker who gains access to a running server, or to the application's database credentials, reads data through the same decrypting storage layer the application does. That threat is addressed by the access controls described below -- not by encryption at rest.

Tenant Isolation & Row-Level Security

Every table that holds customer data has Row-Level Security (RLS) policies enabled. A user's queries return only rows belonging to their own company, and that filter is applied by the database on each query -- not just in application code -- so a bug in the application cannot widen it. The only roles that can bypass RLS are the privileged server-side roles, which are never exposed to the browser.

OAuth Token Isolation

Your GoHighLevel OAuth credentials (access tokens and refresh tokens) are stored in a restricted table that is invisible to client-side queries. Only server-side functions with elevated privileges can access these tokens -- they never touch your browser.

Authentication & Access Control

Every API request carries a signed JWT. Edge functions verify the token's signature and expiry, then confirm that the caller belongs to the company whose data is being requested, before processing the request. Expired or inactive accounts are blocked at the database level -- not just the UI -- so a request that slips past the application layer still returns no data.

Plan-Based Access Gating

When a trial expires, data access is restricted server-side through RLS policies. Even if someone bypassed the frontend, the database itself would reject their queries. This ensures billing data is never exposed to unauthorized users.
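How tenant isolation, token isolation, database-level account blocking and plan gating fit together in PostgreSQL, as an added illustration that is not SuperAuditor's own schema: the table layout, the role names `authenticated` (client queries) and `service_role` (server-side), the plan status values, and the convention of reading the verified JWT subject from a transaction-local `request.jwt.claims` setting are all assumptions made for this example.

```sql
-- Added illustration (not SuperAuditor's schema). Assumed: the API runs client
-- queries as role "authenticated" after verifying the caller's JWT and placing
-- its claims in the transaction-local setting request.jwt.claims; server-side
-- code runs as "service_role". Table and column names are made up.

create role authenticated nologin;
create role service_role nologin bypassrls;   -- privileged, server-side only

create table companies (
  id            uuid primary key,
  plan_status   text not null
                check (plan_status in ('trial', 'active', 'expired', 'inactive')),
  trial_ends_at timestamptz
);

create table company_members (
  user_id    uuid not null,
  company_id uuid not null references companies (id),
  primary key (user_id, company_id)
);

create table billing_records (
  id           bigserial primary key,
  company_id   uuid not null references companies (id),
  amount_cents bigint not null,
  occurred_at  timestamptz not null
);

create table ghl_oauth_tokens (
  company_id    uuid primary key references companies (id),
  access_token  text not null,
  refresh_token text not null,
  expires_at    timestamptz not null
);

-- Caller identity comes from the verified JWT, never from a request parameter.
-- Returns NULL when no claims are set, so every policy below evaluates to false.
create function current_user_id() returns uuid
language sql stable as $$
  select (nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> 'sub')::uuid
$$;

-- True only if the caller belongs to the company and the plan is still usable.
-- security definer lets it read company_members without granting that table
-- to the client role.
create function can_access_company(target uuid) returns boolean
language sql stable security definer as $$
  select exists (
    select 1
    from company_members m
    join companies c on c.id = m.company_id
    where m.user_id = current_user_id()
      and m.company_id = target
      and (c.plan_status = 'active'
           or (c.plan_status = 'trial' and c.trial_ends_at > now()))
  )
$$;
revoke execute on function can_access_company(uuid) from public;
grant execute on function can_access_company(uuid) to authenticated;

-- Tenant isolation and plan gating on the data table.
alter table billing_records enable row level security;
alter table billing_records force row level security;   -- also binds the table owner

create policy billing_select on billing_records
  for select to authenticated using (can_access_company(company_id));
create policy billing_insert on billing_records
  for insert to authenticated with check (can_access_company(company_id));

grant select, insert on billing_records to authenticated;

-- Token isolation: RLS enabled with no policy and no grant for the client role,
-- so client queries are refused before any policy is even evaluated.
-- Only service_role (bypassrls) can read or refresh tokens.
alter table ghl_oauth_tokens enable row level security;
revoke all on ghl_oauth_tokens from public;
grant select, insert, update on ghl_oauth_tokens to service_role;

-- Check: impersonate a member of a company whose trial has expired, the way a
-- client request would look after the API verified its JWT.
begin;
set local role authenticated;
set local request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001"}';
select count(*) from billing_records;
select count(*) from ghl_oauth_tokens;
rollback;
```

In the closing check the first query returns a count of zero rather than an error, because RLS silently filters rows the policy rejects; the second fails outright with a permission error on `ghl_oauth_tokens`, since the client role has no grant on that table at all. That difference is deliberate: data tables should degrade to "nothing visible", while the token table should never be queryable from the client side in any state.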

A note on zero-knowledge encryption

SuperAuditor is not a zero-knowledge system. To calculate cost breakdowns, detect double-billing, run reconciliation, and generate smart alerts, our servers need to read and process your billing data. Zero-knowledge encryption would make all of these features impossible. Instead, we protect your data with encryption in transit and at rest, strict tenant isolation, and database-level access controls -- the same approach used by leading fintech and SaaS platforms.

Data practices

Have a security question? Contact our support team