Security at Extrua

• All traffic is encrypted in transit with HTTPS/TLS.
• Databases and file storage are encrypted at rest by our infrastructure providers.
• Integration credentials (OAuth tokens for Google, Meta, TikTok, accounting platforms and telephony) get an extra layer: application-level AES-256-GCM encryption, decrypted only server-side at the moment of use. They never reach a browser.

Every customer workspace is isolated with database row-level security: isolation is enforced by the database on every query, not just by application code. One business can never read another's records, and each workspace's files live under storage paths scoped to that workspace.

• Within a workspace, role-based access separates owners, admins and staff; staff see only what their role needs.
• Internal operational access is limited to the founder/developer and used for support and operations only.
• Payment card details are handled entirely by Stripe — they never touch our servers.

• Automated database backups on a rolling schedule.
• Independent off-site backups of database and file storage, so a failure of the primary provider doesn't mean data loss.
• Tested restore procedures and per-customer data export.

Extrua runs on established cloud providers — Vercel for the application layer and Supabase (PostgreSQL) for data — with webhook signature verification on every inbound integration (Stripe, Xero, telephony, email events) and secrets held in managed environment configuration, never in code.

We maintain an internal incident-response plan: contain (revoke and rotate affected credentials), assess scope (which workspaces and what data), remediate, and notify. If a breach affects your data we'll tell you without undue delay, with what we know and what we're doing about it, and we comply with the Australian Notifiable Data Breaches scheme where it applies.

Found a vulnerability? Please report it to hello@extrua.com.au with enough detail to reproduce it. We'll acknowledge promptly, keep you updated, and won't take action against good-faith research that avoids accessing other customers' data or disrupting the service.