Security

Last updated July 11, 2026

Our approach

PestMetrics exists because operators trust us with their numbers: revenue, payroll hours, customer balances, and the API keys to the systems that hold them. Protecting that data is not a compliance checkbox for us, it is the product.

We align our controls with the SOC 2 trust principles. A formal SOC 2 Type 2 audit is on our roadmap and will be pursued when a customer requires it; this page describes what we actually do today.

Encryption

All traffic is encrypted in transit with TLS, between your browser and us and between us and every system we connect to.

Your integration credentials (FieldRoutes, Everee, Google) are encrypted at rest with AES-256-GCM. Each ciphertext is cryptographically bound to your company and integration, so an encrypted credential can never be replayed against another account. The encryption key is held outside the database, so a database compromise alone cannot expose credentials.

Passwords are stored only as salted bcrypt hashes, never in plain text, and never appear in logs.

Tenant isolation

PestMetrics is multi-tenant with hard isolation: every database query is scoped to your company. One customer’s data is never visible to, or computed alongside, another’s. Each company syncs with its own API credentials and its own rate budget.

Access control

Inside your account, access is role-based (Admin, Manager, Viewer), with optional per-user restrictions down to specific branches and specific pages.

  • Sessions are signed tokens that expire after 7 days and can be revoked immediately: logging out revokes the session, and a password change or account deactivation invalidates every outstanding session on every device.
  • New accounts verify their email before they can sign in. Invited users receive a temporary password and must choose their own on first login.
  • Passwords require 12+ characters with mixed case, a number, and a symbol.
  • Sign-in, password reset, and verification endpoints are rate-limited to block credential stuffing and token guessing.

Administrative actions are recorded in an audit trail.

Your API keys

The FieldRoutes and Everee keys you paste are used for exactly one thing: calling those systems on your behalf. They are never logged, never displayed back after saving, and never leave our servers except in requests to the system they belong to. Connection tests run server-side.

Where you use write-back features, writes are narrow, individually audit-logged, and only happen on a human’s explicit confirmation. AI features suggest; deterministic code writes; you confirm.

Monitoring and reliability

The platform monitors itself and tells us when something is wrong: sync failures, data drift, and process crashes alert the operator within minutes. Every sync run is logged and inspectable.

Nightly self-tests reconcile our stored numbers against your source system and flag any drift. Loud when wrong, silent when right: if our numbers stop matching your system of record, we want you and us to know before you notice.

Backups and your data

The production database is managed PostgreSQL with automated backups. You can export your data at any time (CSV, Excel, PDF). You own your data: if you leave, we delete it on request. We never sell it, never use it for advertising, and never use one customer’s data to benefit another in identifiable form.

Incident response

If a security incident affects your data, we will notify you promptly with what happened, what data was involved, and what we did about it. Report anything suspicious to security@pest-metrics.com.

Subprocessors

We run on a small set of infrastructure providers, each with its own independent security compliance program (including SOC 2):

  • Render: application hosting and database.
  • Vercel: web interface hosting.
  • Stripe: payments. We never see or store card numbers.
  • Resend: transactional email (invites, password resets, alerts).
  • Anthropic: powers the AI analyst. Your data is not used to train AI models.
  • Google: only if you connect review ratings.

Responsible disclosure

Found a vulnerability? Email security@pest-metrics.com. We read every report, respond quickly, and will never take legal action against good-faith security research.

Security questions from your diligence team? security@pest-metrics.com