Skip to main content
Rostersmith

Trust & Security

Rostersmith is built with security-first principles. Your data is protected by enterprise-grade infrastructure, strict access controls and complete transparency.

Data Protection

  • Complete data isolation between organisations. Each tenant operates in its own secured environment.
  • All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Database hosted on Neon PostgreSQL in EU data centres (Frankfurt)
  • Automated daily backups with point-in-time recovery
  • Your data is never shared with other tenants or third parties

Authentication & Access Control

  • Enterprise-grade authentication powered by Clerk
  • Multi-factor authentication (MFA) available for all users
  • Single sign-on (SSO) via Google and Apple
  • Role-based access control: Admin, Manager and Practitioner
  • Each role sees only what they need. Practitioners cannot access admin functions.
  • Session management with automatic timeout

Audit & Accountability

  • Every action is logged: who changed what, when, old value, new value and reason
  • Per-roster and global audit views with search and filtering
  • CSV export of audit trails for compliance reporting
  • Roster version history: every re-solve creates a new version, nothing is overwritten
  • Pre-publish validation ensures constraint compliance before staff see the roster

POPIA Compliance

  • Rostersmith is designed to align with the Protection of Personal Information Act (POPIA)
  • We collect only the minimum data necessary to provide the scheduling service
  • Personal information is processed lawfully and for the specific purpose of roster generation
  • Data subjects have the right to access, correct and request deletion of their information
  • Our privacy policy details all data processing activities
Read our Privacy Policy

Infrastructure

  • Application hosted on Vercel (global edge network, automatic failover)
  • Database on Neon PostgreSQL (EU Frankfurt region)
  • Authentication via Clerk (SOC 2 Type II certified)
  • Constraint solver on Railway (isolated compute, no data persistence)
  • All services connected via encrypted channels
  • 99.9% uptime target

Responsible Disclosure

If you discover a security vulnerability, please contact us at rostersmith@twistedtoast.com.

We take all reports seriously and will respond within 48 hours.

Have security questions? We're happy to discuss your specific requirements.

Contact Us