Security & data handling

The product is built so it physically can't do the thing you're worried about.

Restoration is a vertical where one bad actor poisons the well for everyone. FireSignal is engineered to make the worst-case use of the product structurally impossible — not just AUP-prohibited.

No homeowner PII, ever

The properties table is schema-locked against owner names, owner mailing addresses, and phone numbers. The TCAD bulk parser drops those fields at parse stage; they never reach the database. A CI test (tests/test_no_owner_pii.sql) blocks any deploy that tries to add one back.

Tenancy isolation via RLS

Every customer-scoped table — subscribers, alerts, territories, webhook deliveries — has Postgres Row Level Security policies that reduce the trust boundary to the database engine itself. A bug in the application layer cannot leak another tenant's data.

Append-only TCPA consent log

Every opt-in is written to an append-only ledger with the exact consent text version, IP, user agent, timestamp, and the phone number consenting. We can produce the exact record any regulator or carrier might ask for, including the consent text shown at the time.

Defense-in-depth synthetic isolation

The 15-minute synthetic monitoring probe is kept out of real customer territories by four independent guards: origin flag on the incident row, geofenced bbox the territory tool refuses to overlap, phone allowlist on the Twilio wrapper, and a routing assertion that quarantines any cross-leak.

Encryption at rest and in transit

All data is encrypted at rest in Supabase (AES-256) and in transit (TLS 1.2+). Static assets are served over HTTPS with HSTS. Database credentials are scoped per environment; no shared service-role keys.

Webhook delivery is signed

Outbound webhooks are signed with HMAC-SHA256 over the request body. Signatures are tied to a rotatable per-destination secret you control. We retry with exponential backoff and surface every delivery attempt in the dashboard.
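How a receiving endpoint can check that signature, as an added example (not FireSignal's own code): it recomputes HMAC-SHA256 over the raw body, compares in constant time, and accepts either the current or the previous secret so a rotation does not drop deliveries. The header name, hex encoding, secrets and payload are assumptions, since the page does not specify them.

```python
import hmac
import hashlib
import json

# Assumed header name and encoding; the page states only HMAC-SHA256 over
# the request body with a per-destination secret, not the header layout.
SIGNATURE_HEADER = "X-FireSignal-Signature"


def sign_body(body: bytes, secret: bytes) -> str:
    """Sender side: hex-encoded HMAC-SHA256 over the raw request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(body: bytes, headers: dict, secrets: list) -> bool:
    """Receiver side: True only if the presented signature matches one of
    the candidate secrets. Passing [new, previous] during a rotation lets
    in-flight deliveries signed under the old secret still verify.
    Always verify the raw bytes as received; re-serialising parsed JSON
    can change whitespace or key order and break the HMAC."""
    presented = headers.get(SIGNATURE_HEADER)
    if not presented:
        return False
    for secret in secrets:
        expected = sign_body(body, secret)
        # compare_digest is constant-time, so response timing does not
        # leak how many leading bytes of a guessed signature were correct.
        if hmac.compare_digest(expected, presented):
            return True
    return False


# Constructed sample delivery and secrets (not real FireSignal values)
CURRENT_SECRET = b"whsec_current_example"
OLD_SECRET = b"whsec_previous_example"
SAMPLE_BODY = json.dumps({"event": "alert.created", "incident_id": "demo-123"}).encode()


def demo() -> dict:
    good = {SIGNATURE_HEADER: sign_body(SAMPLE_BODY, CURRENT_SECRET)}
    old = {SIGNATURE_HEADER: sign_body(SAMPLE_BODY, OLD_SECRET)}
    tampered = SAMPLE_BODY.replace(b"demo-123", b"demo-999")
    return {
        "valid": verify_webhook(SAMPLE_BODY, good, [CURRENT_SECRET, OLD_SECRET]),
        "old_secret_during_rotation": verify_webhook(SAMPLE_BODY, old, [CURRENT_SECRET, OLD_SECRET]),
        "old_secret_after_rotation": verify_webhook(SAMPLE_BODY, old, [CURRENT_SECRET]),
        "tampered_body": verify_webhook(tampered, good, [CURRENT_SECRET, OLD_SECRET]),
        "missing_header": verify_webhook(SAMPLE_BODY, {}, [CURRENT_SECRET]),
    }


if __name__ == "__main__":
    print(demo())
```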

If something goes wrong

Written runbooks. 60-day breach commitment. Real response.

Breach notification (Tex. Bus. & Com. Code Ch. 521)

A written runbook governs the discovery → triage → notification workflow within the 60-day clock Texas law requires. Affected individuals get a Ch. 521-conforming notice; if 250+ Texans are affected, the AG is notified inside the same window. Hiscox/Vouch coordination is built into the runbook.

Subpoena and law-enforcement requests

Subpoenas and warrants get an independent callback verification before any production. Subscribers are notified unless the request includes a valid gag order. Data is produced minimally — only what's specified in scope — with metadata preserved and a chain-of-custody manifest with hashes.

Complaint handling

Intake at /complaint with 24-hour acknowledgement. Investigations follow a warning → suspension → termination workflow with a 7-day appeal window. Press inquiries get a dedicated template that protects subscriber privacy.

Vulnerability disclosure

Found a vulnerability? Email security@getfiresignal.com. We don't run a paid bounty yet, but we acknowledge every report within 48 hours and we credit researchers (with your permission) in the resolution post on the status page.

Please don't test against the live system without coordination — we'll happily spin up a staging environment for you. No legal action will be taken against good-faith research conducted within the disclosure policy.

Want the longer story?

Read the runbooks, the spec, and the open-source CI policy on GitHub — or just start the trial.