Security

At TurnShift, we take the security of your data seriously. This page provides an overview of how we protect your information.

Infrastructure

• Hosted on Vercel and AWS, both SOC 2 Type II certified
• All data encrypted at rest and in transit (TLS)
• Database hosted on AWS RDS PostgreSQL with encryption

Authentication

• Login via Slack OAuth 2.0 — no passwords stored
• Encrypted session cookies (AES-256)
• Organization-scoped data isolation

Slack integration

• Bot permissions limited to what's needed: channel read/write and user profiles
• No message content is read or stored
• Webhook signature verification on all incoming requests

Data we store

• Workspace metadata (team ID, name)
• User profiles (Slack user ID, display name, email, timezone, avatar)
• Shift schedules and bookings

Payments

All payment processing is handled by Stripe (PCI DSS Level 1). We never store card numbers or sensitive payment data.

Privacy

• Data stored in the United States (Vercel + AWS)
• GDPR-compliant — see our Privacy Policy
• Data deletion available on request via support@turnshift.app
• Analytics via Fathom (privacy-focused, no third-party trackers)

Questions?

If you have any security-related questions, please contact us at support@turnshift.app.