Security
Five controls hold across every tier. Each one is enforced by the system, not by review discipline alone.
Customer data is encrypted at rest by the managed database provider and encrypted in transit via TLS 1.2 or higher on every public endpoint. Encryption keys are managed by the provider; no raw key material lives in application code.
Roles are separated by least privilege: the service-role credential stays server-side and is never embedded in browser bundles. Operator access to production data is gated by SSO and short-lived sessions; routine reads do not require operator credentials at all.
A SOC 2 Type II audit is in progress, with target completion in Q4 2026. movó operates as a non-PHI service from day one. A Business Associate Agreement (BAA) is available on the Team tier for customers who need to bring PHI into scope; the Team tier also enables minute-level point-in-time recovery on the database.
A standard data-processing addendum (DPA) is available on request for customers subject to GDPR or comparable regimes.
Security researchers are welcome to send findings to security@movo.fricktionless.com. We acknowledge new reports within two business days and target a fix or mitigation timeline within ten business days for high-severity findings.
In the event of a confirmed security incident affecting customer data, we share a written incident report with affected paying customers within five business days, including scope, root cause, mitigations applied, and follow-up actions. The report cadence applies regardless of contract tier.
We turn around standard questionnaires within two business days. Reach our procurement contact for anything custom.