Skip to main content
Polktab

Trust Center

Last updated: 2026-07-08. This page reflects our actual production security and privacy controls — not marketing claims we do not implement.

Security Practices

HTTPS, revocable server-side admin sessions (8-hour expiry), TOTP two-factor authentication for admin login, signed expiring invoice access links (90 days), Redis-backed rate limiting, CSRF protection on mutations, honeypot spam protection on quote forms, and Content Security Policy with nonces in production.

Data Protection

We collect only information needed to review quote requests, deliver services, and communicate about projects. Quote submissions record separate consent for Terms, Privacy, and contact with timestamps and policy version. Client data is stored in secured PostgreSQL infrastructure and is not sold to third parties.

Client Portal Authentication

Clients authenticate with quote reference number and email. On success, a secure HttpOnly session cookie is issued. Email addresses are not passed in URLs. Sessions expire after 7 days or on logout.

Invoice Access

Invoices are not accessible by invoice number alone. Each invoice uses a cryptographically signed, expiring access link. Invalid links return 404; expired links show a secure error without exposing data.

Infrastructure

Production systems use isolated deployment, restricted database access, and least-privilege administrative controls. Session and rate-limit data may use Redis. Email delivery uses Resend when configured.

Prohibited Projects

We do not provide illegal or harmful software, phishing or malware systems, spam tools, fake document services, unauthorized data collection, financial scam systems, or similar prohibited work. See our Acceptable Use Policy.

Contact for Security Questions

Email security@polktab.online or use our contact form.