Locate data has to be defensible. So is ours.
LocateOps is built around a tamper-evident audit trail, database-enforced tenant isolation, and outbound email locked to your own domains.
Row-Level Security on every table
Tenant isolation is enforced at the database layer with comprehensive Row-Level Security policies. Our RLS coverage has been audited across multiple hardening phases.
SECURITY DEFINER permission helpers
Permission checks are centralized in SECURITY DEFINER functions to prevent privilege escalation through user-defined queries.
Append-only audit log
Ticket history is enforced as append-only by database triggers — there is no application path to mutate or delete past events. Admin actions and permission changes are recorded separately.
Per-company outbound email security
Every company sends excavator and stakeholder notifications from its own sender. We require full SPF, DKIM, and DMARC alignment and lock sending to verified domains.
Hosted on modern infrastructure
Postgres on Supabase, edge runtime on Vercel. Encryption at rest and in transit on every layer.
7-year retention, full export
Locate records are retained for 7 years. Your data belongs to you — full export is available at any time, no vendor lock-in.
A note on certifications.
LocateOps is pre-revenue and in beta. We don't currently hold SOC 2 or ISO 27001 certifications, and we're not going to claim "compliance-ready" before we've earned it. We will share concrete details about our controls, audits, and data-handling on request.
Have a security question? Get in touch.