Security & privacy

Your data never leaves the vault.

WaterDuty is SOC 2 compliant and built on a zero-compromise security architecture. Utility credentials and property data are encrypted in transit and at rest, stored exclusively on our servers, never exposed to the client, and never sold to third parties.

SOC 2 compliantUS-region onlyTLS 1.3 · AES-256
How we protect you

Bank-grade security for every property.

Whether you manage 5 properties or 500, your data receives the same level of protection used by financial institutions.

Encrypted in transit

All communication between your browser and our servers is secured with TLS 1.3 encryption. No data travels unprotected — ever.

Encrypted at rest

Data lives in Google Cloud SQL for Postgres with AES-256 encryption at rest. Even in the unlikely event of a physical breach, your information stays unreadable.

Encrypted credentials

Utility credentials are encrypted with a Fernet symmetric key held in Google Cloud Secret Manager. The plaintext only exists in process memory when our scraper needs it to talk to your utility.

Secure authentication

Sign-in is powered by Google Identity Platform (Firebase Auth) with Google-managed token issuance, session refresh, and row-level security policies on every database table.

Server-side only

Sensitive data is processed and stored exclusively on our servers. Utility credentials and raw usage data never touch the browser.

Privacy first

We never sell, share, or monetize your data. Property information and usage records are used solely to power your leak alerts.

Under the hood

How your credentials are handled.

From the moment you connect a utility provider to every scheduled data fetch, your credentials follow a strict security pipeline.

  1. STEP 01

    Encrypted transmission

    When you enter your utility credentials, they are transmitted over TLS 1.3 directly to our servers. The raw credentials are never stored in your browser, local storage, cookies, or any client-side cache.

  2. STEP 02

    Encrypted at rest

    Credentials are immediately encrypted with a Fernet symmetric key — the encryption key itself lives in Google Cloud Secret Manager, not in the database. Even an attacker with full database access cannot decrypt your utility password.

  3. STEP 03

    Server-side data fetching

    Our backend services decrypt credentials in memory only when scheduled to fetch your water usage data. The plaintext is held briefly during the scrape and never written to logs or temporary files.

  4. STEP 04

    Row-level security

    Every database table enforces Postgres row-level security (RLS) policies. The application connects as a NOBYPASSRLS role, so users can only access their own properties, meters, and usage data. Cross-account data access is prevented at the database level.

Our commitments

What we promise.

We never sell your data

Your water usage data, property details, and personal information are never shared with, sold to, or accessible by third parties. Period.

Transparent incident response

In the unlikely event of a security incident, we commit to notifying affected users promptly and transparently with full disclosure of impact and remediation steps.

Data deletion on request

You can request complete deletion of your account, credentials, and all associated data at any time by contacting info@water-duty.com.

Questions about security?

We take security seriously and are happy to answer any questions about how we protect your data and your properties.