Your data. Protected.
SkilledOS, Inc., a wholly-owned subsidiary of Connective Technologies, Inc., is built for field service businesses that handle sensitive customer and operational data every day. Trust isn’t optional — it’s foundational to everything we build.
Last reviewed: March 14, 2026
How We Protect Your Data
Security is built into every layer of our platform — from the code we write to the infrastructure we run on.
Encryption
All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption across our database and storage infrastructure.
Access Controls
Role-based access control (RBAC) limits data access to only those who need it. Multi-factor authentication is available for all accounts.
Infrastructure
Hosted on Supabase (PostgreSQL), deployed on SOC 2-certified cloud infrastructure with automated backups and geographic redundancy.
Monitoring
Continuous security monitoring, anomaly detection, and vulnerability scanning run 24/7 to identify and respond to threats in real time.
Internal Access
SkilledOS employees undergo background checks and receive security training. Access to production customer data is strictly controlled and logged.
Incident Response
We maintain a formal incident response plan. In the event of a data breach, we will notify affected customers within 72 hours as required by law.
Compliance & Certifications
We work continuously to meet the regulatory and compliance requirements that matter most to our customers and their clients.
CCPA / CPRA Compliant
ActiveCalifornia Consumer Privacy Act compliance for all California residents.
GDPR Ready
ActiveData Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) available upon request for EU/UK customers.
SOC 2 Type II (In Progress)
In ProgressAudit engagement initiated Q1 2026. Expected completion: Q3 2026. Our infrastructure providers are SOC 2 certified.
PCI DSS
ActivePayment card data is handled exclusively by Stripe, a PCI DSS Level 1 certified provider. SkilledOS never stores raw card data.
Our Data Practices
Data Ownership
Your data is yours. SkilledOS does not claim ownership of any Customer Data you create, upload, or generate in the platform. You retain full ownership at all times, and you can export your data at any time.
No Data Selling
SkilledOS does not sell, rent, or broker your personal information or Customer Data to any third party. Full stop.
AI Data Use
SkilledOS will not use your Customer Data to train third-party AI foundation models without your explicit written consent. AI outputs are generated for your benefit and do not become training data for others.
Data Retention & Deletion
When you cancel your subscription, your data remains available for export for 30 days, after which it is securely deleted. You may request immediate deletion at any time by contacting our privacy team.
Data Residency
Primary data processing and storage occurs in the United States (AWS us-east-1 via Supabase). Backups are stored in geographically separated US regions. No Customer Data is intentionally stored outside the United States unless required by an applicable DPA.
Backups
Customer Data is backed up automatically on a daily basis with point-in-time recovery capabilities. Backups are encrypted and stored in geographically separate locations to ensure resilience.
Data Encryption
In Transit: TLS 1.2+ | At Rest: AES-256 | Passwords: Bcrypt | Backups: Encrypted | PII Fields: Field-level encryption where applicable.
Business Continuity
SkilledOS maintains a business continuity and disaster recovery plan tested annually. RPO: 24 hours | RTO: 4 hours.
Penetration Testing
SkilledOS conducts third-party penetration testing on at least an annual basis. Results are available to enterprise customers under NDA upon request.
Vulnerability Management
We conduct regular code security reviews and dependency audits. Security researchers can report vulnerabilities responsibly via our Responsible Disclosure Program.
Sub-Processors
We believe in full transparency about the third-party vendors we use to deliver the Services. All sub-processors are bound by contractual data protection obligations consistent with our Privacy Policy.
This list is reviewed and updated quarterly. Last updated: March 14, 2026.
Responsible Disclosure Program
We welcome security research from the community. Please report vulnerabilities responsibly through our coordinated disclosure process.
Program Scope
This program covers skilledos.co, app.skilledos.co, and all associated API endpoints and infrastructure.
Qualifying Vulnerabilities
XSS, CSRF, SQL injection, authentication bypass, unauthorized data access, encryption weaknesses, and other security flaws that could impact confidentiality, integrity, or availability.
Non-Qualifying Activities
Social engineering, phishing, DDoS attacks, physical security attacks, testing against third-party services, and automated scanning without explicit authorization.
How to Report
Send detailed reports to security@skilledos.co. PGP key available upon request.
Response SLAs & Safe Harbor
Acknowledgment: Within 2 business days
Initial Assessment: Within 5 business days
Safe Harbor: SkilledOS will not pursue legal action against good-faith security researchers who report vulnerabilities in accordance with this program.
Enterprise & Compliance Requests
Need a Data Processing Agreement (DPA) for GDPR compliance? Conducting a vendor security review? Our team is ready to support your procurement and legal processes.
- GDPR-compliant Data Processing Agreements available
- Standard Contractual Clauses (SCCs) for EU/UK data transfers
- Security questionnaire support for enterprise procurement
- Custom BAA (Business Associate Agreements) for applicable customers
Contact our Security Team
For security inquiries, vulnerability reports, DPA requests, or compliance documentation, reach out directly.
Security Questionnaires: 10 business days
Operated by Connective Technologies, Inc.
Related legal documents: