PrimeBase is live · Visit primebase.ioVIVIDSPHERE LLP  ·  SHIPPING SINCE 2020
Get in touch
Home/Trust/Security
Trust & security

Your business, defended like it's our own.

Encryption in transit and at rest, strict workspace isolation, role-based access for your team, and a real human on the other end of contact@vividsphere.co. The boring stuff, done right — across PrimeBase and Pocket CRM.

See how it works Email security
TLS 1.3 in transitAES-256 at restWorkspace-isolated · row-level securityGoogle Cloud · USNo AI training on customer content
01 — Our four commitments

The promises we put in writing.

Short list. No marketing fluff. Every line below describes something running in production today, not a roadmap.

C/01

Encrypted everywhere.

TLS 1.3 in transit. AES-256 at rest on Google Cloud Platform with envelope encryption managed by the cloud provider.

C/02

Workspace isolation.

Every record carries a workspace ID. Postgres row-level security enforces it on every read and write — not in app code, in the database.

C/03

Role-based access.

Custom roles, granular permissions, and access rules. Your admins decide who can see and do what inside the workspace.

C/04

Honest about incidents.

If a security incident affects your data, we tell you — directly, by email, with what happened and what to do.

02 — Architecture

Five layers of defense, one source of truth.

Defense-in-depth, designed so a failure at any single layer doesn't compromise the whole. Here's what each layer looks like in production today.

Layer 01 / 05

Transport

TLS 1.3 with modern cipher suites.
  • HTTPS-only across the product, the API, the portal, and every public form.
  • TLS 1.0 / 1.1 disabled. HSTS sent on responses to discourage downgrade.
  • Strict transport headers and certificate pinning on mobile apps where supported.
Layer 02 / 05

Application

Workspace isolation enforced at the database.
  • Every record carries a tenant ID. Postgres row-level security policies block cross-tenant reads and writes.
  • Every API endpoint declares the permission it requires; calls without it are rejected before they reach business logic.
  • Public-facing forms are protected by a CAPTCHA challenge and a honeypot trap to block automated submissions.
  • Standard security headers (CSP, X-Frame-Options, SameSite cookies). Code reviewed before merge.
Layer 03 / 05

Data layer

AES-256 at rest, plus application-layer encryption for sensitive fields.
  • Database, storage, and backups are encrypted at rest by Google Cloud Platform.
  • Sensitive identifiers and authentication tokens are additionally encrypted at the application layer with AES-256-GCM before they hit the database.
  • Access codes on shared links are stored as one-way hashes with brute-force lockout after repeated failed attempts.
  • Daily encrypted backups with point-in-time recovery configured at the database layer.
Layer 04 / 05

Identity

Email + password, with passwordless OTP.
  • Passwords hashed with industry-standard algorithms. Passwordless email OTP supported.
  • Custom roles & permissions — restrict who can see and do what inside the workspace.
  • Access rules let admins scope users to their own records, assigned records, or specific tags per module.
  • Session tokens are short-lived and revocable; logging out invalidates them server-side.
Layer 05 / 05

Operations

A small team, careful defaults.
  • Production access limited to a small number of engineers. Database access is logged by the platform.
  • Application secrets stored in Google Cloud Secret Manager with IAM-scoped access — no credentials in code, no shared logins.
  • Daily encrypted backups handled by Google Cloud Platform. Restore procedures tested when changes warrant it.
  • We aim to respond to security reports sent to contact@vividsphere.co within one business day.
03 — Visibility

A per-record audit trail.

Every record in PrimeBase carries who created it, who last updated it, and when — across CRM, projects, accounting, documents, and inventory. Customer-facing activity flows into a dedicated feed for sales and field work.

01

Created-by and updated-by tracked on every record across modules.

02

Customer activity feed for visits, calls, notes, and route stops.

03

Workspace-scoped — activity is isolated to your tenant by row-level security.

04

CSV export of customers and inventory batches is self-serve for admins.

05

Authentication events (sign-in, OTP requests, integration connect/disconnect) are recorded per-workspace.

04 — Hosting

Where your data lives.

Our products are hosted on Google Cloud Platform in the United States. Your workspace data is encrypted at rest, backed up daily, and isolated from every other customer by row-level security.

Cloud providerGoogle Cloud Platform

Compute, storage, and managed Postgres run on GCP in the United States.

Data protectionAES-256 + RLS

Encryption at rest on every layer; Postgres row-level security enforces workspace isolation.

BackupsDaily, encrypted

Rolling encrypted backups handled by Google Cloud. Point-in-time recovery configured at the database layer.

Company & adminVividSphere LLP · India

Operated by VividSphere LLP, Bangalore. Administrative access from India; production data resides in the US.

Have a hosting question? Email contact@vividsphere.co and a real engineer will answer — backup details, retention, or anything else your security team needs to know.

05 — Incident response

If something goes wrong.

A real engineer reads contact@vividsphere.co. If a security incident affects your workspace, we tell you directly — what happened, what to check on your side, and what we're doing to fix it.

1

Detect

Platform alerts and customer reports surface anomalies to our engineering team.

2

Investigate

On receipt, an engineer triages scope: which workspaces, which data, what the suspected cause is.

3

Contain

If confirmed, affected services are isolated and suspect sessions or credentials are revoked.

4

Notify

If your workspace data is impacted, we email your admin(s) directly — what happened, what to check, what we're doing.

5

Fix & learn

Root cause fixed in production. We write up what changed and what to watch for, and share it with affected customers.

Responsible disclosure
Found a vulnerability? Email us directly.

Researchers acting in good faith are welcome — we'll acknowledge your finding, work with you on the fix, and credit you publicly if you'd like. We don't yet run a paid bounty program.

Email contact@vividsphere.co
Security isn't a feature you ship — it's the floor you keep raising. We build like we're the customer.
— Engineering Charter, VividSphere
06 — Customer controls

The keys are yours.

Most "security" pages list what the vendor does. Here's what you get to do, the moment you sign up.

CTL/01

Custom roles & permissions

Build custom roles. Grant per-module, per-action access — restrict who can see and do what in your workspace.

CTL/02

Access rules

Scope users (or roles) to their own records, assigned records, or specific tags — per module. Set by your admins.

CTL/03

Passwordless OTP login

Sign in with a one-time code sent to email — no shared password to phish. Password-based login is also available for users who prefer it.

CTL/04

Self-serve CSV exports

Admins can export customers and inventory batches as CSV without a support ticket. More entities are on the roadmap.

CTL/05

Workspace data isolation

Every record carries a workspace ID. Postgres row-level security blocks cross-tenant access at the database layer.

CTL/06

Account closure

Workspace admins can close their workspace from in-product settings. Data deletion completes within 30 days; we confirm by email.

07 — Common questions

The questions security teams actually ask.

If you don't see yours, email contact@vividsphere.co — a real engineer replies.

Do you train AI models on our data?
No. Customer content in your workspace is not used to train VividSphere models or models from any third-party AI provider. We only use AI providers in pass-through mode for product features you opt into, and we select providers whose terms forbid training on customer prompts.
Where is our data stored?
Production data lives on Google Cloud Platform in the United States. Backups stay encrypted within Google's infrastructure. VividSphere LLP, which operates the products, is based in Bangalore, India — administrative access originates from there.
How is my data isolated from other customers?
Every record carries a workspace ID. Postgres row-level security policies enforce that ID on every read and write at the database layer — not just in application code. Even if a query were written wrong, the database would still refuse to return another tenant's rows.
Do you have a sub-processor list?
Yes — we maintain a list of the vetted vendors that handle parts of the Service (cloud hosting, transactional email, error monitoring, analytics). It's not yet self-serve on the site; email contact@vividsphere.co and we'll send the current list.
Can I delete my data permanently?
Yes. Workspace admins can close their workspace from in-product settings, or you can email contact@vividsphere.co. Hard deletion completes within 30 days; backups roll off on their normal rotation. We confirm completion in writing.
How do you handle law-enforcement requests?
We comply only with valid legal process. Before disclosing customer content in response to a subpoena, court order, or government request, we'll notify you so you can challenge it — unless we're legally prohibited from doing so, or there's an imminent risk to life.
Are you SOC 2 or ISO 27001 certified?
Not today. We don't hold formal third-party certifications, and we'd rather say so plainly than imply otherwise. The technical controls described on this page — encryption, workspace isolation, role-based access, encrypted backups, secret management — are the same controls those frameworks would audit. If formal certification is a hard procurement requirement for you, write to us and tell us; that helps us prioritise.
What about Pocket CRM data on a stolen device?
Pocket CRM stores account data on the device under the OS's standard app-data sandbox (iOS keychain / Android keystore for credentials). On a lost device, signing out remotely from another session invalidates the device's tokens server-side; the next sync attempt fails. We can also revoke a session on request.
Got more to ask

Talk to a real human, not a portal.

Send your security questionnaire or ask anything about how we handle your data. A real engineer reads contact@vividsphere.co — no sales rep in the middle.

Email security Privacy policy
Security & data requests
VividSphere LLP
L-148, 5th Main Road, Sector 6
HSR Layout, Bangalore - 560102
Karnataka, India