WrenchDay Security Statement

Customer-facing summary of authentication, access control, payment integrity, infrastructure responsibilities, and incident response.

1. Security program overview

WrenchDay is designed to protect shop operations, customer records, vehicle records, repair orders, invoices, payments metadata, communications, and mechanic access through layered application and provider controls.

2. Access controls

WrenchDay separates shop-owner access, mechanic access, platform-admin access, public customer pages, and internal APIs. Private dashboard routes require authentication. Shop APIs derive the shop identity from authenticated session context. Mechanic routes are separated from owner routes.

Customers are responsible for using strong passwords, protecting devices, managing invited users, removing former staff, and limiting mechanic access to appropriate users.

3. Tenant isolation and payment protections

Shop data access is scoped by shop identity in API queries. Subscription-gated shop APIs require active or trialing subscription status. Unsafe API methods require same-origin checks where implemented.

Stripe webhooks use signature verification. Customer invoice paid status is confirmed through server-side Stripe checks and validates invoice identity, amount, currency, and connected-account context before marking an invoice paid.

4. Data protection and providers

WrenchDay relies on cloud and service providers for database, authentication, storage, email, SMS, payments, AI, hosting, monitoring, and related functions. Those providers maintain their own infrastructure controls.

Sensitive data should be limited to what is needed for repair-shop operations. Shops should avoid entering unnecessary sensitive information into notes, messages, photos, or templates.

5. Incident response

Suspected security incidents should be reported promptly. WrenchDay should investigate, contain, remediate, and notify affected customers or regulators where legally required.

This Security Statement is a summary and does not create a separate warranty, certification, or service-level commitment unless included in a signed agreement.