Security & Data Handling
Plain-English explanation of how DuePilot protects your data.
Authentication & access control
DuePilot uses session-based authentication with HTTP-only cookies. This means:
- Your session token is not accessible to JavaScript (protection against XSS attacks)
- Sessions expire after a period of inactivity
- Logging out immediately invalidates your session
Role-based access control ensures that team members only see data they're authorized to access. Admin users have additional permissions for approvals and audit trail review.
Password security
Password storage
Passwords are hashed before storage. We never store plain-text passwords. Even DuePilot administrators cannot see your password.
Password reset
Password reset tokens are single-use and expire after 60 minutes. Reset links are sent via email and cannot be reused once a password is changed.
Email verification
Email verification tokens are single-use and expire after 7 days. You can log in with an unverified email, but certain features may be limited.
Audit trails
Every action in DuePilot is logged. This includes:
- User login and logout events
- Timesheet creation, submission, and approval
- Project creation and modification
- Invoice generation
- Password reset requests
- Email verification events
Each audit event includes a timestamp, user ID, organization ID, and a unique request ID for tracing. Admin users can review the full audit trail for compliance and dispute resolution.
Data ownership
Your data belongs to you
DuePilot does not claim ownership of any data you enter. You retain all rights to your timesheets, projects, invoices, and related data.
You can export your data at any time in standard formats (CSV, JSON). We will never sell or share your data with third parties for marketing purposes.
Data deletion policy
You can delete your account and all associated data at any time:
- Account deletion requests are processed within 30 days
- All timesheets, projects, invoices, and user data are permanently deleted
- Audit logs may be retained for compliance purposes (typically 90 days)
- Backup copies are removed from all systems
To request account deletion, contact support@duepilot.com. We will confirm the request and provide a timeline for completion.
Backups & recovery
Regular backups
DuePilot data is backed up daily. Backups are encrypted and stored in geographically distributed locations.
Disaster recovery
In the event of a system failure, we can restore data from backups. Recovery time objectives (RTO) and recovery point objectives (RPO) depend on the severity of the incident.
Data integrity
Backups are tested regularly to ensure they can be restored successfully. Checksums verify data integrity during backup and recovery processes.
Billing safety
DuePilot supports multiple billing options to give you control:
Stripe & PayPal (optional)
If you choose to use Stripe or PayPal, we do not store your credit card information. Payment data is handled directly by these third-party processors, which are PCI DSS compliant.
Manual billing fallback
You can always use manual billing (invoices sent outside DuePilot). This means you're never locked into a payment processor you don't trust.
No surprises
We don't charge automatically without warning. You'll always know what you're paying for and when. Cancel anytime with one click.
Infrastructure & hosting
DuePilot is hosted on cloud infrastructure with:
- Encryption in transit (HTTPS/TLS 1.2+)
- Encryption at rest for databases
- Regular security patches and updates
- Network isolation between services
- Monitoring and alerting for anomalies
Compliance & privacy
GDPR (European users)
If you're in the EU, you have the right to access, correct, and delete your personal data. Contact us to exercise these rights.
Data residency
Data is stored in US-based data centers by default. EU data residency options may be available upon request.
Privacy policy
We do not sell or share your data with third parties for marketing. We use data only to provide and improve the DuePilot service.
Reporting security issues
Found a security vulnerability?
We take security seriously. If you discover a vulnerability, please report it responsibly.
Email: security@duepilot.com
Please do not disclose vulnerabilities publicly until we've had a chance to address them. We'll work with you to understand and fix the issue promptly.
Questions about security?
Contact our support team for more information about our security practices.