§ — Security & Trust

Built for the teams you sell to.

Your calls are some of the most sensitive artifacts in your business — every name, number, objection, and unguarded moment is in there. Here's exactly how we protect them.

AES-256 at rest
TLS 1.3 in transit
Row-level isolation
SOC 2 Type II · In audit
No AI training on your data

Four principles.

Security is not a feature list — it's a set of commitments you can check against behavior. These four are the ones we'd want to see from a vendor handling our own sales calls.

§ 01

Your data is yours.

You own it, you control it, you can export or delete it in a click. We don't sell it, we don't train AI on it, we don't share it with anyone we haven't disclosed.

§ 02

Encrypt everything.

AES-256 at rest across every database and backup. TLS 1.3 in transit across every hop. Secrets in a managed vault with per-environment rotation.

§ 03

Least privilege.

Engineers don't have standing access to customer data. Production access is just-in-time, approved, logged, and time-boxed. MFA is required everywhere.

§ 04

Tell the truth.

If something breaks, you'll hear about it from us within 72 hours of confirmed impact — not from a news article. No spin, no lawyer-talk.

Compliance & Certifications.

SOC 2 Type II

Currently in audit. Expected completion Q2 2025. Annual audits verify our security controls meet industry standards for confidentiality, availability, and security.

GDPR Ready

Full data portability, right to deletion, consent management, and data processing agreements available for EU customers.

PIPEDA Compliant

As a Canadian company, we comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) requirements for data collection, use, and disclosure.

CCPA / CPRA

We honor California Consumer Privacy Act rights including access, deletion, and opt-out requests.

Incident Response.

If a security incident occurs, here's what happens:

< 1 hour

Detection

Automated monitoring alerts our security team of potential incidents.

< 4 hours

Containment

Affected systems isolated. Initial assessment completed. Response plan activated.

< 72 hours

Notification

Affected customers notified with details on impact, actions taken, and recommended steps.

< 30 days

Post-Mortem

Root cause analysis, remediation steps, and preventive measures shared with affected customers.

Responsible Disclosure.

Found a security vulnerability? We want to hear about it.

How to Report

Report Vulnerabilities

Email security@oneclickcoaching.com with:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
Our Commitment

Safe Harbor

We will not pursue legal action against researchers who:

  • Report in good faith
  • Don't access customer data
  • Give us time to fix before disclosure