Your data never leaves the vault.
WaterDuty is SOC 2 compliant and built on a zero-compromise security architecture. Utility credentials and property data are encrypted in transit and at rest, stored exclusively on our servers, never exposed to the client, and never sold to third parties.
Bank-grade security for every property.
Whether you manage 5 properties or 500, your data receives the same level of protection used by financial institutions.
Encrypted in transit
All communication between your browser and our servers is secured with TLS 1.3 encryption. No data travels unprotected — ever.
Encrypted at rest
Data lives in Google Cloud SQL for Postgres with AES-256 encryption at rest. Even in the unlikely event of a physical breach, your information stays unreadable.
Encrypted credentials
Utility credentials are encrypted with a Fernet symmetric key held in Google Cloud Secret Manager. The plaintext only exists in process memory when our scraper needs it to talk to your utility.
Secure authentication
Sign-in is powered by Google Identity Platform (Firebase Auth) with Google-managed token issuance, session refresh, and row-level security policies on every database table.
Server-side only
Sensitive data is processed and stored exclusively on our servers. Utility credentials and raw usage data never touch the browser.
Privacy first
We never sell, share, or monetize your data. Property information and usage records are used solely to power your leak alerts.
How your credentials are handled.
From the moment you connect a utility provider to every scheduled data fetch, your credentials follow a strict security pipeline.
- STEP 01
Encrypted transmission
When you enter your utility credentials, they are transmitted over TLS 1.3 directly to our servers. The raw credentials are never stored in your browser, local storage, cookies, or any client-side cache.
- STEP 02
Encrypted at rest
Credentials are immediately encrypted with a Fernet symmetric key — the encryption key itself lives in Google Cloud Secret Manager, not in the database. Even an attacker with full database access cannot decrypt your utility password.
- STEP 03
Server-side data fetching
Our backend services decrypt credentials in memory only when scheduled to fetch your water usage data. The plaintext is held briefly during the scrape and never written to logs or temporary files.
- STEP 04
Row-level security
Every database table enforces Postgres row-level security (RLS) policies. The application connects as a NOBYPASSRLS role, so users can only access their own properties, meters, and usage data. Cross-account data access is prevented at the database level.
What we promise.
We never sell your data
Your water usage data, property details, and personal information are never shared with, sold to, or accessible by third parties. Period.
Transparent incident response
In the unlikely event of a security incident, we commit to notifying affected users promptly and transparently with full disclosure of impact and remediation steps.
Data deletion on request
You can request complete deletion of your account, credentials, and all associated data at any time by contacting info@water-duty.com.
Questions about security?
We take security seriously and are happy to answer any questions about how we protect your data and your properties.