Security & Legal

Security information, terms, privacy, compliance.

Written By Victor Raessen

Last updated 4 days ago

Salesbuildr takes the security of your data seriously. This section covers our security practices, privacy policies, and legal documentation.

Authentication

Salesbuildr supports three authentication methods, configurable per tenant (see Platform & Pricing for admin settings):

Method               Description
Email and password   Standard email/password login
Google               OAuth-based sign-in with Google accounts
Microsoft            OAuth-based sign-in with Microsoft accounts

Admins can enable or disable each method at Admin > Platform > Authentication. At least one method must remain active.

Session management

Sessions automatically expire after a configurable timeout. Admins can set the timeout at Admin > Platform > Authentication:

  • 15 minutes, 30 minutes, 1 hour, 2 hours (default), 1 day, 1 week, 2 weeks

Domain restrictions

The MSP domains setting lets admins specify which email domains require an invitation to log in. Users with matching email domains cannot self-register — they must be explicitly invited by an admin.

Email verification

Users signing in via Google or Microsoft are automatically email-verified through the OAuth provider. Password-based users must verify their email before gaining full access.

Security headers

Salesbuildr enforces strict HTTP security headers on all responses:

Header                      Value
Strict-Transport-Security   max-age=15552000 (180 days)
X-Frame-Options             DENY
X-Content-Type-Options      nosniff
Referrer-Policy             strict-origin-when-cross-origin
Content-Security-Policy     Nonce-based script policy with strict-dynamic

The Content Security Policy uses a fresh cryptographic nonce per request to allow only authorized scripts. CSP violation reports are monitored by the security team.

Data protection

Encryption

  • In transit — all data is encrypted using TLS (HTTPS). HSTS headers enforce HTTPS connections
  • At rest — data is stored on enterprise-grade cloud infrastructure with provider-managed encryption at rest

Infrastructure

Salesbuildr runs on Google Cloud Platform infrastructure with Firebase for data storage and authentication. The platform operates across three geographic regions (EU, AU, US), each with independent data storage for data residency compliance.

Rate limiting

API requests are rate-limited to protect platform stability:

  • Public API — 500 requests per 10-minute rolling window per tenant
  • Frontend — IP-based and tenant-based rate limiting to prevent abuse
  • Rate limit stores are backed by Redis for consistent enforcement across application instances
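An added example, not Salesbuildr's implementation, of the sliding-window limit described above (500 requests per 10-minute rolling window per tenant) with a Retry-After hint. It keeps the per-tenant request log in an in-memory Map as a stand-in for the Redis sorted set a multi-instance deployment would use; the tenant header name and middleware shape are assumptions.

```javascript
// Sliding-window limiter: 500 requests per 10-minute rolling window per tenant.
// Production deployments keep the timestamp log in a Redis sorted set (ZADD / ZREMRANGEBYSCORE / ZCARD)
// so every application instance sees the same counts; the Map below stands in for that (assumption).
const WINDOW_MS = 10 * 60 * 1000;
const LIMIT = 500;

class SlidingWindowLimiter {
  constructor(limit = LIMIT, windowMs = WINDOW_MS) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.log = new Map(); // tenantId -> ascending array of request timestamps (ms)
  }

  // Returns { allowed, remaining, retryAfterSec }. `now` is injectable so the window can be tested.
  check(tenantId, now = Date.now()) {
    const cutoff = now - this.windowMs;
    let stamps = this.log.get(tenantId) || [];
    // Evict timestamps that have slid out of the window (the ZREMRANGEBYSCORE step).
    let i = 0;
    while (i < stamps.length && stamps[i] <= cutoff) i++;
    if (i > 0) stamps = stamps.slice(i);
    if (stamps.length >= this.limit) {
      this.log.set(tenantId, stamps);
      // The oldest request still in the window determines when the next slot frees up.
      const retryAfterSec = Math.ceil((stamps[0] + this.windowMs - now) / 1000);
      return { allowed: false, remaining: 0, retryAfterSec };
    }
    stamps.push(now);
    this.log.set(tenantId, stamps);
    return { allowed: true, remaining: this.limit - stamps.length, retryAfterSec: 0 };
  }
}

// Express-style middleware (assumed shape): tenant taken from a hypothetical x-tenant-id header,
// falling back to the client IP; exhausted tenants get 429 with Retry-After.
function rateLimitMiddleware(limiter) {
  return (req, res, next) => {
    const tenant = req.get('x-tenant-id') || req.ip;
    const r = limiter.check(tenant);
    res.set('X-RateLimit-Remaining', String(r.remaining));
    if (!r.allowed) {
      res.set('Retry-After', String(r.retryAfterSec));
      return res.status(429).send('Too Many Requests');
    }
    next();
  };
}
```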

Input validation

All API requests are validated using strict input rules:

  • Unknown fields are stripped from requests
  • Non-whitelisted fields are rejected
  • Request body size is limited to 10 MB
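An added example, not Salesbuildr's validator, showing the three rules above applied to a JSON request body: the 10 MB cap is checked on the raw bytes before parsing, and unknown fields are either stripped or cause rejection depending on the configured mode. The field list (QUOTE_SCHEMA) is a constructed example, not the product's real schema.

```javascript
// Body size cap from the section above, checked on raw bytes before any parsing happens.
const MAX_BODY_BYTES = 10 * 1024 * 1024;

// Constructed whitelist for a hypothetical "create quote" request: field name -> expected JSON type.
const QUOTE_SCHEMA = { title: 'string', companyId: 'string', total: 'number', lineItems: 'object' };

// mode 'strip' drops fields not in the schema; mode 'reject' fails the request when any are present.
function validateBody(rawBody, schema, mode = 'strip') {
  const size = Buffer.byteLength(rawBody, 'utf8');
  if (size > MAX_BODY_BYTES) {
    return { ok: false, errors: [`body is ${size} bytes, limit is ${MAX_BODY_BYTES}`] };
  }
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, errors: ['body is not valid JSON'] };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  const unknown = [];
  const clean = {};
  for (const [key, value] of Object.entries(parsed)) {
    // hasOwnProperty on the schema keeps keys like "__proto__" or "constructor" out of the clean object.
    if (!Object.prototype.hasOwnProperty.call(schema, key)) {
      unknown.push(key);
      continue;
    }
    if (typeof value !== schema[key]) {
      errors.push(`${key}: expected ${schema[key]}`);
      continue;
    }
    clean[key] = value;
  }
  if (unknown.length && mode === 'reject') errors.push(`unknown fields: ${unknown.join(', ')}`);
  return errors.length ? { ok: false, errors } : { ok: true, value: clean, stripped: unknown };
}
```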

Access control

Salesbuildr uses role-based access control (RBAC) to protect resources:

  • Admin role bypasses all permission checks
  • Base user role provides standard access
  • Viewer license for read-only access (not billed)
  • Custom roles with granular permissions can be created on Advanced and Premium plans. See Users & Permissions for full details

Nine permissions control access to specific resources: quote management, product viewing and management, product imports, pricing books, company management, whitespace, and procurement.

Data backup

Admins can generate a full backup of their account data at Admin > Tools > Maintenance > Generate Backup. The backup is produced as a ZIP file and available for download. Only admin users can create or download backups.

Cookie consent

Salesbuildr uses Cookiebot for cookie consent management. The consent banner appears for new visitors and allows granular control over cookie categories.

Legal documentation

Terms of service

Your use of Salesbuildr is governed by our Terms of Service. The Terms of Service URL is configurable per tenant and displayed in the application footer.

Privacy policy

Our Privacy Policy describes how we collect, use, and protect personal data. The Privacy Policy URL is configurable per tenant and displayed in the application footer.

Terms and conditions for quotes

Salesbuildr includes a dedicated Terms & Conditions feature for quote proposals. Admins can configure T&C content at the platform level, and recipients must accept them before completing a quote approval. Consent is tracked per company with timestamps and user attribution.

Two consent modes are available:

  • Explicit — recipients must actively accept the terms
  • Implicit — terms are shown but acceptance is assumed

Security contact

For security-related inquiries or to report a vulnerability, contact support@salesbuildr.com. Salesbuildr publishes a security.txt file at /.well-known/security.txt per industry standard.

GDPR compliance

Salesbuildr is committed to GDPR compliance for EU customers:

  • Data processing — available on request for customers who need a formal Data Processing Agreement (DPA)
  • Data residency — EU customer data is stored in the EU region by default. AU and US regions are available for customers in those geographies
  • Data export — admins can generate full account backups for data portability
  • Data deletion — contact support to request account data deletion
