Security
Last updated: April 2026
Tenant isolation
Every MSPbrief account lives under a tenant ID. Isolation is enforced at the database level via PostgreSQL row-level security policies — clients, schedules, integration credentials, and report history are not visible or reachable across tenants.
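An added example of tenant isolation with PostgreSQL row-level security, not MSPbrief's own schema or policies: the table `clients`, the role `app_user` and the session setting `app.tenant_id` are assumptions made for illustration.

```sql
-- Hypothetical schema; names are assumptions, not taken from MSPbrief.
CREATE TABLE clients (
    id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    tenant_id uuid NOT NULL,
    name      text NOT NULL
);

-- The application connects as a role that is neither a superuser nor
-- BYPASSRLS; both of those skip row-level security entirely.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON clients TO app_user;

ALTER TABLE clients ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner is exempt from the policies.
ALTER TABLE clients FORCE ROW LEVEL SECURITY;

-- USING filters rows that can be read, updated or deleted;
-- WITH CHECK rejects inserts and updates that would land in another tenant.
-- current_setting(..., true) yields NULL when the setting is absent, and
-- NULLIF maps an empty string to NULL, so an unset tenant matches no rows.
CREATE POLICY tenant_isolation ON clients
    USING (
        tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid
    )
    WITH CHECK (
        tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid
    );

-- Per request: bind the tenant for this transaction only (third arg = true).
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.tenant_id',
                  '11111111-1111-1111-1111-111111111111', true);
INSERT INTO clients (tenant_id, name)
VALUES ('11111111-1111-1111-1111-111111111111', 'Constructed client A');
SELECT id, name FROM clients;   -- only rows of tenant 1111... are returned
COMMIT;

-- A write aimed at a different tenant is refused by WITH CHECK.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.tenant_id',
                  '11111111-1111-1111-1111-111111111111', true);
INSERT INTO clients (tenant_id, name)
VALUES ('22222222-2222-2222-2222-222222222222', 'Constructed client B');
-- ERROR: new row violates row-level security policy for table "clients"
ROLLBACK;
```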
Credentials at rest
Integration credentials (ConnectWise keys, NinjaRMM OAuth secrets, SmileBack passwords, etc.) are encrypted at rest with AES-256-GCM using a per-deployment encryption key. Plaintext credentials are never written to logs and are decrypted only at report-generation time on our server. They are never sent back to the browser after they are saved.
In transit
All connections to MSPbrief use TLS 1.2 or later. All third-party API calls (ConnectWise, Ninja, SmileBack, Anthropic, SMTP2GO) use HTTPS.
Authentication
Authentication is provided by Supabase Auth (email + password). Sessions are signed, short-lived, and refreshed via secure HTTP-only cookies. Password hashing is handled by Supabase using industry-standard algorithms.
Reporting a security issue
Found something? Email security@mspbrief.io. We'll respond within one business day.
Placeholder page. This describes how MSPbrief is built today, not a formal security commitment. SOC 2 / ISO 27001 attestations are not yet in place. Replace this content with reviewed copy and remove this notice before public launch.