Data Security and Privacy
How SME System protects your business data with Row-Level Security, encryption, and UK GDPR compliance.
Your business data is sensitive. SME System is built with security and privacy at its core, ensuring your contacts, leads, quotes, and products are protected at every level.
Row-Level Security (RLS)
What Is RLS?
Row-Level Security is a database-level security feature that ensures each organisation can only access its own data. Unlike application-level checks that can be bypassed by bugs or misconfiguration, RLS is enforced directly by the database.
How It Protects You
- Every query to the database is automatically filtered by
organisation_id - Even if a bug in the application tried to access another organisation's data, the database would refuse
- No user can see, edit, or delete data belonging to another organisation
- This applies to contacts, leads, products, quotes, and all other business data
Why This Matters
Many SaaS tools rely solely on application-level security — meaning a single bug could expose other customers' data. SME System's RLS approach means security is enforced even if the application layer has a vulnerability.
Data Encryption
In Transit
All data sent between your browser and SME System servers is encrypted using TLS (Transport Layer Security). This means:
- Your password is never transmitted in plain text
- Contact details and quote data are encrypted while being sent
- Nobody can intercept and read your data on the network
At Rest
All data stored in the SME System database is encrypted at rest. This includes:
- Contact names, addresses, and VAT numbers
- Lead details and pipeline information
- Product prices and descriptions
- Quote line items and totals
UK GDPR Compliance
Data Storage
- All SME System data is stored in secure, encrypted databases
- Data is hosted in the EEA (European Economic Area)
- Your data is not shared with third parties for marketing purposes
Your Rights
Under UK GDPR, you have the right to:
- Access: Export all your data at any time from Settings → Data
- Rectification: Edit any contact, product, or quote at any time
- Erasure: Permanently delete your account and all associated data
- Portability: Export data in CSV or JSON format
Data Retention
- Your data is retained as long as your account is active
- When you delete your account, all data is permanently removed within 30 days
- Cancelled subscriptions retain data for 90 days in case you reactivate
Access Control
Role-Based Access
SME System enforces role-based access control:
- Admins can access all modules and settings
- Members can access operational modules (CRM, Contacts, Products, Sales)
- Billing and organisation settings are restricted to Admins only
Session Security
- Sessions expire after a period of inactivity
- You can view and revoke active sessions from Settings → Security
- Two-factor authentication adds an extra layer of protection
Best Practices for Your Team
Strong Passwords
Require your team to use strong passwords:
- Minimum 8 characters
- Mix of uppercase, lowercase, numbers, and symbols
- Unique passwords not reused from other services
- Use a password manager
Enable 2FA
Encourage all team members — especially Admins — to enable two-factor authentication. This prevents unauthorised access even if a password is compromised.
Regular Access Reviews
Review your team member list monthly:
- Remove members who have left the organisation
- Downgrade Admins who no longer need full access
- Verify that only current employees have access
Data Hygiene
- Don't store more personal data than you need
- Keep contact records up to date
- Remove inactive or duplicate contacts periodically
- Follow your organisation's data retention policy
Reporting a Security Concern
If you believe you've found a security vulnerability or have a data privacy concern:
- Contact us immediately through the Contact page
- Do not publicly disclose the issue
- We will acknowledge receipt within 48 hours
- We will investigate and respond with a resolution timeline