Security Overview

Security architecture

Convertly CRM is built on PocketBase, a self-contained backend with an embedded SQLite database. All data is stored on Convertly’s servers and is not shared with third-party databases.


Authentication security

Password handling

  • Passwords are hashed using bcrypt before storage
  • Plain-text passwords are never stored or logged
  • Minimum password requirements are enforced at registration and change

Session management

  • Sessions use signed HTTP-only cookies
  • Sessions expire after 14 days of inactivity
  • Users can log out explicitly, which immediately invalidates the session
  • Multiple sessions (e.g., across devices) are allowed simultaneously

Forgot password flow

  • Password reset tokens are single-use and expire after 60 minutes
  • Tokens are delivered only to the verified email on the account
  • Old tokens are invalidated when a new one is requested

Role-based access control

All data access in Convertly is gated by role:

  • Tenant-level roles (Admin, Manager, Sales Rep) control access within an organization
  • Platform-level roles (Developer Admin, Developer Staff, Developer) control access to platform management tools
  • No cross-tenant data access is possible through the standard UI

See Roles and Access for the full role matrix.


API security

  • All API routes require a valid authenticated session
  • Public-facing form submission and webhook endpoints are validated by secret keys or signatures
  • Webhook payloads from Stripe are verified using HMAC signatures before processing
  • All input is validated server-side — client-side validation is supplementary only
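
The Stripe webhook verification described above, as an added example that is not Convertly's own code: the Stripe-Signature header carries a timestamp t and one or more v1 values, each an HMAC-SHA256 over "<t>.<raw body>" keyed with the endpoint signing secret, and the receiver recomputes the MAC on the raw bytes, compares in constant time and bounds the timestamp age to limit replay. Go is used because PocketBase is a Go backend; the secret, event body and tolerance in the test are constructed placeholders, and strings.Cut assumes Go 1.18 or later.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strconv"
	"strings"
	"time"
)

// stripeMAC is HMAC-SHA256 over "<t>.<body>" keyed with the endpoint secret.
func stripeMAC(body []byte, secret string, ts int64) []byte {
	m := hmac.New(sha256.New, []byte(secret))
	m.Write([]byte(strconv.FormatInt(ts, 10) + "." + string(body)))
	return m.Sum(nil)
}

// SignStripe builds the sender-side header "t=<unix>,v1=<hex>" (used here to make sample deliveries).
func SignStripe(body []byte, secret string, ts int64) string {
	return "t=" + strconv.FormatInt(ts, 10) + ",v1=" + hex.EncodeToString(stripeMAC(body, secret, ts))
}

// VerifyStripe checks a Stripe-Signature header against the raw request body. Any one
// v1 may match (Stripe sends several during secret rotation); |now - t| must be within
// tolerance so a captured, valid delivery cannot be replayed indefinitely.
func VerifyStripe(body []byte, header, secret string, now time.Time, tolerance time.Duration) error {
	ts, sigs := int64(0), [][]byte(nil)
	for _, part := range strings.Split(header, ",") {
		switch k, v, _ := strings.Cut(strings.TrimSpace(part), "="); k {
		case "t": // a malformed value leaves ts == 0, which is rejected below
			ts, _ = strconv.ParseInt(v, 10, 64)
		case "v1":
			if s, err := hex.DecodeString(v); err == nil {
				sigs = append(sigs, s)
			}
		}
	}
	if ts == 0 || len(sigs) == 0 {
		return errors.New("header lacks t or v1")
	}
	if d := now.Sub(time.Unix(ts, 0)); d > tolerance || d < -tolerance {
		return errors.New("timestamp outside tolerance")
	}
	expected := stripeMAC(body, secret, ts)
	for _, s := range sigs {
		if hmac.Equal(expected, s) { // constant-time comparison
			return nil
		}
	}
	return errors.New("no v1 signature matches")
}
```

Verify on the raw bytes exactly as received, before any JSON decoding, since re-serialising the body changes the MAC input.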

Transport security

  • All traffic between clients and Convertly uses TLS 1.2+
  • API endpoints are only accessible over HTTPS
  • HTTP requests are redirected to HTTPS at the infrastructure level

Infrastructure

  • Application hosted on a dedicated server (not shared hosting)
  • Database stored locally on the server — not on a shared cloud database
  • Regular automated backups with offsite storage

Reporting a security vulnerability

If you discover a potential security vulnerability in Convertly CRM, please contact:

Email: support@convertlycrm.com
Subject: “Security Vulnerability Report”

Please do not publicly disclose vulnerabilities before reaching out. We will acknowledge your report within 48 hours.