Your data is your business.
We protect it like ours.

ClosingFox is built with security-first architecture. Your leads, contacts, and deals are isolated, encrypted, and under your control — always.

🔒 Encrypted · Isolated · Indian-hosted

Our security promise.

Your organization’s data is completely isolated from every other organization. Your team sees only what you allow. We never access your data unless you explicitly ask us to for support.

Built on three pillars.

🔐

Encryption

All data encrypted in transit (TLS 1.2+) and at rest. No data travels unprotected.

🏛️

Isolation

Row-Level Security ensures every organization’s data is completely separated at the database level.

🎛️

Control

14-module granular permissions. You decide who sees what — down to individual pipelines.

How we protect your data.

Not marketing claims. Real architecture.

🔐

Encryption everywhere

All communication between your browser/app and our servers uses TLS 1.2+ encryption. Data at rest is encrypted using AES-256 on our database infrastructure.

HTTPS enforced on all endpoints

AES-256 encryption at rest

Secure WebSocket for real-time sync

🏛️

Row-Level Security (data isolation)

Every database query is filtered by organization ID at the Postgres level. This means a user in Organization A can never — even through a bug — access Organization B’s data. This isn’t application-level filtering. It’s database-enforced.

Postgres RLS policies on every table

Org isolation enforced at database level, not app level

Zero cross-org data leakage by design

🔑

Authentication

JWT-based authentication with secure token management. Support for email/password and Google OAuth. Sessions expire automatically. Password reset via secure email link.

JWT tokens with expiration

Google OAuth 2.0 support

Secure password hashing (bcrypt)

🎛️

Role-Based Access Control (RBAC)

14 permission modules, each with View/Create/Edit/Delete controls. Per-pipeline access means a user can have full access to Pipeline A but zero access to Pipeline B. Role hierarchy enforces reporting chains.

14 modules × 4 permissions each (VCDE)

Per-pipeline access control

Preset profiles: Admin, Manager, Sales Rep

Custom profiles for any permission combination

👁️

Data masking

Phone numbers and email addresses can be masked based on user permissions. A sales rep can see lead names and stages but not phone numbers — preventing data theft when team members leave.

Phone masking: shows ****XX1234

Email masking: shows r***@gmail.com

Permission-gated — admins see full data

📞

Call detection privacy

Our Android auto call detection reads call metadata only — phone number, duration, direction, timestamp. We never record call audio. We never listen to conversations. Call permissions can be revoked anytime from device settings.

Metadata only — no audio recording

READ_PHONE_STATE + READ_CALL_LOG permissions

Revocable from Android settings anytime

📍

Location privacy

GPS is used only during active site visits — when a user manually starts a visit. We do not track location in the background. Location data is tied to the specific visit record and visible only to authorized users.

GPS captured only on manual visit start

No background location tracking

Location data visible based on permissions

🖥️

Infrastructure

ClosingFox runs on enterprise-grade cloud infrastructure with automated backups, monitoring, and disaster recovery.

Database: Supabase (backed by AWS)

API: Vercel serverless (auto-scaling)

Automated daily backups

Real-time monitoring and alerting

Granular permission system.

Control exactly who can see, create, edit, or delete in each module.

Example: Permission Matrix

Each role gets specific VCDE (View/Create/Edit/Delete) per module.

Module

View

Create

Edit

Delete

Leads

✓

—

Pipeline Config

✓

—

Call Logs

✓

—

User Management

—

Clearance

✓

—

Site Visits

✓

—

Practices & compliance.

🔄

Automated Backups

Daily automated backups of all data. Point-in-time recovery available.

📋

Data Retention Policy

Clear retention periods. 90 days after cancel. 60 days for expired trials. Permanent deletion after.

📤

Data Portability

Export your data anytime. We provide it in standard formats within 7 business days.

💳

PCI Compliant Payments

Payments processed by Razorpay (PCI DSS Level 1). We never store card numbers.

🛡️

Incident Response

Defined process for security incidents. Affected users notified within 72 hours of confirmed breach.

👤

Minimal Data Collection

We collect only what’s needed to run the service. No unnecessary tracking. No selling data.

Security questions.

No. Row-Level Security (RLS) enforced at the Postgres database level ensures complete data isolation. Even in the event of an application bug, cross-org data access is architecturally impossible.

No. We only capture call metadata — phone number, duration, direction, and timestamp. We never record audio, listen to conversations, or access message content.

No. GPS is captured only when a user manually starts a site visit inside the app. There is no background location tracking. You can revoke location permission from device settings anytime.

Your data is retained for 90 days after cancellation, giving you time to reactivate or request an export. After 90 days, it’s permanently deleted from all systems including backups.

Yes. Contact us at mail@closingfox.com and we’ll provide a full export in standard format within 7 business days. Your data is always yours.

Your data is stored on Supabase infrastructure backed by AWS in secure data centers with automated backups, monitoring, and encryption at rest.

You can prevent this using data masking. Mask phone numbers and emails for specific roles so team members can see lead names and stages but not contact details. Combined with per-pipeline permissions, you have full control.

Have a security question?

We’re happy to discuss our security practices in detail. Reach out anytime.

mail@closingfox.com →
Read our Privacy Policy →

Your data is your business.We protect it like ours.