Trust & Security

Your work data, handled with care

CanTicket helps service teams manage jobs, time, and invoicing. We know that means trusting us with client names, financial data, and day-to-day operations. This page explains how we protect that information.

Last updated: July 2026

01

What we do

CanTicket is a cloud-based job and workflow platform for businesses that track work, time, and billing — often alongside Xero and other tools you already use.

We process data you and your team enter into the product: jobs and tasks, time entries, comments, client and contact details, invoices and quotes (including data synced from connected accounting systems), and account information for your users.

We do not sell customer data. We use it only to provide and improve the service described in our Terms of Service and Privacy Policy.

02

How we protect data

Encryption

AreaDetail
In transitAll connections to CanTicket use HTTPS (TLS 1.2+).
At restCustomer data is stored in encrypted MySQL on AWS in Singapore (ap-southeast-1).
PasswordsStored using industry-standard hashing — never in plain text.
SessionsEncrypted session cookies in production; secure cookie flags when served over HTTPS.

Access control

  • Role-based access — Admin, manager, contractor, client, and other roles see only what their role allows.
  • Company isolation — Data is scoped by company (tenant) so one customer's data is not visible to another.
  • Internal access — CanTicket staff access to customer environments is limited, logged, and restricted to authorised support and operations personnel only.
  • Authentication — Login verification and optional OTP flows for account security.

Application security

We maintain an active security improvement program, including:

  • Regular internal security reviews of our application code
  • Automated testing and style checks on critical paths before release
  • Webhook authentication for inbound integrations (email-to-ticket, Xero, CRM, and others)
  • Input validation and output encoding to reduce cross-site scripting and injection risks
Details of our remediation program are available to enterprise customers under NDA.

Infrastructure

ItemOur approach
HostingAmazon Web Services (AWS)
Primary regionSingapore (ap-southeast-1)
AvailabilityUpdate coming soon
BackupsRegular automated backups, stored securely and not publicly accessible.
MonitoringApplication and infrastructure logging; alerts on errors and failed jobs.
03

Subprocessors

We use carefully selected third parties to run CanTicket. They process data only on our instructions and for the purposes below.

ProviderPurposeTypical data
Amazon Web Services (AWS)Application and database hostingAll customer account and job data
Amazon Web Services (SES)Transactional emailEmail addresses, message content
StripeSubscription and payment processingBilling contact, payment metadata (Stripe handles card data)
XeroAccounting integration (optional per customer)Invoices, contacts, payroll/timesheet sync as configured
GoogleCalendar, Drive, Maps (optional per customer)OAuth tokens, calendar events, files as authorised
OpenAI / Google GeminiAI-assisted features (optional per company)Prompts may include job and comment text when features are enabled
GoHighLevelCRM sync (optional)Contacts and opportunities as configured
SlackJob commands (optional)Workspace tokens, job metadata
AsanaIntegration and browser plugin (optional)Task and time data as authorised
Full register: Available on request — [email protected]. We review subprocessors periodically and update this list when we add or change providers.
04

Artificial intelligence (AI)

Some CanTicket features can send portions of your job or comment text to AI providers (such as OpenAI or Google Gemini) when your company has enabled those features.

You control this

  • AI features are configured per company
  • You can disable AI features if you do not want content processed by third-party LLMs
  • Where supported, you may use your own API keys
We recommend not entering passwords, payment card numbers, or highly sensitive personal health information into AI prompts. More detail is available in our AI data handling summary on request.
05

Your responsibilities

Security is shared. We recommend customers:

  • Use strong, unique passwords and limit admin accounts to people who need them
  • Review user access when staff leave or change roles
  • Connect integrations (Xero, Google, Slack) only with accounts you trust
  • Report suspicious activity to us promptly
06

Incident response & breach notification

We maintain an incident response plan covering detection, containment, assessment, customer notification, and post-incident review.

If we confirm a security incident that affects your data, we will:

  1. Investigate and contain the incident without undue delay
  2. Assess what data and which customers may be affected
  3. Notify affected customers and, where required by law, relevant regulators — our target is to begin customer notification within 72 hours of confirming a notifiable breach
  4. Remediate root cause and share summary findings where appropriate
Report a vulnerability or incident: [email protected]. We appreciate responsible disclosure and will acknowledge reports within 2 business days.
07

Compliance & certifications

StatusDetail
ISO 27001Underway
PrivacyAustralian Privacy Act 1988; see our Privacy Policy for international transfers (including Singapore hosting)
Security auditInternal application security audit completed June 2026; critical findings remediated
Enterprise customers may request our security overview, subprocessor list, and DPA under NDA.
08

Data retention & deletion

Data typeTypical retention
Active account dataDuration of subscription, plus a defined grace period after termination unless law requires longer Update coming soon
BackupsRetained on a rolling basis and rotated regularly; stored securely and not publicly accessible.
LogsSecurity and access logs retained for monitoring, troubleshooting, and investigation purposes.
To request export or deletion of your organisation's data, contact [email protected]. Some records may be retained where required for legal, tax, or fraud-prevention purposes.
09

Contact us

Send a message and we'll open a triage ticket routed to the right team. For security reports we acknowledge within 2 business days.

Your message creates a triage ticket. We never share your details with third parties for marketing.

Ticket created

Thanks — your request has been logged and routed to the right team. You'll receive an email confirmation shortly. Keep this reference for follow-up:

RefCT-000000
10

Marketing website (cookies & analytics)

Our public website (canticketapp.com) may use cookies and third-party analytics to understand how visitors find our marketing pages. This section does not describe the in-app CanTicket product your team uses for jobs and time tracking.

ServicePurpose
Google AnalyticsTraffic and usage on marketing pages
Meta (Facebook) PixelAdvertising measurement and remarketing
Google Search ConsoleSearch performance and site indexing (site-owner tool)
Details are in our Privacy Policy. To opt out of marketing cookies, use your browser settings or the controls described in our Privacy Policy. Product support: [email protected]