Security & Vulnerability Disclosure
We take the security of The Bench COO seriously. This page covers how to report a security issue, what to expect when you do, the third-party services we rely on to deliver the product, and how we handle customer data on connected platforms.
1. Reporting a vulnerability
If you believe you have found a security issue in our app, website, or any connected integration, please email security@thebenchcoo.com with a description of the issue and steps to reproduce. The address forwards directly to the founder.
A machine-readable version of this contact lives at https://app.thebenchcoo.com/.well-known/security.txt per RFC 9116.
2. What to expect from us
- Initial acknowledgement within 5 business days of receiving your report.
- An assessment within 10 business days covering severity, expected fix timeline, and any clarifying questions.
- A fix and verification for confirmed issues; we will coordinate public disclosure timing with you if applicable.
- Public acknowledgement of your contribution on this page if you would like it; otherwise we will respect any request to remain anonymous.
We do not currently run a paid bug-bounty program, but we are happy to acknowledge researchers who report issues in good faith.
3. Scope
The following are in scope for vulnerability disclosure:
- The app at https://app.thebenchcoo.com and its API endpoints
- The marketing site at https://thebenchcoo.com
- The demo experience at https://demo.thebenchcoo.com
- OAuth integration code (QuickBooks, HubSpot, Square, Jobber, Gusto, and any future connectors)
- Webhook handlers and write-back endpoints
Issues on the platforms we integrate with (QuickBooks, HubSpot, Square, etc.) should be reported to those vendors directly. We will help coordinate where appropriate.
4. Out of scope
The following are explicitly out of scope and we ask that you do not test them:
- Denial-of-service or volumetric testing of any kind
- Social engineering of staff, customers, or third-party vendors
- Physical attacks on our infrastructure or premises
- Brute-forcing login credentials or rate-limit testing
- Reports based purely on missing headers without a concrete impact
- Self-XSS, clickjacking on pages with no sensitive action, or vulnerabilities requiring physical access to an unlocked device
- Accessing, downloading, modifying, or deleting data belonging to anyone other than yourself or a test account you control
5. Safe harbor
If you make a good-faith effort to comply with this policy — you stay in scope, you do not exfiltrate data, you do not disrupt service, and you give us a reasonable window to respond before public disclosure — we will not pursue legal action, regulatory complaints, or DMCA claims against you for your research.
We cannot grant safe harbor on behalf of third parties (the platforms our app integrates with). If your research touches their systems, please follow their published disclosure programs.
6. Subprocessors
We use the following third-party services to operate the product. Each is named here in the spirit of transparency and to support customer due-diligence requests.
| Service | Purpose |
|---|---|
| Netlify | Application hosting, CDN, edge functions, forms |
| Supabase | Managed Postgres database, authentication, file storage |
| Anthropic | Claude language model for the COO agent |
| Stripe | Subscription billing and payment processing |
| Resend | Transactional email (invitations, notifications) |
| Sentry | Application error monitoring (with sensitive headers and OAuth-shaped query parameters scrubbed before transmission) |
| Plausible | Privacy-respecting product analytics (no individual user tracking) |
| Google Workspace | Operational email (contact@, daniel@, security@) |
| Intuit (QuickBooks) | Customer-authorized accounting data access via OAuth |
| HubSpot | Customer-authorized CRM data access via OAuth |
| Square | Customer-authorized sales data access via OAuth |
| Jobber | Customer-authorized field-service jobs data access via OAuth |
| Gusto | Customer-authorized payroll data access via OAuth |
Customer-authorized integrations are accessed only with the explicit consent of the customer, who can revoke access at any time from within the app or from the connected platform's own settings.
7. Data handling for connected platforms
When you connect a platform like QuickBooks, HubSpot, or Square to the app:
- OAuth tokens are encrypted at rest using AES-256-GCM with a key held outside the database, so a stolen database alone does not yield usable credentials.
- Tokens are never logged. Error reports sent to our monitoring system have Authorization headers, cookies, and OAuth-shaped query parameters replaced with [Filtered] before transmission.
- Customer data is fetched on demand and cached only briefly (up to four hours) to reduce upstream API load. Cached values are deleted on disconnect.
- Disconnecting removes the data. When you disconnect a platform — whether from within our app or from the connected platform's settings — we revoke the OAuth token, null the encrypted token fields, clear cached values, and strip platform-derived numerical blocks from prior chat history. This happens synchronously at the time of disconnect, not on a delay.
- Audit log entries for connection lifecycle events (connect, refresh, disconnect) are retained for security and compliance purposes but contain no customer-readable platform data.
8. Data retention & deletion
Customer chat history, business profile, and team membership data are retained for the duration of the customer's account. Customers may request account deletion at any time by emailing contact@thebenchcoo.com; we honor deletion requests within 30 days.
Connection-related data tied to a third-party integration (OAuth tokens, cached API responses, platform-derived report blocks in chat) is removed within 30 days of disconnection — in practice, synchronously at disconnect time, well before the 30-day limit.
9. Encryption in transit
All traffic between customers, our application, and our subprocessors uses TLS 1.2 or higher. The app and marketing site enforce HTTPS via HTTP Strict Transport Security with a two-year max-age, includeSubDomains, and preload directives.
10. Encryption at rest
The managed Postgres database operated by Supabase is encrypted at rest using their platform-default disk encryption. On top of that, OAuth access and refresh tokens are encrypted application-side using AES-256-GCM before being persisted; the encryption key is held only in environment configuration on Netlify and is never written to the database.
11. Access controls
Database, hosting, and OAuth-provider administration accounts require multi-factor authentication. Access to production data is limited to the founder (daniel@thebenchcoo.com) and is used only for support, incident response, and platform maintenance.
12. Updates to this policy
We may update this page from time to time. Material changes will be reflected in the “Last updated” date above.
13. Questions
Security reports: security@thebenchcoo.com
General contact: contact@thebenchcoo.com
Phone: 916-775-7717
The Bench COO
Daniel Zimmer
5960 South Land Park Dr #608
Sacramento, CA 95822