00 · Security

Your workshop data, locked down.

Every workshop is isolated at the database layer. Every connection is encrypted. Every byte sits in a Singapore data centre with strict access controls. Here is how it all works, in plain language.

01 · How your data is isolated

Every cabinet has its own lock.

MekaHub uses something called Row Level Security, or RLS. Without going into the jargon: every record in our database is tagged with a workshop ID, and the database itself refuses to return rows that do not belong to the workshop asking for them.

Think of it like this. Every workshop has its own cabinet, and the lock is on the cabinet, not just on the door of the building. Even if someone got past the front door, the cabinet still will not open without the right key. We do not rely only on application code to keep workshops apart. The database does it too.

We verify this end to end with automated tests. As of our last audit, every cross-workshop access attempt was blocked at the policy level: reads silently return nothing, updates and deletes affect zero rows, and inserts that try to write into someone else’s workshop are rejected outright.
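For the technically curious, here is an added illustration of that behaviour in plain PostgreSQL. It is not MekaHub's actual schema or policies: the table, role, workshop IDs and the `app.workshop_id` session setting are all made up for the example, and the setting stands in for however a real service identifies the workshop making the request.

```sql
-- Constructed example; run as an admin role in a scratch PostgreSQL database.
CREATE TABLE job_cards (
    workshop_id uuid NOT NULL,
    title       text NOT NULL,
    status      text NOT NULL DEFAULT 'open'
);

-- Table owners and superusers bypass RLS by default, so the application
-- must connect as a separate, unprivileged role (hypothetical: app_user).
ALTER TABLE job_cards ENABLE ROW LEVEL SECURITY;
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON job_cards TO app_user;

-- USING filters the rows a statement can see or touch.
-- WITH CHECK validates every row being written.
-- current_setting(..., true) returns NULL when unset, so the policy fails closed.
CREATE POLICY workshop_isolation ON job_cards
    FOR ALL TO app_user
    USING      (workshop_id = current_setting('app.workshop_id', true)::uuid)
    WITH CHECK (workshop_id = current_setting('app.workshop_id', true)::uuid);

-- Seed one job card for each of two workshops (constructed IDs).
INSERT INTO job_cards (workshop_id, title) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Brake service'),
    ('22222222-2222-2222-2222-222222222222', 'Oil change');

-- Act as workshop 1111... and try to reach workshop 2222...'s row.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.workshop_id = '11111111-1111-1111-1111-111111111111';

SELECT count(*) FROM job_cards;                      -- own row only
SELECT count(*) FROM job_cards
 WHERE workshop_id = '22222222-2222-2222-2222-222222222222';  -- no rows, no error

UPDATE job_cards SET status = 'closed'
 WHERE workshop_id = '22222222-2222-2222-2222-222222222222';  -- UPDATE 0

DELETE FROM job_cards
 WHERE workshop_id = '22222222-2222-2222-2222-222222222222';  -- DELETE 0

-- Fails WITH CHECK: "new row violates row-level security policy"
INSERT INTO job_cards (workshop_id, title)
VALUES ('22222222-2222-2222-2222-222222222222', 'Planted row');
ROLLBACK;
```

The same three outcomes are what an automated isolation test would assert for every table that carries a workshop ID.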

02 · Encryption

Encrypted on the wire. Encrypted on the disk.

Two layers, working together. One protects data while it travels. One protects it while it sits.

01 of 03

In transit

Every request between your browser, the mobile app, and our servers goes through TLS 1.3. Nothing travels in the clear, ever.

02 of 03

At rest

The database disks themselves are encrypted with AES-256. If a drive ever walked out of the data centre, the data on it would be unreadable.

03 of 03

Sensitive fields

Your most sensitive workshop fields are encrypted with a separate workshop key before they go into the database. Even with raw database access, they cannot be read.

03 · Authentication

Email and password, done properly.

Logins use email and password through Supabase Auth, the same system the mobile app uses. Passwords must be at least 8 characters. They are never stored in plain text. We store a salted hash and nothing else.

Sessions refresh quietly in the background and expire if a device sits idle. Forgot your password? Tap the reset link on the login page and we will email you a one-time link to set a new one.

Two-factor authentication is on the roadmap, not yet shipped. Until it lands, the most important thing you can do is pick a strong password and not share it. We will announce 2FA the moment it is available.

04 · Roles and permissions

Each role sees only what it should.

Four roles, each with a scoped view of the workshop. The mechanic on the floor does not need to see your profit margins. The receptionist does not need access to billing.

01 of 04

Owner

Full access to everything: workshop settings, billing, staff, customers, invoices, reports. The only role that can invite or remove other staff.

02 of 04

Manager

Day-to-day operations. Manages customers, vehicles, job cards, quotations, invoices, bookings, and inventory. Cannot touch billing or remove staff.

03 of 04

Mechanic

Workshop floor view. Sees job cards assigned to them, updates status, adds parts and labour. Does not see workshop financials or other mechanics’ jobs.

04 of 04

Receptionist

Front desk. Books appointments, takes payments, prints invoices, looks up customer history. Cannot edit workshop settings.

Only the Owner role can invite new staff, remove existing staff, or access billing. Role assignments are enforced at the database layer alongside RLS, so they cannot be bypassed from the client.

05 · Where your data lives

Singapore data centre. Daily backups.

Your data lives on Supabase in the ap-southeast-1 region, which is Singapore. That keeps page loads fast for Malaysian workshops and keeps customer records inside the region for data residency.

Backups run automatically every day. We are on the Supabase Pro plan, which retains backups for 30 days. If anything goes wrong on our end, we can roll the database back to any point within the last month.

The Singapore facility is operated to SOC 2 Type II and ISO 27001 standards. Physical access, network controls, and operational logging are audited by third parties on a continuous basis.

Region: Singapore
Provider: Supabase
Backups: Daily, 30 days
Standards: SOC 2 · ISO 27001

06 · Payments

We never see your card numbers.

Your MekaHub subscription is billed through the Apple App Store, with Google Play on Android coming soon. Your card details live with Apple or Google, who are certified to the highest payment-security standards. Card numbers never touch our servers. We only ever receive the subscription status.

For customer payments, MekaHub keeps no banking details at all. You send the invoice link via WhatsApp, the customer pays by cash, bank transfer or cheque, and you record it in one tap.

When you record a payment, MekaHub stores the amount, the reference, and the time, so your ledger stays clean and auditable. Nothing more. This is by design and it is not optional.

07 · What you should do

Five things you control on your end.

Security is a two-way street. Here is the short list of things only you can take care of.

  • Use a strong password. At least 8 characters, mix letters, numbers, and symbols.
  • Do not share login credentials between staff. Invite each person as their own user so the audit trail stays clean.
  • Revoke staff access the same day someone leaves. Owners can remove users from the team settings page.
  • Record customer payments promptly so your ledger always matches the cash, bank transfers, and cheques you have received.
  • Enable two-factor authentication on your Apple ID and Google account. They both support it.

08 · Responsible disclosure

Found a security issue? Tell us first.

If you believe you have found a security vulnerability in MekaHub, please email us before disclosing it publicly. We take every report seriously, we will acknowledge it within two working days, and we will keep you updated as we patch it.

A dedicated security mailbox is on our list. Until it is live, please use our general inbox with the subject line tagged so it gets routed correctly.

Security contact

hello@mekahub.my

Subject line: [SECURITY]. Dedicated security@mekahub.my is on the roadmap.

Please do not publicly disclose the issue, attempt to access other workshops’ data, or run automated scans against the production service while we are investigating. Acting in good faith is a precondition for our coordinated disclosure process.

09 · Closing
Built for trust.

Your records, locked to your workshop.

Try MekaHub free for 7 days. No credit card required.