CeoDash

Security

CeoDash is built for executive operating data, so our security model focuses on limited access, workspace isolation, encryption, and auditability.

Last updated: May 28, 2026

Access model

CeoDash uses workspace-scoped access so customer data is separated by workspace. User sessions are protected with HttpOnly cookies and CSRF checks where applicable.

Direct integrations use OAuth or provider-approved authorization flows where available. Access is intended to be limited to the permissions needed to read and sync approved business data.

Data protection

Sensitive uploaded data and integration tokens are protected at rest with encryption. Token handling is designed so users do not need to share source-system passwords with CeoDash.

Traffic to production services is served over HTTPS. We use security headers including HSTS, X-Content-Type-Options, Referrer-Policy, and frame restrictions.

Auditability

Security-relevant events such as login, password reset, upload and download activity, integration connect and disconnect, sync activity, and administrative changes are designed to be audit logged.

Audit records help investigate account activity, support customer requests, and detect suspicious behavior.

Uploads and integrations

CSV, XLSX, and other file uploads are processed for the customer workspace that submitted them.

Paid direct integrations can be revoked. Disconnecting an integration stops future syncs, while source-system access can also be revoked from the provider account.

Security reviews

Security questionnaires and additional review materials are available on request for customers evaluating paid direct integrations or larger deployments.

We avoid listing certifications or audit claims on this page unless they are completed and current.

Report a vulnerability

Please report suspected vulnerabilities to support@ceodash.tools with enough detail to reproduce the issue. Do not access, modify, or exfiltrate data that does not belong to you.