Last updated: December 18, 2025
At SurgeTK, security is built in at every layer—how you sign in, how your data moves, where it’s stored, and which services are allowed to talk to our app. The points below summarize the protections that are active in production today.
Security at a Glance
Encrypted everywhere: All traffic between your browser and SurgeTK uses HTTPS, and we enforce modern browser protections to block unsafe content and framing.
Strong account security: Email verification is required, two‑factor authentication (2FA) is enforced for ongoing access, and we throttle login and code‑entry attempts to stop brute‑force attacks.
Locked‑down storage: Customer files live in private Amazon S3 buckets with default server‑side encryption. Files are shared through short‑lived, expiring links; only basic profile photos are publicly readable.
Restricted database access: Our database is hosted on MongoDB Atlas and only reachable from approved network locations over encrypted connections. It is not open to the public internet.
Trusted infrastructure & vendors: We run on Heroku and use vetted providers like AWS, MongoDB Atlas, Stripe (payments), and Intercom (support). Only these approved services are allowed to load within our app.
How We Protect Your Account
Email verification: New accounts must verify ownership of the email address using a short‑lived code before they can use the platform.
Two‑Factor Authentication (2FA): After your initial access, we require an authenticator‑app code in addition to your password for ongoing sign‑ins. This reduces the risk of account takeover even if a password is guessed or phished.
Smart rate limiting: We limit how often someone can try passwords, 2FA codes, or verification codes. This slows down attackers without getting in your way during normal use.
Protected cookies: Sign‑in cookies are set to be sent only over HTTPS and are not readable by scripts, and we automatically end sessions after a period of time.
How We Protect Data in Transit and in the Browser
Always‑on HTTPS: Connections to SurgeTK are encrypted end‑to‑end, and we tell browsers to only ever use secure connections when talking to our site.
Strict website rules: We limit what can run on our pages and which sites our app can connect to. In plain terms: the app only loads scripts and frames from a small list of trusted providers, which sharply reduces the risk of malicious content.
How We Protect Stored Files
Private by default: Customer documents and exports are stored in private Amazon S3 buckets and are not directly accessible. When the app needs to show a file, it uses a short‑lived, expiring link that only works for a few minutes.
Encryption at rest: S3 applies server‑side encryption to your files by default. We also require secure (HTTPS) access to these buckets.
Tight sharing rules: Only basic profile/avatar and logo images are publicly readable—and only in a specific, limited folder. We also restrict which websites are allowed to load files from our storage.
How We Protect the Database and Network
Approved‑only access: Our MongoDB Atlas database is reachable only from allow‑listed network locations (e.g., our app’s egress) and requires encrypted connections. There is no broad “open to the world” access.
Hardened hosting: SurgeTK runs on Heroku. Outbound traffic uses fixed, known IPs to keep our database access rules precise.
Monitoring & Platform Integrity
Sign‑in awareness: When you sign in, we record basic details (like device and approximate location) to help detect unusual activity and respond quickly if something looks off.
Noise‑free logging: If someone exceeds our allowed number of attempts (login, 2FA, or code verification), we both block the request and record a high‑severity event for review.
Integrations & Data Sync Security
SurgeTK integrates with a small number of trusted third-party services to help reduce manual work. Each integration is purpose-built, scoped, and access-controlled so that only the minimum data required is synced—and only when you explicitly enable it.
CRM Integrations (Redtail & Zoho)
Redtail and Zoho are used strictly as CRM data sources. When connected, SurgeTK can sync client, household, and account data into your SurgeTK workspace so you can generate Surge materials and run workflows without duplicate data entry.
How CRM integrations are secured:
Explicit opt-in: CRM integrations are disabled by default and only activate when an authorized user connects them.
Scoped access: We request only the permissions required to read the client and account data needed for SurgeTK features.
Encrypted transport: All data pulled from Redtail and Zoho is transmitted over encrypted HTTPS connections.
No credential storage: SurgeTK does not store your CRM username or password. Authentication is handled via secure, vendor-approved mechanisms.
Read-focused usage: CRM data is used to populate and update records inside SurgeTK. We do not push changes back to your CRM.
Revocable at any time: You can disconnect Redtail or Zoho at any point from your settings, immediately stopping further syncs.
Calendar & Meeting Integration (Calendly)
Calendly is used solely to sync meeting information into SurgeTK for Surge workflows. It allows SurgeTK to detect scheduled meetings so advisors can prepare agendas, packets, and value-add materials ahead of time.
What Calendly sync includes:
Meeting title, date, time, duration, and basic metadata
Host and invitee identifiers needed to associate meetings correctly
No payment details, messages, or unrelated Calendly data
How Calendly integration is secured:
Limited scope: Calendly access is restricted to reading meeting and scheduling data required for Surge features.
Encrypted connections: All Calendly data is fetched over secure HTTPS connections.
Isolation from CRM data: Calendly data is handled independently and is not mixed with CRM credentials or permissions.
User-controlled: You can disable Calendly syncing at any time, which immediately stops new meeting imports.
Payments & In-App Support Integrations
In addition to data-sync integrations, SurgeTK uses a small number of trusted third-party services to handle payments and in-app support. These services are tightly scoped, security-reviewed, and allow-listed within our application.
Payments & Billing (Stripe)
SurgeTK uses Stripe to securely process subscription payments and billing.
How Stripe is secured:
No card data stored by SurgeTK: Payment information is collected and processed directly by Stripe. SurgeTK never sees or stores full credit card numbers.
Tokenized payment flow: Stripe returns short-lived, non-sensitive tokens to represent payment methods.
Encrypted transport: All payment activity occurs over encrypted HTTPS connections.
Allow-listed resources only: Stripe scripts and endpoints are allowed to load only where required for secure checkout and billing management.
Industry-standard compliance: Stripe maintains PCI-DSS compliance for payment processing.
In-App Support & Messaging (Intercom)
SurgeTK uses Intercom to provide secure in-app support, onboarding guidance, and account assistance.
How Intercom is secured:
Secure mode enabled: Intercom runs in secure mode, meaning SurgeTK generates a signed, time-limited identity token so Intercom can verify the user without accessing passwords or session cookies.
No credential sharing: Intercom never receives your SurgeTK password or authentication secrets.
Scoped data exposure: Only basic account and workspace identifiers are shared so support can assist you effectively.
Allow-listed loading: Intercom is one of a very small number of third-party services permitted to load inside the SurgeTK application.
Third-Party Content Policy
Blocked by default: SurgeTK blocks third-party scripts, frames, and resources unless they are explicitly approved.
Short allow-list: Only vetted providers (including Stripe and Intercom) are permitted to load, and only in the contexts where they are required.
Ongoing review: We periodically review third-party integrations to ensure they continue to meet our security and privacy standards.
Frequently Asked Questions
Do you require 2FA?
Yes. After your first access, 2FA is enforced for ongoing sign‑ins to help protect your account.
Are my files private?
Yes. Files are private by default, encrypted at rest in Amazon S3, and accessed via short‑lived links. Only basic profile photos and logos are public, and only in a limited folder.
Is the database open to the internet?
No. The database is reachable only from approved locations and over encrypted connections.
How do you prevent automated attacks?
We limit login, 2FA, and code‑verification attempts and treat excessive attempts as high‑severity events.
Which vendors do you use?
We use Heroku (hosting), MongoDB Atlas (database), Amazon S3 (file storage), Stripe (payments), and Intercom (support). Only these and similarly vetted services are allowed to load within our app.
How can I contact support about security?
Use the in‑app chat (Intercom) from within SurgeTK, and we’ll route your message to the right place.
Summary
SurgeTK applies layered controls—secure sign‑in, encrypted connections, private storage with expiring access, restricted database networking, and a short list of trusted vendors—to keep your data safe without getting in your way. We review and improve these controls regularly, and we update this page as changes go live.