Your members' data, locked down and still yours
You're trusting us with names, contact info, SSNs, and ID-theft PINs for the people who run into burning buildings. We treat that the way it deserves: encrypted at rest, behind modern sign-in, fully audited — and exportable any time you ask. No lock-in.
The four questions every chief asks
Sensitive columns are encrypted with an application key separate from the database. A stolen DB backup is unreadable.
TOTP authenticator and WebAuthn passkey sign-in for every account from day one. Backup codes included. No upcharge.
Every action is logged with the actor's user id and a timestamp. You can see who changed what, and when.
CSV/JSON export anytime from the admin panel. Your data is yours, on the way in and the way out.
Encryption at rest
Member PII — names, emails, phone numbers, SSNs, and ID-theft PINs — isn't just sitting in plain database columns. The values themselves are encrypted with an application key kept separate from the database. That means even a stolen database dump is gibberish without the key, and the key never lives in the same place as the backups.
Access in the app is scoped by role and by department, so a training officer sees what a training officer needs and nothing more — and one department can never read another's records.
Two-factor & passkey sign-in
Every account can turn on TOTP two-factor (any authenticator app) and modern WebAuthn passkeys — phishing-resistant sign-in tied to the device, no password to steal. Backup codes are there for the chief who locks themselves out of a new phone. None of this is a paid tier; it ships with every plan, on by default for the people who want it.
Audit trail & NFPA 1851 lifecycle records
Every check, alert, hydro, and bunker-gear inspection is timestamped and attributed to the person who did it. That's not just good security hygiene — it's exactly the kind of inspection-ready recordkeeping NFPA 1851 expects for PPE lifecycle tracking. When the auditor shows up, you hand them a tablet that walks them through every record, not a banker's box of paper nobody can vouch for.
The same audit log answers the questions that come up after the fact: who marked the engine check complete, when the SCBA cylinder was last hydro-tested, and who edited a member's record.
Email from your own domain
Reminders, member invites, and agreements go out from events@yourdept.org — not
from us. Each department configures its own SMTP (or Mailgun) with SPF and DKIM aligned, so mail
lands in inboxes instead of spam folders and members never see "Firehouse 360" in their inbox. It's
your department's name on every message, and your domain's reputation that benefits.
Backups, uptime & getting your data out
The platform is backed up regularly so a bad day for a hard drive isn't a bad day for your records. And because no software runs forever for everyone, you're never trapped: members, certs, training hours, journal entries, and custom check templates all export as CSV or JSON on demand. If you ever decide to leave, we hand you everything and shake hands — no retention games, no export fee.
Have a specific compliance, retention, or insurance question? Ask us directly — a real person answers.
Need this in writing for your board or insurer?
Tell us what they're asking for and we'll get you the details you need to sign off.
Get in touch