
Security

Security you can trust.

Last updated: 12 June 2026

Your data and your clients' data are protected by multiple independent security layers — from the database all the way to the browser.

How we protect your data

Defence in depth

We do not rely on a single security control. Every layer of the platform has independent protections so that a failure in one does not compromise the rest.

Encrypted everywhere

All data is encrypted in transit using TLS 1.3 and at rest using AES-256. This applies to every file, message, and invoice stored on the platform — including database backups.

  • TLS 1.3 for all connections
  • AES-256 encryption at rest
  • Encrypted database backups

No-password client access

Clients access their portals via time-limited, cryptographically signed tokens — not passwords. There are no client accounts to create, compromise, or forget.

  • HMAC-signed access tokens
  • 90-day expiry by default
  • Instant link revocation by freelancer
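How a signed, expiring, revocable link token of this kind can be issued and checked, as an added example that is not PortalKit's own code. The token layout, the field names, the use of HMAC-SHA-256 and the in-memory revocation set are assumptions made for illustration; only the 90-day default comes from the page.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

DEFAULT_TTL = 90 * 24 * 3600  # 90-day default expiry, as stated on the page

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _tag(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()

def issue_token(key: bytes, portal_id: str, link_id: str,
                now: int, ttl: int = DEFAULT_TTL) -> str:
    """Build '<payload>.<tag>'; the tag covers the exact payload bytes."""
    claims = {"exp": now + ttl, "link": link_id, "portal": portal_id}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64(payload) + "." + _b64(_tag(key, payload))

def verify_token(key: bytes, token: str, now: int,
                 revoked_links: set) -> Optional[dict]:
    """Return the claims if the token is authentic, unexpired and not revoked."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:            # wrong shape or invalid base64
        return None
    # Authenticate first, in constant time, before parsing attacker-supplied JSON.
    if not hmac.compare_digest(tag, _tag(key, payload)):
        return None
    claims = json.loads(payload)
    if now >= claims["exp"]:      # time-limited
        return None
    if claims["link"] in revoked_links:   # revocation is a server-side lookup
        return None
    return claims

if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-secret"   # constructed sample value
    now = int(time.time())
    token = issue_token(key, "portal-42", "link-7", now)
    print(verify_token(key, token, now, set()))           # claims dict
    print(verify_token(key, token, now, {"link-7"}))      # None: link revoked
    print(verify_token(key, token, now + DEFAULT_TTL, set()))  # None: expired
```

Expiry travels inside the signed token, but revocation cannot: a signature stays valid until it expires, so instant revocation depends on the server checking its own list on every request.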

Row-level security

Every query is enforced by row-level security (RLS) policies at the database layer — not just at the application layer. Freelancers can only ever read and write their own data.

  • RLS on every table
  • Granular per-client permissions
  • Principle of least privilege enforced

Ongoing security review

We conduct internal security reviews before every major release and maintain a responsible disclosure programme for external researchers.

  • Pre-release security reviews
  • Responsible disclosure programme
  • Automated dependency scanning

Standards & compliance

Built to meet global standards

GDPR

Data processing agreements available for EU customers.

Compliant

CCPA

California privacy rights honoured for all users. We do not sell personal data.

Compliant

AU Privacy Act

Compliant with the Privacy Act 1988 (Cth) and Australian Privacy Principles.

Compliant

TLS 1.3

All platform connections use TLS 1.3. Older TLS versions are rejected.

Enforced

AES-256

Industry-standard encryption for all data at rest, including backups.

Enforced

SOC 2 Type II

We are actively working towards SOC 2 Type II certification.

In progress

Responsible disclosure

We welcome security researchers who responsibly disclose vulnerabilities. If you discover a security issue in PortalKit, email security@portalkit.com with a detailed description of the issue and steps to reproduce it.

We aim to acknowledge all reports within 48 hours and resolve confirmed vulnerabilities within 30 days. We ask that you avoid accessing user data beyond what is necessary to demonstrate the issue, and give us reasonable time to address it before public disclosure.

Data practices

We do not sell your data or your clients' data. Files, invoices, and messages you store on PortalKit are used solely to provide the Service. Our engineers access customer data only when necessary to diagnose a reported issue, and only with appropriate access controls in place.

For full details on how we handle personal information, see our Privacy Policy.

Questions about security?

Our team is happy to answer detailed security questions before you commit to any plan.

© 2026 PortalKit. All rights reserved.