Security
Last updated: 2026-05-22
Sherwood stores your business records (invoices, clients, expenses, proposals). This page describes how we protect them.
In transit
Every connection to Sherwood uses TLS 1.2 or higher. Browsers reject anything older. Our own services talk to each other over encrypted channels too.
At rest
Your database lives on Neon (Postgres, EU region). Disks are encrypted at rest. Backups are encrypted and live in the same region as the primary.
Receipts and logos live on Cloudflare R2 (S3-compatible object storage). Files are private by default. The public URL only resolves for files you intentionally publish (e.g. when you put a logo on an invoice).
Passwords and sessions
We don't store your password. Authentication runs through Clerk, which handles password hashing (bcrypt with salt), MFA, and session management. You can enable two-factor auth in your Clerk account at any time.
Payments
Stripe processes every payment. Card numbers never touch Sherwood's servers. We only see Stripe's customer reference and a record of which charges succeeded or failed.
API keys
If you bring your own AI key (BYOK on Studio), we store it in your subscription row. It's redacted from any log line that prints subscription data. We never share it with anyone, including support staff.
Access control
Production database access is limited to the founder. There is no support team, no contractor account, and no third party with routine read access. Administrative access is kept narrow and reviewed when infrastructure changes.
Backups
Neon provides automatic point-in-time recovery. We keep encrypted snapshots for 30 days. Account deletion is reflected in backups within 90 days as snapshots roll off.
Breach disclosure
If we discover unauthorized access to personal data, we'll investigate promptly, take steps to contain it, and notify affected users and regulators where required by law. Our goal is to explain what happened, what was exposed, and what we're doing about it as quickly and clearly as we can.
Responsible disclosure
Found a security issue? Email security@sherwood.camp. We'll acknowledge within 48 hours and fix anything material before publicly discussing it. No bug bounty program at launch, but we'll publicly credit anyone who reports a real issue in good faith.
What we don't claim
No SOC 2. No ISO 27001. No HIPAA. Those certifications are months of paperwork and serious money, and Sherwood is built by one person. We aim for the same security practices you'd expect from any small modern SaaS: TLS, encryption at rest, hashed passwords, least-privilege access, automated backups. If you need a vendor with audited certifications, Sherwood isn't yet the right fit.
Contact
Security questions: security@sherwood.camp. General privacy: hello@sherwood.camp. We read everything.