Security at Backfill

Your books contain some of the most sensitive data in your business. We treat that seriously.


Authentication

We use a dedicated third-party authentication provider — we never see or store your password.

  • Magic link and OAuth login — sign in via email link or your Google/Microsoft account
  • Multi-factor authentication — available for all accounts
  • Session management — sessions are validated on every request and can be revoked instantly on logout

Tenant Isolation

Every Backfill company is a fully isolated tenant. Isolation is enforced at the database level, not just the application layer. There is no code path that can accidentally return another tenant’s data — queries without a valid tenant context fail by default.


Encryption

In transit: All connections to Backfill are encrypted via TLS.

At rest: Sensitive credentials are encrypted using AES-256-GCM.

  • Connector credentials (OAuth tokens, API keys, webhook secrets) are encrypted before being stored
  • API client secrets are encrypted at rest
  • Encryption keys are managed separately from the database

API Security

Backfill’s API uses signed request authentication.

  • Every request is signed with your API secret and verified using constant-time comparison
  • Requests include a timestamp — we reject anything older than 5 minutes to prevent replay attacks
  • API credentials are cryptographically generated

Webhook Security

Inbound webhooks are verified before processing.

  • Signature verification — every webhook is verified against your connection’s secret
  • Replay protection — timestamp validation rejects stale events
  • Idempotent processing — duplicate events are deduplicated and processed exactly once
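
The checks listed under API Security and Webhook Security, combined in one verifier as an added example (not Backfill's own code). HMAC-SHA256, the signing string layout, the event_id field and the rejection of future-dated timestamps are assumptions; the page itself names only the constant-time comparison, the 5-minute window and deduplication.

```python
import hashlib
import hmac
import time

MAX_AGE_SECONDS = 5 * 60  # the 5-minute replay window stated on the page


def sign(secret: bytes, timestamp: int, event_id: str, body: bytes) -> str:
    # Assumed signing string: "<timestamp>.<event_id>.<body>" under HMAC-SHA256.
    # Timestamp and event id are inside the MAC so neither can be swapped
    # on a captured request without invalidating the signature.
    msg = f"{timestamp}.{event_id}.".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Verifier:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen = {}  # event_id -> signed timestamp, used for deduplication

    def verify(self, event_id, timestamp, body, signature, now=None):
        now = int(time.time()) if now is None else now
        # 1. Authenticate first, comparing in constant time. Encoding to
        #    bytes keeps compare_digest from raising on non-ASCII input.
        expected = sign(self.secret, timestamp, event_id, body)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "bad_signature"
        # 2. Replay window on the authenticated timestamp. Rejecting
        #    far-future timestamps as well is an assumption of this example.
        if abs(now - timestamp) > MAX_AGE_SECONDS:
            return "stale"
        # 3. Idempotency: an event id is processed once. Entries older than
        #    the window can be dropped, since step 2 already rejects them.
        self.seen = {k: t for k, t in self.seen.items()
                     if now - t <= MAX_AGE_SECONDS}
        if event_id in self.seen:
            return "duplicate"
        self.seen[event_id] = timestamp
        return "accepted"
```

The order matters: the signature is checked before the timestamp or event id is trusted, and the deduplication table only ever holds authenticated ids.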

Audit Logging

Administrative actions are logged with actor, action, target, and IP address. Credential rotations are timestamped. Sensitive values (passwords, tokens, secrets) are automatically redacted from all logs.


Credential Management

Connector credentials are encrypted at rest with support for rotation.

  • Each credential is scoped to a specific tenant and connection
  • Rotation creates a new credential and timestamps the old one — nothing is silently overwritten
  • Revoked credentials are marked, not deleted

Questions

Security questions or vulnerability reports: security@backfill.io