1. Security program overview
Rudd Enterprises, LLC operates WrenchDay using layered application, account, payment, release, and provider controls designed to protect shop operations, customer and vehicle records, repair orders, invoices, payment metadata, communications, and employee access.
The security program is risk-based and evolves with the service. This statement describes current control categories without claiming a certification or guaranteeing that every threat can be prevented.
2. Access controls
WrenchDay separates shop-owner, invited-employee, mechanic, platform-administration, public-customer, and internal-API access. Private routes require authenticated context. Server-side APIs derive the organization and role from the authenticated session and enforce tenant, role, feature, and plan boundaries for the requested operation.
Free Starter and paid accounts use the same authentication and tenant-boundary controls for workflows available to their plan. Plan limits and paywalls determine entitlement; they do not replace authentication or authorization.
Customers are responsible for using strong passwords, protecting devices, managing invited users, removing former staff, and limiting mechanic access to appropriate users.
3. Tenant isolation and payment protections
Shop data access is scoped by shop identity in server-side queries. State-changing operations are subject to authenticated permissions and applicable origin, version, and input-validation controls. Public estimate, authorization, invoice, and payment workflows use purpose-specific identifiers or tokens and server-side validation.
Stripe webhooks use signature verification. Customer invoice payment status is confirmed through server-side Stripe checks that validate invoice identity, amount, currency, and connected-account context before the platform records the invoice as paid.
4. Engineering and provider controls
WrenchDay uses code review and automated quality checks appropriate to the release, validates supported API inputs, verifies signed provider callbacks where applicable, and monitors operational or security-relevant events. Recovery and continuity controls are maintained through the applicable infrastructure and service providers.
WrenchDay relies on providers for database, authentication, storage, email, SMS, voice, payments, AI, hosting, analytics, monitoring, mobile delivery, and related functions. Providers maintain their own infrastructure controls and receive data according to the enabled service and published Subprocessor List.
Customers must limit sensitive data to what is needed for repair-shop operations and must not place passwords, complete payment-card data, or unrelated sensitive information in notes, messages, photos, or templates.
5. Incident response
Suspected security incidents can be reported to hello@wrenchday.com. WrenchDay investigates credible reports, takes reasonable containment and remediation measures, preserves relevant operational information, and notifies affected customers or regulators where required by applicable law or agreement.
This Security Statement is a summary and does not create a separate warranty, certification, or service-level commitment unless included in a signed agreement.
6. Customer security responsibilities
Customers are responsible for their devices, networks, employee access decisions, third-party integrations, exported data, local files, and the accuracy of destination phone numbers and email addresses. Customers must promptly revoke access for former personnel and report suspected credential compromise.
Security questions and responsible vulnerability reports can be sent to hello@wrenchday.com. Testing, scanning, or attempting to access another customer’s data requires prior written authorization as described in the Acceptable Use Policy.
Questions about this document
Contact Rudd Enterprises, LLC, doing business as WrenchDay, at hello@wrenchday.com or use the WrenchDay support form.
