We take security seriously. And it’s not just a statement, but a way we plan, develop and deliver our product. 

Infrastructure Security

Shifton’s services and data are hosted in EU region


All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorised requests getting to our internal network.

Permissions and Authentication

Access to customer data is limited to authorised employees who require it for their job.


All data encrypted on transfer with high grade encryption. All endpoints, either Interfaces or APIs limited to HTTPS access. We enforce best practices like use of TLS 1.3, HSTS and CAA, always receiving best result at Qualys SSL labs test

Incident Response

We implement a protocol for handling security events which includes escalation procedures, rapid mitigation and post mortem.

Disaster Recovery, Back Ups and Monitoring

We have a multi-region recovery and failover deployment, assuring customer data safety and high availability. We monitor all system components and effectively respond to issues that arise. 

Product security features


Shifton support OpenID-based SSO for two most popular providers


Shifton implements a sophisticated RBAC system and has multiple built-in roles available for all customers. Combined with multi-level hierarchy, it allows setting app different fine-grained access levels.


All passwords pass one way hashing with bcrypt library and never stored plain text. 

Enterprise features

Enterprise customers may be eligible for additional security features, among them

Employee security commitment


We have strict clear policies related to security and privacy. All employees pass training to be familiar and up to date with all changes. 


All employee contracts include a confidentiality agreement.


As any modern SaaS product we use other platforms to implement some features. None of those products and services have access to customer data, beyond minimal amount required for functionality


We use Stripe as our payment processor. Details about their security and PCI compliance can be found at Stripe’s security page.


We use Intercom for a Live Chat on our website and app. To learn more about their security and compliance please visit Intercom’s Security page


Used for SSO (Entra ID) and  website analytics 


Used for website analytics, SSO, push notifications delivery, Maps platform and other features