This page exists because technical buyers read the source code of the privacy policies. Here is how MY LAURA actually protects your data, in plain language, without the word 'enterprise-grade' anywhere.
MY LAURA is hosted on Render (application layer) and Supabase (PostgreSQL database layer), both running in US-based data centers. Supabase is built on top of AWS us-east infrastructure. Your data never leaves the United States for hosting purposes.
The marketing site you're reading right now is hosted on Vercel, which serves static HTML from an edge CDN — but the marketing site doesn't touch any customer data. It's just HTML.
All data is encrypted in transit via TLS 1.2 or higher. All data at rest in the database is encrypted using AES-256. Backups are encrypted the same way. The only "at rest" data that isn't encrypted is public-facing marketing content (the pages on this site).
MY LAURA uses OAuth 2.0 and JSON Web Tokens for session management. Passwords are hashed with bcrypt (cost factor 12). Two-factor authentication is available for any account and required for team members with Admin roles.
When you connect MY LAURA to QuickBooks Online or Google Drive, the integration uses OAuth 2.0 with scope-limited permissions. We request the minimum scopes required for the feature to work. You can revoke access at any time from your integration settings.
You own your data. Full stop. MY LAURA has a limited license to host and display your content so the product works. That license terminates when you cancel. We do not:
You can export all your data at any time as CSV or JSON from the settings page. That includes estimates, invoices, change orders, projects, clients, trade partners, and reports. If you cancel MY LAURA, you get 30 days of read-only access to export everything before your account is deleted.
Your Google Drive files stay in your Drive — we never moved them to ours. Your QuickBooks data stays in QuickBooks. We built MY LAURA to be a tool you use, not a hostage situation.
MY LAURA has three built-in roles:
Team members only see what their role permits. Action logs track who did what, when, for audit purposes.
The production database is backed up continuously via Supabase's point-in-time recovery (PITR), with daily full snapshots retained for 30 days. In the event of a database failure, we can restore, within 15 minutes, to any point in the last 30 days.
If we discover a security incident that affects your data, we commit to:
We have never had a data breach. If that changes, you'll see it on this page and in your inbox within 72 hours.
MY LAURA relies on a small number of third-party services for critical infrastructure. Each one is chosen for its own security posture:
If you find a security vulnerability in MY LAURA, please email laura@getmylaura.com. We investigate every report, respond within 48 hours, and credit researchers who disclose responsibly.
We are a small team — it will be a real human (usually Laura) who reads your report, not a ticket queue.
Questions about security? Email laura@getmylaura.com. If you need a signed questionnaire for your enterprise procurement process, we can accommodate that — just ask.