Security & Trust

Your money, your data, your files, protected by design

Gotlan is built so the sensitive parts of your business stay yours. Here is exactly how, with the specific controls in place and no vague badges.

How we protect you

Payments handled by Stripe

Card details are processed entirely by Stripe, a PCI-DSS Level 1 provider, and never touch Gotlan's servers. A booking only authorizes a hold. The card is charged when the vendor accepts.

Your media stays in your storage

You connect your own Dropbox. Finished files land in your account, in folders you control. Gotlan never holds your full-resolution library, and you can revoke access any time.

Strict tenant isolation

Every order, client, and file is scoped to your team. Access is checked on the server for every action, so there is no path for one account to read another's data.

Hardened infrastructure

Authentication runs on Clerk. Traffic is encrypted in transit, and the database is encrypted at rest with point-in-time backups. Errors are monitored with secret-leak prevention.

Security in the pipeline

Every code change is scanned for leaked secrets and vulnerable dependencies before it ships. Sensitive endpoints are rate-limited to blunt abuse and brute-force attempts.

Your work never leaves your control

Most platforms upload your finished photos and video to their own servers, then hold them behind a monthly storage fee. Gotlan does not host your bulk media at all.

You own the storage

Connect Dropbox once. Deliverables upload straight to your account, so Gotlan is never the custodian of your bulk media.

We keep only what runs the marketplace

Portfolio thumbnails, order metadata, and delivery-page templates. Never your full-resolution shoots.

Leave with everything

Disconnect whenever you want. Your files are already in your own cloud, so there is nothing to export and nothing held back.

Checked before every release

Security here is not a one-time audit. Our automated checks run before each release ships:

  • Role-based access rules audited against an explicit allowlist
  • Tenant-isolation tests that prove no query crosses team boundaries
  • Production destructive-action gates verified active
  • Marketplace endpoints checked to leak no private keys
  • A full role-based-access integration suite run end to end

Free CRM. Your data, your files, your terms.
