Trust Center
Last updated: June 23, 2026
Inventifornia is operational inventory software — supplies, equipment, PPE, grant-coded materials, and field deployments. It is designed for government departments, public health programs, and organizations that need audit-ready accountability without a six-month IT project.
This Trust Center pre-answers the security and compliance questions your IT, legal, and procurement teams ask during review. For operational inventory use cases (no protected health information), most buyers complete review using these documents alone.
Operational inventory — not a clinical system
Inventifornia does not offer HIPAA Business Associate Agreements and is not intended for protected health information (PHI), patient identifiers, or clinical records. See our Operational Data Boundary for permitted uses and contractual prohibitions.
Infrastructure
Built on Cloudflare's SOC 2 Type II–certified platform (Workers, D1, R2, KV). Inventifornia is the application layer; Cloudflare is the infrastructure provider.
Breach notice
We notify affected Customers within 72 hours of confirming a breach involving Customer data. Details in our Incident Response plan.
Data export
30-day post-termination export window; deletion from active systems within 90 days. See Data Retention.
Application security controls
- ✓ JWT authentication with 30-minute access tokens and HttpOnly session cookies
- ✓ Role-based access control (RBAC) enforced on every API route
- ✓ Multi-tenant isolation — Customer data scoped by organization
- ✓ TLS encryption in transit; Cloudflare D1 and R2 encryption at rest
- ✓ CSRF protection on mutating API requests in production
- ✓ Rate limiting on authentication and API endpoints
- ✓ Append-only audit trail with permission-gated CSV export
- ✓ Password hashing (PBKDF2-SHA256); optional reCAPTCHA v3 on login/register
Documentation for your review
Operational Data Boundary
Required reading: Inventifornia is for operational inventory only — not PHI, clinical records, or patient identifiers. Contractual scope and prohibited uses.
Subprocessors
Procurement: Third parties that process Customer data, with locations, purposes, and 30-day advance change notification.
Data Processing Addendum (template)
Legal: Standard DPA for government and enterprise buyers — roles, security measures, breach notice, and deletion.
Incident Response & Breach Notification
Security: How we detect, contain, and notify Customers of security incidents — including a 72-hour breach notification commitment.
Data Retention & Deletion
Compliance: Concrete retention periods for active accounts, post-termination export windows, audit logs, and backups.
Backup & Restore
Operations: Database backup approach, recovery targets, and last successful restore test date.
Also available on request
- Completed security questionnaire (SIG Lite / CA Standard Contract alignment)
- Architecture diagram with data-flow description
- Penetration test executive summary (when available)
- Certificate of insurance (cyber liability, upon request)
- SSO/SAML — available when required by signed contract (not included in standard plans)
Security & procurement inquiries
Email security@inventifornia.com with your agency name and review deadline. We typically respond within two business days.
