Security

Security that holds shape.

Timelint is built for agency work: tickets, service desk, and client portal in one system. Security is part of that shape, not an afterthought.

  • Account-scoped data isolation.
  • Predictable permissions with clean edges.
  • Private attachments served through the app.
  • Audit trail for key ticket actions.

Built on clear boundaries.

Most security failures are workflow failures. The system should make boundaries obvious.

Tenancy and access

Timelint is multi-tenant. Account membership gates access, and account-scoping is treated as mandatory across account-owned data.

  • Account-scoped routing and model binding.
  • Role-based access for team members.
  • Client access designed for the portal surface.
Operational hygiene

Security isn’t only code. It’s how the product behaves under pressure.

  1. Authentication

    Passwords are hashed, sessions are managed by the framework, and email verification is supported.

  2. Audit trail

    Key ticket actions create immutable audit events so changes stay traceable.

  3. Attachments

    Attachments are stored privately and served through authenticated routes. Portal downloads are scoped and validated.

Security highlights

A few concrete details that matter day to day.

Private by default

Attachments are stored on a private disk and served through the application.

Predictable permissions

Roles are designed with clean edges. Access should not require archaeology.

Client portal boundaries

Portal access is scoped to organisations/contacts and only exposes non-internal messages and attachments.

Encrypted secrets

External connection tokens are stored using encryption at rest at the application level.

Reduced data leakage

Search indexes are scoped by account to avoid cross-tenant results.

Least surprise

Workflow and audit are designed to keep changes legible, not hidden in configuration.

FAQ

Answers to common questions. Keyboard-friendly and accessible by default.

Do you store attachments privately?
Yes. Attachments are stored privately and served through the app, with access checks.
Can clients see internal notes?
No. The portal is designed to show non-internal messages and their attachments only.
Is data isolated per account?
Yes. The app is multi-tenant and treats account scoping as mandatory for account-owned data.
Where can we ask security questions?
Email security@codebased.co.uk. For privacy questions, email privacy@codebased.co.uk.

Keep the system coherent

Ticket-first workflow for agencies, with clean boundaries.