Security isn’t a checkbox for MortonApps LLC — every Morton Command Center deployment touches your tenants’ ticket data, billing records, and security alerts. The platform is designed around three principles: your data stays in your tools, least-privilege access by default, and edge-deployed infrastructure with no warehouse to breach.
This page summarizes the technical and operational controls we use. For per-customer specifics, our Data Processing Addendum (DPA) and Master Services Agreement (MSA) accompany every engagement.
Architecture & data residency
Morton Command Center is built on Cloudflare’s global edge network. Each customer instance is deployed as an isolated Cloudflare Pages project with its own dedicated KV namespace, R2 bucket, and Workers — there is no shared multi-tenant database. Your customizations, settings, and cache live only in the resources scoped to your deployment.
Your business data stays in your tools. Command Center reads from your existing PSA, RMM, accounting system, and security stack via API and renders unified views. We do not warehouse a primary copy of your data. If you ever stop using Command Center, your historical records remain exactly where they always lived.
Encryption
- In transit: All traffic to and from the platform uses TLS 1.2 or higher. HTTP requests are automatically upgraded to HTTPS at the edge. HSTS is enforced.
- At rest: All persistent storage (Cloudflare KV, R2, D1) is encrypted at rest by the platform provider using industry-standard algorithms. Per-agent secrets (vendor API tokens, OAuth refresh tokens) are additionally encrypted with a tenant-specific key before being stored.
- Vendor credentials: When you connect a third-party tool (Freshdesk, NinjaOne, QuickBooks, etc.), the credentials are stored as encrypted secrets and used only to call the vendor on your behalf. They are never logged or returned in client-facing responses.
Authentication & access control
- Identity: Authentication is handled by Clerk, a SOC 2 Type II certified identity provider. Each Command Center instance runs its own Clerk application with restricted-mode sign-up — only pre-provisioned email addresses can sign in.
- Multi-factor authentication: Supported via Clerk for all users. Enforceable per-organization.
- Single sign-on: SAML and OIDC SSO available for customers with their own identity provider.
- Role-based access control: Built-in roles (Owner, Administrator, Manager, Finance, Technician, Sales, Read-Only) gate access to every page and API endpoint. Per-permission overrides are configurable per user.
- Per-company scoping: Technicians can be restricted to a subset of companies and groups. Restrictions are enforced server-side, not just hidden in the UI.
- Cloudflare Access integration: For deployments that require an additional pre-authentication layer (e.g. corporate IP allowlisting, hardware key enforcement), Cloudflare Access can be enabled in front of the entire dashboard.
Audit logging
Every administrative action — sign-in, role change, configuration update, integration connect/disconnect, ticket modification — is recorded to a tenant-scoped audit log. Logs are retained for at least 30 days and made available to Administrators through the dashboard. Customers can request longer retention or export under their MSA.
Infrastructure security
- Edge-deployed: The platform runs on Cloudflare’s global edge network with built-in DDoS protection, WAF, and bot management. There is no traditional origin server to attack.
- Network isolation: Each customer instance has its own KV namespace, R2 bucket, and Workers project. Cross-tenant data access is impossible at the infrastructure level.
- No customer-side agent: Command Center does not require an agent installed on customer endpoints or behind your firewall. All connectivity is outbound from the platform to your existing vendor APIs over TLS.
- Content Security Policy: Strict CSP headers are applied to every dashboard response, blocking inline scripts and scripts loaded from untrusted origins.
- Secrets management: Build-time and runtime secrets are stored as encrypted Cloudflare Pages environment variables. Per-agent secrets (vendor OAuth tokens, personal API keys) are encrypted with a tenant-specific key before storage and only decrypted at the moment of an outbound API call on the agent’s behalf.
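As an added illustration (not the platform's own code), the following Go program shows the per-agent secret handling described under Encryption and Secrets management above: a vendor token is sealed under a tenant-specific key, bound to the tenant and agent IDs, decrypted only inside the function that makes the outbound call, and never written to the audit line. The AES-256-GCM choice, the key bytes, the tenant and agent IDs and the stubbed `send` callback are all assumptions constructed for this example; the page does not name an algorithm.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// newAEAD builds AES-256-GCM from a tenant-specific 32-byte key (algorithm assumed).
func newAEAD(tenantKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(tenantKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealSecret encrypts a token under the tenant key, binding tenant/agent IDs as AAD
// so a blob copied into another tenant's namespace fails to open. Output: nonce||ct.
func SealSecret(tenantKey []byte, tenant, agent, token string) ([]byte, error) {
	aead, err := newAEAD(tenantKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per seal
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(token), []byte(tenant+"/"+agent)), nil
}

// openSecret is unexported on purpose: plaintext exists only inside CallVendor.
func openSecret(tenantKey []byte, tenant, agent string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(tenantKey)
	if err != nil || len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("malformed secret blob")
	}
	ns := aead.NonceSize()
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(tenant+"/"+agent))
}

// CallVendor decrypts just in time, hands the token to the (stubbed) outbound
// call and returns an audit line that never contains the token itself.
func CallVendor(tenantKey []byte, tenant, agent string, blob []byte, send func(bearer string) int) (string, error) {
	token, err := openSecret(tenantKey, tenant, agent, blob)
	if err != nil {
		return "", fmt.Errorf("secret unavailable for %s/%s: %w", tenant, agent, err)
	}
	return fmt.Sprintf("vendor call tenant=%s agent=%s token=[redacted] status=%d", tenant, agent, send(string(token))), nil
}
```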
Vendor & subprocessor management
We use a deliberately small set of carefully chosen subprocessors. The current list, scope, and locations are published in our Privacy Policy. Notable certifications:
- Cloudflare — SOC 2 Type II, ISO 27001, ISO 27018, PCI DSS Level 1, FedRAMP Moderate
- Clerk — SOC 2 Type II
- Amazon Web Services (SES) — SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, PCI DSS, HIPAA-eligible
Material changes affecting customer data processing trigger advance notice in accordance with the DPA.
Software development lifecycle
- Code review: All changes are reviewed before deployment. Production deploys are auditable through git history.
- Dependency hygiene: Third-party dependencies are pinned and regularly reviewed for known vulnerabilities.
- Testing: Critical paths (authentication, billing logic, data isolation) are exercised before each release.
- Edge deploys: Releases are deployed atomically to Cloudflare’s edge with versioned cache-busting filenames. Stale-tab detection ensures users pick up new versions on next page load without disrupting active sessions.
Incident response
If we detect or are notified of a security incident affecting customer data, we will:
- Contain and investigate the incident promptly
- Notify affected customers without undue delay (and within timelines required by applicable law and the DPA)
- Provide a written post-incident summary describing the cause, impact, and remediation
- Implement corrective measures to reduce the risk of recurrence
Customers can report a suspected vulnerability or incident at any time to [email protected].
Responsible disclosure
We welcome reports from security researchers. If you believe you’ve found a vulnerability in Morton Command Center or the website, please email [email protected] with the details and a way to reproduce. We commit to:
- Acknowledging your report within 5 business days
- Investigating in good faith
- Not pursuing legal action against researchers who report in good faith and avoid privacy violations, service disruption, or destruction of data
- Crediting researchers (with permission) in a future advisory or hall of fame
Compliance posture
Morton Command Center inherits compliance certifications from its underlying platform providers (Cloudflare, Clerk, AWS — all SOC 2 Type II at minimum). Direct certification of MortonApps as an organization is on our roadmap as we scale; in the interim, we contractually align to SOC 2 control objectives and can support customer-led security questionnaires.
For customers in regulated industries (healthcare, financial services), the DPA addresses the relevant legal frameworks. We can sign Business Associate Agreements (BAAs) for HIPAA-covered customers on a case-by-case basis.
Customer responsibilities
Security is a shared responsibility. Your part includes:
- Provisioning user accounts only for personnel who need access
- Enforcing multi-factor authentication for your team
- Choosing tightly scoped, role-appropriate permissions for technician accounts
- Rotating any vendor credentials you suspect of being compromised
- Notifying us promptly of personnel departures so we can revoke access
- Following the acceptable-use rules in our Terms of Service
Questions or due diligence
For prospective customers conducting security due diligence — including completing a security questionnaire, reviewing our DPA, or arranging a call with our team — please email [email protected].