Trust and security

Built for the sensitive work of recovery housing.

Roll Call holds resident records, incident notes, and house operations. This page describes the controls we have in place today and how we handle your data.

This page is maintained by the Roll Call team as editable project content. It is not a third-party certification or independent audit.

Access and authentication

  • Email and password sign-in, with optional Google single sign-on.
  • Role-based access: Directors, House Managers, and Staff each see only what their role permits.
  • House Managers are scoped to their assigned house; cross-house data is not exposed in the UI or API.
  • Sessions are managed by our auth provider and can be revoked by signing out.

Data protection

  • All traffic between your browser and Roll Call is encrypted over HTTPS.
  • Row-level security policies are enforced in the database for every customer-facing table.
  • Resident photos, incident photos, and incident attachments live in private storage buckets with signed, short-lived download URLs.
  • Service-role keys and webhook secrets are kept server-side and never shipped to the browser.

Hosting and infrastructure

  • Application code runs on Cloudflare's edge network.
  • Database, authentication, and storage are provided by Supabase (Postgres).
  • Email delivery uses Resend; calendar booking uses Calendly.
  • We do not self-host the database or run on personal infrastructure.

Data handling

  • We collect only the fields required to operate the workflows you use: residents, beds, incidents, chores, rent, meetings, and house notes.
  • Audit logs record who changed what and when across the major record types.
  • On request, your organization's data can be exported as CSV or deleted.
  • Specific retention windows, data processing agreements, and subprocessor commitments are available on request.

Shared responsibility

Security is a partnership.

Platform

Encrypted transport, managed database, managed auth, and private file storage provided by our hosting and backend providers.

Roll Call

Role-based access, row-level security policies, private buckets, audit logging, and least-privilege server functions.

Your team

Strong passwords, prompt removal of departing staff, and assigning each user the narrowest role they need to do their job.

Contact

Reporting a concern.

To report a suspected security issue, request a data export or deletion, or ask for our current subprocessor list, contact the Roll Call team. We aim to acknowledge security reports within two business days.

Roll Call does not currently advertise SOC 2, HIPAA, ISO 27001, or other formal certifications. If your organization needs a signed DPA, BAA, or vendor questionnaire, reach out and we will work through it with you.
