Security packet

ServiceTitan security, privacy, and consent packet.

Customer-safe policy language for selling the manual ServiceTitan-ready product now while keeping credentials, tenant access, webhooks, and live sync blocked until consent, storage, deletion, and sandbox evidence exist.

Packet controls: 5 policies, 4 data rules, 4 gates, 4 ready now, 3 database gated, 4 API/partner gated.

Claim boundaries

No ServiceTitan credentials, app keys, tokens, tenant secrets, or admin logins are collected in the offline product.
No ServiceTitan API calls, webhooks, booking writes, pricebook writes, or live revenue attribution are claimed before approved access exists.
Customer-provided exports and screenshots are optional review artifacts and should be redacted before sharing.
Future API mode requires customer authorization, eligible ServiceTitan products/modules, granted scopes, encrypted token references, disconnect, deletion, audit logs, and sandbox validation.

Policy sections

No-credential operating mode

Owner: PageToJob

ready now

Current: The current product works from manual intake, customer-reviewed mappings, optional exports, and demo data.

Future API mode: Accept tenant access only after approved app access, customer authorization, encrypted token references, rotation, disconnect, deletion, and audit logging are implemented.

A customer can evaluate and buy the manual website layer without handing over ServiceTitan credentials.

Data minimization and redaction

Owner: Shared

ready now

Current: Collect only the inputs needed to map pages, services, zones, offers, campaigns, and booking fallback rules. Redact screenshots and exports before review when possible.

Future API mode: Request only the minimum scopes required by the purchased feature and keep imported taxonomy read-only until customer review.

Public website work is driven by reviewed operating context, not broad tenant access.

Lead safety and fallback handling

Owner: PageToJob

ready now

Current: Website form submissions continue through the PageToJob lead path and notification fallback when ServiceTitan is unavailable or not connected.

Future API mode: Persist booking requests, idempotency keys, retry status, external IDs, and operator-visible failure states before enabling automated sync.

A visitor lead should not be lost because ServiceTitan access is missing, revoked, or unavailable.

Retention, deletion, and disconnect

Owner: Shared

database gated

Current: Manual artifacts are retained only while needed for the customer account, review cycle, or requested proof packet. ServiceTitan credentials have no retention because they are not collected.

Future API mode: Database-backed deletion proof, token revocation, encrypted reference removal, disconnect logs, and account-level retention controls must exist before API-backed features are sold.

Deletion and redaction requests have a support path now, with stricter automated proof required before live tenant access.

Security and claim review before launch

Owner: Shared

customer required

Current: Sales and launch materials separate manual deliverables from marketplace approval, certified app status, live sync, webhooks, and revenue attribution.

Future API mode: API-backed copy must be updated only after sandbox validation, customer approval, module eligibility, and granted scopes are verified.

PageToJob will not represent manual work as a live ServiceTitan integration.

Data rules

Lead and contact details

high sensitivity

Collected now: Collected through the existing website lead path for customer notification.

Retention: Retain while the customer account is active or until deletion is requested.

Deletion: Delete or anonymize the lead record and related booking context after a verified request.

Do not send lead/contact data to ServiceTitan until customer authorization and approved CRM scopes exist.

Booking context and source data

moderate sensitivity

Collected now: Source URL, UTM fields, requested service, urgency, preferred time, Titan Map binding, and review status.

Retention: Retain with operational proof while the customer account is active.

Deletion: Delete or anonymize with the related lead/account event history when requested.

Requires persisted idempotency, retry, external ID, and disconnect behavior before automated sync.

Customer-supplied exports, screenshots, and Titan Map inputs

moderate sensitivity

Collected now: Optional artifacts provided by the customer for intake, drift review, launch proof, or outcome review.

Retention: Retain only for the review cycle unless the customer asks PageToJob to preserve the proof packet.

Deletion: Redact shared materials and remove source artifacts at the end of review, cancellation, or verified deletion request.

Replace repeated export handling with approved read-only API access only after scope and retention review.

ServiceTitan credentials, tokens, app keys, and tenant secrets

high sensitivity

Collected now: Not collected, requested, stored, pasted into forms, or accepted by the offline product.

Retention: No retention before API approval because there is nothing to store.

Deletion: Future disconnect must revoke tokens, remove encrypted references, disable API features, and leave an audit trail.

Requires encrypted storage design, rotation, revocation, deletion proof, and sandbox validation before live use.

Consent artifacts

Manual intake and artifact redaction signoff

Owner: Shared

ready now

When needed: Before onboarding, customer audit, or manual Titan Map build.

Not a ServiceTitan admin authorization and not permission to use live tenant APIs.

ServiceTitan admin authorization

Owner: Customer

api gated

When needed: Before any tenant connection, granted scopes, webhook setup, or API-backed sync.

No admin approval is requested in the offline product.

Feature-specific scope approval

Owner: Shared

partner gated

When needed: Before selling automated imports, booking handoff, webhooks, or outcome matching.

Minimum scope requests still depend on app review, customer eligibility, and purchased modules.

Deletion and disconnect request proof

Owner: PageToJob

database gated

When needed: When a customer requests artifact deletion, account cancellation, API disconnect, or token revocation.

Manual support can handle requests now; automated database-backed proof is required before live API mode.

Review gates

Security review complete

customer required

Customer-facing policy language needs buyer and legal review before broad sales use.

  • Approved security packet
  • Named support owner
  • Customer-safe deletion and redaction instructions

Encrypted token storage approved

database gated

The offline product has no credential storage and no token lifecycle implementation.

  • Encrypted token reference design
  • Rotation and revocation runbook
  • Deletion audit trail

Partner/app review path confirmed

partner gated

Marketplace approval, app keys, granted scopes, and sandbox tenant access are not claimed.

  • Partner category decision
  • Approved scopes
  • Sandbox tenant validation

Sandbox validation passed

api gated

No approved sandbox tests have been run for token exchange, webhooks, sync retries, disconnect, deletion, or rate limits.

  • Token exchange proof without exposing secrets
  • Webhook rejection cases
  • Disconnect and deletion proof
  • Rate-limit behavior

Security disclaimers

  • PageToJob is not affiliated with or endorsed by ServiceTitan.
  • ServiceTitan is a trademark of its respective owner.
  • This packet is product policy guidance, not legal advice.
  • The current product does not connect to ServiceTitan, store ServiceTitan credentials, process webhooks, write bookings, sync pricebook records, or claim live revenue attribution.