What makes your cleaning organic or green?

We only use third-party certified products from EPA Safer Choice and Green Seal partners. No chlorine, ammonia, synthetic fragrances, or petroleum-derived surfactants. Every ingredient list is available on request.

Are your products safe for children and pets?

Absolutely. Our plant-powered formulas are non-toxic, biodegradable, and hypoallergenic. We also avoid aerosol sprays to protect sensitive lungs and paw pads.

Do I need to be home or prepare before you arrive?

We simply ask that surfaces are tidy so we can focus on detailed cleaning. You're welcome to be home, leave us access instructions, or let our bonded crew lock up when finished.

What if I'm not satisfied with the clean?

Your satisfaction is guaranteed. If something feels off, contact us within 24 hours and we'll revisit promptly to make it right—no additional charge.

How much does house cleaning cost in Sarasota?

Our organic house cleaning starts at $149 for a standard clean. Pricing depends on home size, condition, and frequency. Weekly customers save up to 22%. Get an instant quote on our website in 60 seconds.

Is organic cleaning as effective as chemical cleaning?

Yes — our EPA Safer Choice certified products are equally effective against bacteria, viruses, and grime. The difference is they're plant-based, non-toxic, and safe for children, pets, and the environment.

Do you bring your own cleaning supplies?

Yes, we bring all supplies and equipment. Our products are 100% organic, plant-based, and EPA Safer Choice certified. Nothing toxic ever enters your home.

How do I book a cleaning in Sarasota?

Visit our website and get an instant quote in 60 seconds. Choose your service type, pick a time slot, and you're confirmed. No phone calls needed — though we're always available at (941) 271-7948.

Do you offer commercial office cleaning in Sarasota?

Yes, we provide organic commercial cleaning for offices, medical facilities, retail spaces, and condominiums throughout the Sarasota-Bradenton area. Contact us for a custom commercial quote.

Are your cleaners background checked?

Yes, every Go Green team member is fully background checked, bonded, and insured. We take the safety and security of your home seriously.

What areas do you serve near Sarasota?

We serve Sarasota, Bradenton, Lakewood Ranch, Venice, Siesta Key, Longboat Key, Osprey, Nokomis, and surrounding Gulf Coast communities.

Can I reschedule or cancel my cleaning?

Yes, you can reschedule or cancel directly from your customer portal or by texting us. We ask for 24 hours notice to avoid a cancellation fee.

Do you offer deep cleaning services?

Yes, our Deep Refresh service covers baseboards, inside appliances, detailed bathrooms, window tracks, and every corner. Perfect between seasons or before/after moving.

How do I pay for my cleaning?

We accept all major credit cards, debit cards, and digital payments through our secure online portal. Payment is processed automatically after your cleaning is complete.

Security Posture | Go Green Organic Clean

1. Overview

Our platform is a Next.js 15 application hosted on Railway with a managed PostgreSQL database, fronted by Cloudflare for DNS, TLS, and DDoS protection. Data flows are designed on least-privilege, defense-in-depth, and zero-trust principles.

2. Encryption at rest & in transit

At rest. PostgreSQL database volumes on Railway use provider-managed encryption (AES-256). Object storage encrypts at rest. Database backups are encrypted.
In transit. TLS 1.3 everywhere — public site, portals, and internal service-to-service hops. HSTS with 1-year max-age is set and we maintain eligibility for the Chromium HSTS preload list.
Secrets. API keys and signing secrets live in environment variables scoped per environment. No secrets in source control. Rotation cadence: 90 days for high-privilege keys.

3. Authentication & passwords

Passwords are hashed with bcrypt (cost 12). No plaintext is ever written to logs or DB.
Signup enforces a minimum 10-character password and checks against the Have I Been Pwned (HIBP) Pwned Passwords k- anonymity API. Breached passwords are rejected.
Lockout: 10 failed attempts trigger a 15-minute timeout with exponential backoff thereafter.
Multi-factor authentication is available for admin and manager roles; required for the owner.

4. Session tokens & cookies

Session cookies are HttpOnly, SameSite=Lax, and Secure.
Session tokens are JWT (via jose) signed with HS256 and rotated on role elevation.
CSRF defense-in-depth: SameSite + per-origin checks on state-changing requests.
See the Cookie Policy for the full list of cookies we set.

5. HTTP security headers

Content-Security-Policy (strict script-src, no unsafe-inline in production).
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload.
X-Frame-Options: DENY (supplemented by CSP frame-ancestors).
X-Content-Type-Options: nosniff.
Referrer-Policy: strict-origin-when-cross-origin.
Permissions-Policy restricting camera, microphone, and geolocation to the portals that need them.

6. Principle-of-least-privilege IAM

Roles: HQ, MANAGER, CLEANER, CUSTOMER — enforced at middleware and API layers.
Multi-tenant isolation via tenant-slug scoping on every DB query.
Production database credentials are scoped read-write only for application roles; admin credentials are separate and seldom used.
Cloud-console access is gated by SSO and MFA.

7. Audit log

Every admin action that changes customer data, access, or financials is written to an immutable audit log with actor ID, action verb, target, tenant, and metadata. We retain audit logs for 7 years.

8. Vulnerability disclosure

If you believe you have found a security vulnerability, please email security@gogreenorganicclean.com. Encrypt sensitive details with our PGP key [verify key to publish]. Please provide:

A description of the issue, affected URL, and reproduction steps.
Screenshots, videos, or proof-of-concept (do not attack other users' data).
Your contact preference for coordination.

We acknowledge within 3 business days and commit to a status update every 7 business days until the issue is closed.

9. Bug bounty

We offer a good-faith bounty, at our discretion, for eligible disclosures. Researcher must have complied with responsible disclosure (no public posting before remediation, no social engineering of our staff, no denial-of-service testing). Bounties typically range from $50 to $1,000 depending on severity. Safe-harbor terms are negotiated in advance.

10. Incident response

Detect — automated alerts on error rates, login anomalies, DB latency, audit-log triggers.
Triage — on-call owner + ops within 60 minutes of detection.
Contain — isolate affected subsystem, rotate keys, revoke sessions.
Eradicate — patch, redeploy, verify.
Recover — restore normal operations with elevated monitoring.
Notify affected customers within 4 hours of confirmed impact, regulators as required under applicable law (72 hours for GDPR, in line with Fla. Stat. § 501.171 for US breach notifications).
Postmortem — blameless root-cause, published internally.

11. Penetration testing

We conduct annual third-party penetration testing of the web application and supporting infrastructure. Vendor: [TBD — verify and retain annually]. Executive summary available to enterprise customers under NDA.

12. Watermarked customer photos

Before/after photos uploaded by cleaners are watermarked in metadata (EXIF) with cleaner ID, tenant, job ID, and timestamp — not visibly, so we can later prove chain-of-custody if a photo is disputed. We do not publicly post customer-property photos without written consent.

13. NCNDA for corporate clients

Commercial and HOA customers that require a mutual Non-Circumvention / Non-Disclosure Agreement may request one at legal@gogreenorganicclean.com. Our standard NCNDA is ready to countersign within 3 business days.

14. Contact security

Security contact: security@gogreenorganicclean.com (human-read mailbox — create / monitor). See also our machine-readable security.txt at the well-known path per RFC 9116.

1. Overview

2. Encryption at rest & in transit

At rest. PostgreSQL database volumes on Railway use provider-managed encryption (AES-256). Object storage encrypts at rest. Database backups are encrypted.
In transit. TLS 1.3 everywhere — public site, portals, and internal service-to-service hops. HSTS with 1-year max-age is set and we maintain eligibility for the Chromium HSTS preload list.
Secrets. API keys and signing secrets live in environment variables scoped per environment. No secrets in source control. Rotation cadence: 90 days for high-privilege keys.

3. Authentication & passwords

Passwords are hashed with bcrypt (cost 12). No plaintext is ever written to logs or DB.
Signup enforces a minimum 10-character password and checks against the Have I Been Pwned (HIBP) Pwned Passwords k- anonymity API. Breached passwords are rejected.
Lockout: 10 failed attempts trigger a 15-minute timeout with exponential backoff thereafter.
Multi-factor authentication is available for admin and manager roles; required for the owner.

4. Session tokens & cookies

Session cookies are HttpOnly, SameSite=Lax, and Secure.
Session tokens are JWT (via jose) signed with HS256 and rotated on role elevation.
CSRF defense-in-depth: SameSite + per-origin checks on state-changing requests.
See the Cookie Policy for the full list of cookies we set.

5. HTTP security headers

Content-Security-Policy (strict script-src, no unsafe-inline in production).
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload.
X-Frame-Options: DENY (supplemented by CSP frame-ancestors).
X-Content-Type-Options: nosniff.
Referrer-Policy: strict-origin-when-cross-origin.
Permissions-Policy restricting camera, microphone, and geolocation to the portals that need them.

6. Principle-of-least-privilege IAM

Roles: HQ, MANAGER, CLEANER, CUSTOMER — enforced at middleware and API layers.
Multi-tenant isolation via tenant-slug scoping on every DB query.
Production database credentials are scoped read-write only for application roles; admin credentials are separate and seldom used.
Cloud-console access is gated by SSO and MFA.

7. Audit log

Every admin action that changes customer data, access, or financials is written to an immutable audit log with actor ID, action verb, target, tenant, and metadata. We retain audit logs for 7 years.

8. Vulnerability disclosure

If you believe you have found a security vulnerability, please email security@gogreenorganicclean.com. Encrypt sensitive details with our PGP key [verify key to publish]. Please provide:

A description of the issue, affected URL, and reproduction steps.
Screenshots, videos, or proof-of-concept (do not attack other users' data).
Your contact preference for coordination.

We acknowledge within 3 business days and commit to a status update every 7 business days until the issue is closed.

9. Bug bounty

10. Incident response

Detect — automated alerts on error rates, login anomalies, DB latency, audit-log triggers.
Triage — on-call owner + ops within 60 minutes of detection.
Contain — isolate affected subsystem, rotate keys, revoke sessions.
Eradicate — patch, redeploy, verify.
Recover — restore normal operations with elevated monitoring.
Notify affected customers within 4 hours of confirmed impact, regulators as required under applicable law (72 hours for GDPR, in line with Fla. Stat. § 501.171 for US breach notifications).
Postmortem — blameless root-cause, published internally.

11. Penetration testing

12. Watermarked customer photos

13. NCNDA for corporate clients

14. Contact security

Security contact: security@gogreenorganicclean.com (human-read mailbox — create / monitor). See also our machine-readable security.txt at the well-known path per RFC 9116.

Security Posture

1. Overview

2. Encryption at rest & in transit

3. Authentication & passwords

4. Session tokens & cookies

5. HTTP security headers

6. Principle-of-least-privilege IAM

7. Audit log

8. Vulnerability disclosure

9. Bug bounty

10. Incident response

11. Penetration testing

12. Watermarked customer photos

13. NCNDA for corporate clients

14. Contact security

Security Posture

1. Overview

2. Encryption at rest & in transit

3. Authentication & passwords

4. Session tokens & cookies

5. HTTP security headers

6. Principle-of-least-privilege IAM

7. Audit log

8. Vulnerability disclosure

9. Bug bounty

10. Incident response

11. Penetration testing

12. Watermarked customer photos

13. NCNDA for corporate clients

14. Contact security

Quick Links

Contact

Service Areas