Security

Last updated: 2026-04-19

We take the security of your data seriously. This page summarizes the technical and organizational measures we apply to protect personal data and business content within the OIO service.

Infrastructure

  • Database: Supabase (managed PostgreSQL) with encryption at rest (AES-256).
  • Compute: Cloudflare Workers at the edge, no persistent disk.
  • File storage: Cloudflare R2 private buckets. Files are accessed only via short-lived signed URLs generated server-side after authentication.
  • AI processing: Anthropic API over TLS 1.3, no training on customer data under our commercial terms.

Encryption

  • All traffic is encrypted in transit using TLS 1.2 or later.
  • Data at rest is encrypted by our infrastructure providers using AES-256.
  • Authentication tokens are stored in HttpOnly, Secure, SameSite cookies.

Access Control

  • Row-level security (RLS) at the database layer — every read and write is policy-checked. A user cannot query another user's data by design.
  • Shared access via sharing groups uses explicit permission tiers (viewer, editor, manager, owner). Revoking group membership immediately revokes all derived access.
  • Server-side authorization on every API route — no client-trusted permission checks.
  • Service-role credentials are used only in server-side code with scoped ownership verification; they are never exposed to the browser.

Application Security

  • CSRF protection via same-origin enforcement on all state-changing requests.
  • Input sanitization and strict allowlists for API payloads — mass assignment is not possible.
  • Content Security Policy (CSP) restricting script and image sources.
  • Rate limiting on mutating endpoints to prevent abuse.
  • File upload restrictions — MIME-type allowlist, size caps, filename sanitization, SVG explicitly blocked (XSS vector).
  • No dangerouslySetInnerHTML — all rich content is rendered through sanitizing renderers.

Operational Security

  • Principle of least privilege for all internal access to production systems.
  • Automated dependency updates and vulnerability scanning.
  • Security patches applied promptly after disclosure.
  • Access logs are retained for up to 90 days for investigation purposes.

Backups & Disaster Recovery

  • Database backups are performed by our infrastructure provider with point-in-time recovery.
  • Backups are retained for up to 30 days.
  • Backup data is encrypted at rest.

Incident Response

We maintain an incident response process. In the event of a confirmed personal data breach likely to result in risk to users' rights, we will:

  1. Contain the incident and preserve evidence.
  2. Notify the relevant supervisory authority within 72 hours (GDPR Art. 33).
  3. Notify affected users without undue delay where the breach is likely to result in a high risk to their rights.
  4. Conduct a root-cause analysis and remediate.

Your Responsibility

Security is a shared responsibility. To help keep your data safe:

  • Use a strong, unique password or sign in with a trusted identity provider.
  • Enable two-factor authentication where supported.
  • Do not share your account credentials.
  • Log out on shared devices.
  • Keep your email account secure, as it is used for password recovery.
  • Only grant project access to people you trust.

Reporting Vulnerabilities

If you discover a security vulnerability, please report it to [SECURITY_EMAIL]. Do not publicly disclose the issue until we have had a reasonable opportunity to address it. We appreciate responsible disclosure and will acknowledge your contribution.

Limitations

No system is perfectly secure. While we apply industry-standard measures, we cannot guarantee that the Service will never be compromised. Our obligations and liabilities in the event of an incident are set out in our Terms of Service and Privacy Policy.