OS
Get started

Trust

Security

Your clients trust you with their information. You trust us with it next. Here's exactly how we protect it.

Authentication

Email + password with bcrypt hashing, optional Google sign-in, and protection against credentials previously exposed in public breaches (HIBP). Session tokens are short-lived and rotate on sensitive actions.

Data protection

TLS 1.2+ for every request. AES-256 encryption at rest for databases, backups and uploaded files. Secrets are stored in an encrypted vault — never in code or environment files exposed to clients.

Storage handling

Files uploaded by your clients are scoped to your workspace. Object storage policies deny cross-workspace reads at the database layer, not just the application layer. Backups are encrypted and rotated daily.

Access controls

Row-level security on every customer table ensures one workspace can never read or write another's data — even if an application bug occurred. Admin operations require service-role access, which lives only on the server and is never shipped to the browser.

Infrastructure

Client Portal System runs on managed Postgres and edge compute provided by Supabase / Lovable Cloud. Payments are processed by Stripe (PCI-DSS Level 1). We never see or store full card numbers.

Client portal security

Client onboarding links contain a long, unguessable token. Tokens are scoped per client and per workspace. Submitted data is written through audited server functions, not direct database access from the browser. Signed documents include a tamper-evident audit trail (IP, timestamp, device).

Operational practices

  • Production access is restricted to a small set of team members and gated by single sign-on.
  • All deploys go through automated build, type and security checks.
  • Dependency vulnerabilities are scanned on every change.
  • Backups are tested by restoring into staging on a regular cadence.

Audit logs

Every sensitive event — login, invite sent, signature collected, payment recorded, data export — is recorded with actor, timestamp and IP. Customers on the Agency plan can request a full audit export.

Responsible disclosure

Found a vulnerability?

Email security@onboardingos.app with reproduction steps. We acknowledge reports within 2 business days and will credit researchers who follow responsible disclosure.

Beta caveats — said plainly

We are in beta. We do not yet hold SOC 2 or ISO 27001 certifications, and we don't claim to. The controls described here reflect what is built and operating today. Compliance certification is on the roadmap and we will publish it on this page when complete.