Engine · Trust & Compliance

Security is not a feature.

OVRIX is designed with a security-first architecture. Tenant isolation, encrypted data, signed webhooks, and a full audit trail are not optional add-ons — they're the foundation every plan is built on.

Schema Isolation

Every tenant lives in a dedicated PostgreSQL schema. A query bug in one tenant's session can never touch another tenant's data — architectural, not policy-dependent.

Encryption Everywhere

TLS 1.3 enforced in transit. AES-256 encryption at rest via managed RDS encrypted volumes. Secrets managed via environment variables with no hardcoded credentials.

Forensic Audit Log

Every CREATE, UPDATE, and DELETE is recorded with before/after snapshots, actor identity, IP, user agent, and timestamp. Log records are append-only.

Short-lived JWT Sessions

Access tokens expire in 15 minutes. Refresh tokens are rotated on use and stored as HttpOnly cookies with SameSite=Strict. Logout revokes all refresh tokens.

Rate Limiting

Per-tenant and per-route rate limits enforced at the API gateway layer with Redis-backed counters. Burst allowances prevent false positives on batch operations.

Webhook Signature Verification

All incoming Stripe webhooks are verified with HMAC-SHA256 signatures before processing. Invalid signatures are rejected with 400 and logged for alerting.

Control Standard Status Notes
Data isolation per tenant SOC 2 CC6.1 ✓ Implemented Schema-level, not row-level
Encryption in transit SOC 2 CC6.7 ✓ Implemented TLS 1.3 enforced
Encryption at rest SOC 2 CC6.7 ✓ Implemented AWS RDS encrypted volumes
Access audit logging SOC 2 CC7.2 ✓ Implemented Before/after snapshots
Role-based access control SOC 2 CC6.3 ✓ Implemented 25+ granular modules
Incident response plan SOC 2 CC7.3 In Progress Runbook under review
Penetration testing SOC 2 CC7.1 In Progress Scheduled Q3 2026
GDPR data processing agreement GDPR Art. 28 ✓ Implemented DPA available on request

Report a vulnerability

We take security disclosures seriously. If you find a vulnerability in OVRIX, please report it privately before public disclosure. We aim to acknowledge within 24 hours and resolve critical issues within 72 hours.

Do not use public issue trackers or social media for security reports. Contact us at security@OVRIX.io with a detailed description, reproduction steps, and any proof-of-concept code.

We offer a recognition program for confirmed critical and high-severity findings. Researchers who follow responsible disclosure will not face legal action.

Critical findings
72h
Resolution SLA for critical severity
Acknowledgement
24h
Initial response to every disclosure