Security is not a feature.
OVRIX is designed with a security-first architecture. Tenant isolation, encrypted data, signed webhooks, and a full audit trail are not optional add-ons — they're the foundation every plan is built on.
Every tenant lives in a dedicated PostgreSQL schema. A query bug in one tenant's session can never touch another tenant's data — architectural, not policy-dependent.
TLS 1.3 enforced in transit. AES-256 encryption at rest via managed RDS encrypted volumes. Secrets managed via environment variables with no hardcoded credentials.
Every CREATE, UPDATE, and DELETE is recorded with before/after snapshots, actor identity, IP, user agent, and timestamp. Log records are append-only.
Access tokens expire in 15 minutes. Refresh tokens are rotated on use and stored as HttpOnly cookies with SameSite=Strict. Logout revokes all refresh tokens.
Per-tenant and per-route rate limits enforced at the API gateway layer with Redis-backed counters. Burst allowances prevent false positives on batch operations.
All incoming Stripe webhooks are verified with HMAC-SHA256 signatures before processing. Invalid signatures are rejected with 400 and logged for alerting.
Report a vulnerability
We take security disclosures seriously. If you find a vulnerability in OVRIX, please report it privately before public disclosure. We aim to acknowledge within 24 hours and resolve critical issues within 72 hours.
Do not use public issue trackers or social media for security reports. Contact us at security@OVRIX.io with a detailed description, reproduction steps, and any proof-of-concept code.
We offer a recognition program for confirmed critical and high-severity findings. Researchers who follow responsible disclosure will not face legal action.