Security
How we handle your team's data.
We're early. This page tells you what's true today rather than what we plan to claim later. We'll grow this as we move toward SOC 2.
Where your data lives
otlta stores your data in a Supabase Postgres database. The database lives in Supabase's Mumbai (ap-south-1) region. Row-level security policies enforce that one organization can never read another's content directly from the database; every read goes through our Cloudflare Worker, which checks org + workspace membership on every request.
Encryption
All connections between your browser and otlta use TLS 1.2 or higher. Data is encrypted at rest in Postgres using AES-256 (managed by Supabase). Backups are encrypted with the same key and retained for 30 days.
Access
Production database access is limited to two engineers, both with hardware MFA. Our Cloudflare Worker uses a service role key to write on your behalf — the key never leaves the Worker runtime. We don't run a customer-support tool that can impersonate users; the platform-admin route exists but requires a separate allowlisted account, and every action is audit-logged.
AI
AI requests go through our internal gateway (Buddhi) to a managed Gemini endpoint. We don't train on your data. We pass your workspace content to the model as context for the specific question you asked; no chunk is retained outside the request lifecycle. Embeddings used for retrieval live in Postgres alongside your data and are deleted when the source document is deleted.
Sub-processors
- Supabase — Postgres, auth, storage
- Cloudflare — Workers, R2, KV, Hyperdrive, Pages
- Razorpay — payments (India)
- Google Cloud (Vertex AI) — AI inference, via our gateway
- Resend — transactional email
Compliance roadmap
SOC 2 Type 1 audit window opens once we cross 50 paying customers. Type 2 follows. We'll publish the report on the trust portal at trust.otlta.com when it's ready.
Reporting
Found a security issue? Email security@otlta.com. We respond within 48 hours, no exceptions. We don't have a paid bug bounty yet but we will credit reporters publicly with permission.