Data Protection
- All data encrypted in transit using TLS 1.2+ (HTTPS enforced on all endpoints)
- All data encrypted at rest using AES-256 via our database provider
- Database hosted on Supabase (built on PostgreSQL) with automated backups
- API endpoints enforce payload size limits (50KB) to prevent abuse
- Rate limiting on all public endpoints (events API: 100 req/min per API key; AI endpoints: 20–50 req/hr per authenticated user, 10/hr for anonymous support chat)
- Atomic rate limiting via Postgres transactions with fail-closed behavior — service errors block requests rather than bypassing limits
- AI spend capped at $200/month via automated circuit breaker to prevent runaway costs from compromised credentials
- Email unsubscribe links use HMAC-SHA256 signed tokens to prevent enumeration attacks
Tenant Isolation
Every customer's data is logically isolated using PostgreSQL Row-Level Security (RLS) policies. Each API request is verified against project ownership before returning any data.
- Row-level security enforced at the database layer — not application-level checks that can be bypassed
- Shared authentication helper (requireProjectAccess) verified on every endpoint
- Build-time CI check prevents any new endpoint from bypassing the isolation helper — the deploy fails if the rule is violated
- Cross-tenant data access is structurally impossible, not just policy-prohibited
- Superadmin access restricted to a single whitelisted email with audit logging on every request
Authentication & Access
- Login via Google OAuth or magic link (no passwords stored)
- Session tokens issued by Supabase Auth with JWT verification
- API keys scoped per project, never shared across accounts
- XSS protection: all user input sanitized before storage (HTML tags stripped, entities escaped)
- CORS configured to allow only the onboardics.com origin
- Security headers enforced: HSTS (max-age 63072000), CSP frame-ancestors 'self' directive (modern W3C standard replacing legacy X-Frame-Options header), X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy restrictive, Content-Security-Policy with explicit allowlists
Compliance
Onboardics is designed with privacy by default.
- GDPR compliant — we provide a Data Processing Agreement (DPA) for customers who need one
- CCPA compliant — we do not sell personal data
- Data deletion requests honored within 30 days. Contact tyler@onboardics.com
- Cookie consent integration via Termly — works with your existing consent management platform
- Data retention policies enforced per plan tier (30 days Free/Starter, 90 days Growth, unlimited Scale/Business)
- Post-cancellation data retained 30 days for reactivation, then permanently deleted
What We Explicitly Do NOT Have
Not yet in place: SOC 2 Type II certification (targeting Q4 2026), HIPAA BAAs, SAML SSO, customer-facing audit log exports, formal third-party penetration testing. If any of these are blockers for your evaluation, email tyler@onboardics.com and we'll discuss your timeline.
SOC 2 Type II
We are pursuing SOC 2 Type II certification. Our target completion is Q4 2026. In the meantime, the controls described on this page — tenant isolation, encryption, access controls, audit logging, and CI-enforced security checks — reflect the operational practices that SOC 2 evaluates.
If you need a security questionnaire completed before your evaluation, contact tyler@onboardics.com and we'll respond within 48 hours.
Report a Vulnerability
If you discover a security vulnerability in Onboardics, please report it responsibly to tyler@onboardics.com. We take all reports seriously and will respond within 48 hours.
We do not currently offer a formal bug bounty program, but we appreciate and acknowledge responsible disclosures.
Last updated: April 10, 2026