Security

How we protect your data and maintain the security of our platform

Data Encryption

We use industry-standard encryption to protect your data:

  • In Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3
  • At Rest: Sensitive data stored in our database is encrypted using AES-256
  • Sensitive Fields: EINs and other highly sensitive fields are additionally encrypted at the application level, before they are written to the database, so database-level encryption at rest is not the only protection on them

Authentication & Access Control

We partner with Clerk, an industry-leading authentication provider:

  • Secure Authentication: OAuth 2.0 and OpenID Connect compliant
  • Multi-Factor Authentication: Optional MFA for additional account security
  • Role-Based Access: Granular permissions (Owner, Manager, Bookkeeper roles)
  • SSO/SAML: Enterprise single sign-on available for Enterprise plans
  • Session Management: Automatic session expiration and secure token handling

Infrastructure Security

Our infrastructure is built on trusted cloud providers:

  • Hosting: Vercel (edge network with automatic DDoS protection)
  • Database: Supabase (built on AWS with automatic backups)
  • Payments: Stripe (PCI DSS Level 1 certified)
  • Redundancy: Automatic failover and data replication

Monitoring & Audit Logs

We maintain comprehensive logging and monitoring:

  • Audit Logs: All data access and modifications are logged with timestamps and user identification
  • Error Monitoring: Real-time error tracking and alerting via Sentry
  • Access Logs: API and authentication events are logged for security review

Data Handling Practices

  • Minimal Collection: We only collect data necessary for the service
  • No SSN Storage: We do not store Social Security Numbers
  • Data Isolation: Multi-tenant architecture with strict organization-level data isolation
  • Secure Deletion: Data is securely deleted upon account termination (subject to legal retention requirements)

Vulnerability Reporting

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly:

Report Security Issues

Email: security@obbbatracker.com

Please include a detailed description of the vulnerability and steps to reproduce. We will acknowledge receipt within 48 hours and work to address valid issues promptly.

Questions?

For security-related questions or concerns, contact us at security@obbbatracker.com