Security

Last updated: March 18, 2026  ·  Obsidian Luxe Holdings LLC

We treat security as a core responsibility — not an afterthought. Here's exactly how we protect your data at every layer of the stack.

Infrastructure & Hosting

Obsidian OS runs on hardened, enterprise-grade cloud infrastructure:

  • Application hosted on Vercel and Railway — SOC 2 Type II certified providers
  • Database hosted on Supabase (AWS-backed) — SOC 2 Type II, ISO 27001 certified
  • All infrastructure resides in US-based data centers
  • Automated failover and high-availability configurations
  • Zero-trust network architecture — no direct database exposure to the public internet

Encryption

TLS 1.2+ in transit · AES-256 at rest · bcrypt passwords
  • All data in transit is encrypted with TLS 1.2 or higher, enforced for every API and browser connection
  • All data at rest is encrypted with AES-256, with keys managed by Supabase and AWS
  • Plaintext passwords are never stored: authentication is handled by Supabase Auth, which keeps only a bcrypt hash of each password
  • Session tokens are short-lived and rotated automatically

Access Control

  • Row-Level Security (RLS) is enforced inside PostgreSQL itself: a query made in one organization's session can only return that organization's rows, even if application code were to omit a filter
  • All API routes require authenticated sessions; unauthenticated requests return 401
  • Organization-scoped data isolation — your deals, leads, and documents are invisible to any other tenant
  • Role-based access within your organization (Owner, Admin, Member) with granular permission controls
  • Audit logging for sensitive operations (LOI send, document upload, stage promotions)

Application Security

  • All database queries are parameterized, so user input is never interpolated into SQL; SQL injection is prevented at the ORM and database driver level
  • Content Security Policy (CSP) headers enforced on all web responses
  • CSRF protection on all state-changing API routes
  • Expiring signed URLs for all document downloads; files are never directly publicly accessible
  • Every DocuSign webhook delivery is validated against its HMAC signature before the payload is acted on
  • Supabase Storage policies require authenticated session with matching organization_id before any file can be read or written

Document & File Security

  • All uploaded documents (contracts, LOIs, PDFs) are stored in Supabase Storage with private bucket policies
  • Access to documents is controlled by organization-scoped RLS — only members of the deal's organization can access its files
  • Signed LOIs fetched from DocuSign are stored with the associated deal and protected under the same access rules
  • Files are scanned for malicious content upon upload
  • Retention policies are configurable — documents are deleted along with the account upon deletion request

Operational Security

  • Dependency updates and security patches applied on a rolling basis via automated tooling
  • Production deployments require code review and pass automated CI/CD security checks
  • Environment secrets (API keys, Twilio credentials, DocuSign keys) stored in encrypted secret managers — never in source code
  • Access to production infrastructure is restricted to authorized personnel with MFA enforced
  • Incident response plan in place with defined SLAs for security events

Sub-processor Security Posture

We only use sub-processors that meet enterprise security standards:

Sub-processor   Role                      Certifications
Supabase        Database, auth, storage   SOC 2 Type II, ISO 27001
Vercel          Application hosting       SOC 2 Type II
Railway         Worker hosting            SOC 2 Type II
Twilio          SMS delivery              SOC 2 Type II, ISO 27001, HIPAA eligible
DocuSign        E-signatures              SOC 2 Type II, ISO 27001, FedRAMP Authorized

Vulnerability Disclosure

We take security reports seriously and commit to addressing valid vulnerabilities promptly. If you discover a security issue in Obsidian OS, please report it responsibly:

Responsible Disclosure

Email: arya@obsidianluxeholdingsllc.com
Please include a description of the vulnerability, steps to reproduce, and potential impact. We will acknowledge your report within 48 hours and provide a resolution timeline. We ask that you not disclose the vulnerability publicly until we have had a chance to address it.

© 2026 Obsidian Luxe Holdings LLC