Your data. Handled with care.
You're trusting us with your business data. Here's exactly what's in place today, what we inherit from our infrastructure, and what we're still working on. We'd rather be honest now than walk something back later.
Encryption in Transit
Every connection is encrypted over HTTPS. TLS termination and certificate management are handled at the edge by Railway with automatic renewal. Internal service-to-service traffic runs over a private network.
Encryption at Rest
All data at rest — database, file uploads, configuration — is encrypted at the storage layer. Card data is never stored on our servers; payments are tokenized through Stripe.
Hosting & Infrastructure
OH/JO runs on Railway, which operates on Google Cloud and is SOC 2 Type II, SOC 3, and HIPAA certified. We inherit the underlying infrastructure controls from Railway's audit. OH/JO itself is not yet independently SOC 2 audited.
Production runs in a managed Postgres cluster with automated failover. DDoS protection is applied at the edge. Each environment (production, staging, development) is fully isolated.
Access Controls
- Role-based permissions. Every action is checked against a role-and-resource permission grid on the server. No client-trusted authorization.
- Per-organization isolation. Multi-tenant boundaries are enforced on every API call — your data is scoped to your organization at the query layer.
- Session management. Sessions are stored server-side, marked Secure and HttpOnly, and can be invalidated immediately on password change or sign-out.
- MFA. On the roadmap, not yet shipped. If MFA is required for your organization today, talk to us before signing.
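The access-control list above describes three server-side mechanisms: a role-and-resource permission grid, tenant scoping at the query layer, and sessions that the server (not the client) owns. The following is an added, self-contained example of how those three fit together; it is not OH/JO's code, and the roles, resource names, table layout and sample rows are constructed for illustration. The session's organization and role come from a server-side record, the permission grid denies by default, and every query carries the organization predicate so that an identifier belonging to another tenant is simply not found.

```python
"""Illustrative server-side authorization and tenant scoping (not OH/JO's code)."""
import sqlite3
from dataclasses import dataclass

# Hypothetical role-and-resource grid. Roles and resources are made up for the example.
PERMISSIONS = {
    "owner":  {"invoice": {"read", "write", "delete"}, "member": {"read", "write"}},
    "editor": {"invoice": {"read", "write"},           "member": {"read"}},
    "viewer": {"invoice": {"read"},                    "member": {"read"}},
}


class Forbidden(Exception):
    """Raised when the grid denies an action; a request handler would map this to HTTP 403."""


@dataclass(frozen=True)
class Session:
    # Resolved server-side from the session cookie; the client never supplies these fields.
    user_id: int
    org_id: int
    role: str


def is_allowed(role: str, resource: str, action: str) -> bool:
    """Pure grid lookup. Unknown roles or resources deny by default."""
    return action in PERMISSIONS.get(role, {}).get(resource, set())


def authorize(session: Session, resource: str, action: str) -> None:
    """Every handler calls this first; nothing about the decision is trusted from the client."""
    if not is_allowed(session.role, resource, action):
        raise Forbidden(f"role {session.role!r} may not {action} {resource}")


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory data: two organizations (100 and 200) sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, org_id INTEGER NOT NULL, "
        "amount_cents INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, 100, 2500), (2, 200, 9900), (3, 100, 4200)],
    )
    return conn


def list_invoices(conn: sqlite3.Connection, session: Session) -> list:
    """Tenant scope is taken from the session, never from a request parameter."""
    authorize(session, "invoice", "read")
    rows = conn.execute(
        "SELECT id, amount_cents FROM invoices WHERE org_id = ? ORDER BY id",
        (session.org_id,),
    ).fetchall()
    return [{"id": r[0], "amount_cents": r[1]} for r in rows]


def get_invoice(conn: sqlite3.Connection, session: Session, invoice_id: int):
    """Both predicates are applied: an id owned by another organization returns None."""
    authorize(session, "invoice", "read")
    row = conn.execute(
        "SELECT id, amount_cents FROM invoices WHERE id = ? AND org_id = ?",
        (invoice_id, session.org_id),
    ).fetchone()
    return None if row is None else {"id": row[0], "amount_cents": row[1]}


def delete_invoice(conn: sqlite3.Connection, session: Session, invoice_id: int) -> bool:
    """Writes are scoped the same way; returns False when nothing in this tenant matched."""
    authorize(session, "invoice", "delete")
    cur = conn.execute(
        "DELETE FROM invoices WHERE id = ? AND org_id = ?", (invoice_id, session.org_id)
    )
    return cur.rowcount == 1


def session_cookie_header(token: str) -> str:
    """Set-Cookie value with the attributes the page describes (Secure, HttpOnly)."""
    return f"sid={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    conn = build_sample_db()
    viewer_org100 = Session(user_id=1, org_id=100, role="viewer")
    print(list_invoices(conn, viewer_org100))      # only invoices 1 and 3
    print(get_invoice(conn, viewer_org100, 2))     # None: invoice 2 belongs to org 200
    print(session_cookie_header("opaque-random-token"))
```

The design point is that the organization id is never an input to the query functions: it is read from the server-side session, so a client that rewrites a URL or JSON body cannot change which tenant a query runs against, and a cross-tenant id fails closed as "not found" rather than leaking whether it exists.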
Audit Logging
Authentication events, role changes, and security-relevant actions are written to an append-only audit log, scoped per organization. Railway also retains platform-level audit logs.
Vulnerability Management
- Every pull request is statically analyzed by Semgrep before it can merge.
- Production images are scanned weekly with Trivy for newly disclosed CVEs. Critical and high findings block the next deploy.
- We have not yet commissioned a third-party penetration test. When we do, we'll publish the engagement and remediation status here.
Backups & Recovery
Database volumes are backed up on a scheduled cadence with point-in-time restore available. We do not currently run cross-region replication — if multi-region DR is a contractual requirement, we should talk before you commit.
Payments
We never store full credit card numbers. All cardholder data is handled directly by Stripe, a PCI DSS Level 1 service provider. Our PCI scope is limited to SAQ-A.
Compliance
- SOC 2: Inherited at the infrastructure layer from Railway. OH/JO's own audit is not yet underway.
- GDPR / CCPA: We honor data export and deletion requests on a per-account basis. Self-serve flow is on the roadmap.
- HIPAA: Not in scope. Do not put protected health information in OH/JO.
Employee Access
Our team only accesses customer data when responding to a support request you opened or investigating an incident. All access is logged.
Incident Response
If we detect or are notified of an incident affecting your data, we will notify affected customers by email. Our internal response process is still being formalized — we'll publish the runbook when it's ready rather than commit to a window we can't yet guarantee.
Report a Vulnerability
Found something? Email admin@ohjoenterprises.com. We aim to acknowledge within 2 business days and will work with you on coordinated disclosure. Researchers acting in good faith will not face legal action.