Security

A short, honest read of how we treat your data.

Data ownership

Your workspace data — companies, agents, memories, integrations — is stored in a Supabase Postgres database we own. You can export everything via API at any time. We do not train any model on your data.

Encryption

TLS 1.2+ in transit. AES-256 at rest (Supabase-managed Postgres). API keys you provide via BYOK are stored encrypted at the row level and decrypted only at request time.

Authentication

Supabase Auth. Magic-link, plus Google / GitHub / Microsoft / Apple OAuth. No passwords stored on our side. Sessions are JWT, scoped per-workspace via RLS.

Row-level security

Every table that touches user data has RLS policies enforced by Postgres, not by our app code. A workspace owner cannot read another workspace's rows even if a bug in the app code attempted to.
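To make the "enforced by Postgres, not by app code" point concrete, here is an added illustration of the pattern (not this project's schema or policies, which the page does not show): a per-workspace membership table, a data table keyed by workspace, and RLS policies that scope every read and write to the caller's workspaces using the JWT subject. The table and column names (`workspace_members`, `memories`, `workspace_id`) are assumed for the example; `auth.uid()` and the `authenticated` role are Supabase's standard helpers.

```sql
-- Illustrative schema (assumed names; not the product's real tables).
create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null references auth.users (id),
  primary key (workspace_id, user_id)
);

create table memories (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  body         text not null
);

-- Turn RLS on. "force" makes the policies apply even to the table owner,
-- so a privileged app connection does not silently bypass them.
alter table memories enable row level security;
alter table memories force row level security;

-- Read policy: a row is visible only if the JWT subject (auth.uid())
-- is a member of the row's workspace.
create policy memories_select_own_workspace on memories
  for select to authenticated
  using (
    exists (
      select 1 from workspace_members m
      where m.workspace_id = memories.workspace_id
        and m.user_id = auth.uid()
    )
  );

-- Write policy: the same membership check is applied to the row being
-- inserted or updated, so a client cannot write into a foreign workspace
-- by supplying a different workspace_id.
create policy memories_write_own_workspace on memories
  for all to authenticated
  using (
    exists (
      select 1 from workspace_members m
      where m.workspace_id = memories.workspace_id
        and m.user_id = auth.uid()
    )
  )
  with check (
    exists (
      select 1 from workspace_members m
      where m.workspace_id = memories.workspace_id
        and m.user_id = auth.uid()
    )
  );

-- Quick check from psql: simulate a session for one user and confirm the
-- other workspace's rows are invisible. Supabase derives auth.uid() from the
-- request.jwt.claims setting, so setting it locally mimics an API request.
-- (UUIDs below are constructed sample values.)
begin;
  insert into workspace_members values
    ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'),
    ('22222222-2222-2222-2222-222222222222', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb');
  insert into memories (workspace_id, body) values
    ('11111111-1111-1111-1111-111111111111', 'workspace one note'),
    ('22222222-2222-2222-2222-222222222222', 'workspace two note');

  set local role authenticated;
  set local request.jwt.claims = '{"sub":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa","role":"authenticated"}';

  -- Expected: exactly one row, 'workspace one note'.
  select workspace_id, body from memories;

  -- Expected: 0 rows inserted (with check fails), not a silent success.
  insert into memories (workspace_id, body)
    values ('22222222-2222-2222-2222-222222222222', 'smuggled') ;
rollback;
```

Two caveats a reviewer would check when auditing a setup like this: every user-data table needs its own `enable row level security` and policies (a table without policies is fully visible once RLS is off, and fully hidden once it is on), and the Supabase `service_role` key bypasses RLS entirely, so it belongs only in server-side code paths that are never reachable with a client's JWT.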

BYOK posture

Bring your own keys for Anthropic, OpenAI, Google, Voyage, and others. When BYOK is active for a seat, requests proxy through us to your provider; we never see the response body beyond what the agent stores by design.

Subprocessors

Cloudflare (CDN, DNS), Supabase (database, auth, storage, edge functions), Stripe (billing), PostHog (product analytics — opt-in), Sentry (error tracking). Full list and DPA links available on request.

Reporting a vulnerability

Email security@orgmapai.com (or jpm727@gmail.com directly). We respond within 48 hours. See /.well-known/security.txt for our PGP key and current policy.

Compliance posture

Public beta, single-tenant Supabase. SOC 2 Type II via Supabase's underlying infrastructure. We are not yet HIPAA-eligible — if you need a BAA, contact us first.

Found something concerning?

Email security@orgmapai.com — we respond within 48 hours.