Security at OfiFlow
Effective: May 1, 2026 · Version: 2026.05.01-1
OfiFlow handles operational data, driver records, and contract financials for frac-sand hauling carriers. Security is the foundation of that handling. This page is the public summary of how we protect customer data. Procurement and security teams may rely on this page when evaluating OfiFlow.
For specific questions, security disclosures, or to report a vulnerability, contact security@ofiflow.com.
Trust posture (concise summary)
| Area | Status |
|---|---|
| Data residency | United States only (AWS us-west-2, Oregon) |
| Encryption at rest | AES-256 (Supabase Postgres + Storage) |
| Encryption in transit | TLS 1.2+ on all customer-facing endpoints |
| Tenant isolation | Postgres row-level security on every customer-data table |
| Authentication | Supabase Auth (magic-link default, MFA optional, OAuth supported) |
| Customer data ownership | Customer owns all customer data and derived works |
| Subprocessors | Public list at /subprocessors with 30-day change notification |
| Security incident notification | 72 hours (per DPA) |
| Data deletion on termination | 30-day export window + 60-day production + 180-day backup |
| Public bug bounty | Not yet (planned post-revenue) |
| SOC 2 attestation | Planned post-revenue (pre-revenue infrastructure providers' SOC 2 reports available on request) |
Hosting and infrastructure
- Database: Supabase Cloud (Postgres 15+) in us-west-2
- Application hosting: Vercel (Next.js 16, edge network, US POPs)
- Background jobs: Inngest cloud
- LLM inference: Google Cloud Vertex AI (Gemini family) via Vercel AI Gateway with customer-owned BYOK service account
- Email: Resend
- SMS: Twilio (10DLC A2P registered)
- WhatsApp: Meta WhatsApp Business API (verified business account)
- Error tracking: Sentry (PII-scrubbed at capture)
- Product analytics: Vercel Analytics (anonymous Web Vitals; cookieless; no session replay)
- LLM observability (opt-in): Langfuse Cloud
Each provider is a Subprocessor with a published DPA on file; the current list is at /subprocessors.
Data protection
Encryption
All data at rest is encrypted with AES-256 (Supabase Postgres + Supabase Storage). All data in transit is encrypted with TLS 1.2+ (HTTPS for browser sessions, TLS for service-to-service calls). LLM API calls to Google Vertex AI route through Vercel AI Gateway over TLS.
Tenant isolation
Every customer-data table in our Postgres database carries a tenant_id partition column with row-level security (RLS) policies enforced at the database layer. The application layer cannot bypass these policies even if compromised. Pre-deployment CI gates scan for tables missing tenant scope.
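The pattern described above, written out as an added example in plain Postgres (this is not OfiFlow's schema or CI code). The table name, the app.tenant_id session setting and the UUID values are assumptions; Supabase deployments usually derive the tenant from the JWT via auth.jwt() instead. The catalog query at the end is the kind of check a pre-deployment gate can run to flag tables that lack a tenant column or have RLS switched off.

```sql
-- Added example, not OfiFlow's schema. Names and values below are assumed.

-- 1. Every customer-data table carries the tenant that owns the row.
create table if not exists loads (
  id         uuid primary key default gen_random_uuid(),
  tenant_id  uuid not null,            -- the carrier this row belongs to
  driver_id  uuid,
  status     text not null default 'open',
  created_at timestamptz not null default now()
);

-- 2. Enable RLS and FORCE it, so the table owner is subject to the policy
--    too. Without FORCE the owning role sees every row. Superusers and roles
--    created with BYPASSRLS still bypass it, so keep those out of the
--    application's connection path.
alter table loads enable row level security;
alter table loads force row level security;

-- 3. One policy covering SELECT/INSERT/UPDATE/DELETE. The tenant comes from a
--    per-request session setting the application sets after authenticating
--    (assumed name: app.tenant_id). The second argument `true` makes
--    current_setting() return NULL instead of raising when the setting is
--    absent, so "no tenant set" matches zero rows rather than all rows.
create policy loads_tenant_isolation on loads
  for all
  using      (tenant_id = current_setting('app.tenant_id', true)::uuid)
  with check (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- 4. Behaviour inside one request-scoped transaction: the session for
--    tenant A can only read and write tenant A's rows. The commented-out
--    insert is rejected by the WITH CHECK clause.
begin;
  set local app.tenant_id = '11111111-1111-1111-1111-111111111111';
  insert into loads (tenant_id) values ('11111111-1111-1111-1111-111111111111');
  -- insert into loads (tenant_id) values ('22222222-2222-2222-2222-222222222222');
  select count(*) from loads;   -- counts tenant A's rows only
commit;

-- 5. Gate check: list tables in the public schema that have no tenant_id
--    column or do not have RLS enabled. A non-empty result fails the build.
select c.relname          as table_name,
       c.relrowsecurity   as rls_enabled,
       exists (
         select 1 from pg_attribute a
         where a.attrelid = c.oid
           and a.attname = 'tenant_id'
           and not a.attisdropped
       )                  as has_tenant_id
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and (
    not c.relrowsecurity
    or not exists (
      select 1 from pg_attribute a
      where a.attrelid = c.oid
        and a.attname = 'tenant_id'
        and not a.attisdropped
    )
  );
```

The policy is only as strong as the role the application connects with: a connection that uses a superuser or BYPASSRLS role, or a service-role credential that is configured to skip RLS, is not constrained by it, which is why the service-role key must never reach client-bundled code.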
Authentication
- Authorized Users (dashboard): Supabase Auth with magic-link by default. MFA optional per user. OAuth providers (Google, Microsoft) supported.
- Drivers (WhatsApp): phone-number verification through the WhatsApp Business platform; no dashboard credentials.
- OfiFlow staff (operational access): limited service-role access; audited via append-only audit_log; not exposed to customer-facing code.
Audit logging
Every privileged operation is logged to an append-only audit_log table scoped per tenant. Audit logs are not editable in place. Retention is 7 years for operational compliance.
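An added example of an append-only, tenant-scoped audit table in plain Postgres (not OfiFlow's actual audit_log definition). It layers a privilege grant, a trigger that refuses UPDATE, DELETE and TRUNCATE, and a tenant RLS policy. The column set, the app_rw role name and the app.tenant_id session setting are assumptions; the 7-year retention in the text is a separate archival job and is not shown here.

```sql
-- Added example, not OfiFlow's schema. Names and values below are assumed.

create table if not exists audit_log (
  id          bigint generated always as identity primary key,
  tenant_id   uuid not null,
  actor       text not null,                -- who performed the operation
  action      text not null,                -- e.g. 'driver.record.update'
  target      text,                         -- identifier of the affected object
  details     jsonb not null default '{}',
  occurred_at timestamptz not null default now()
);

-- 1. Privilege layer: the application role (assumed: app_rw) may only
--    append and read. UPDATE/DELETE/TRUNCATE are never granted.
revoke all on audit_log from app_rw;
grant select, insert on audit_log to app_rw;

-- 2. Defense in depth: even a role that does hold UPDATE or DELETE (a
--    future mis-grant, or the table owner) is stopped by a trigger that
--    aborts the statement before any row changes.
create or replace function audit_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only: % rejected', tg_op
    using errcode = 'insufficient_privilege';
end;
$$;

create trigger audit_log_no_update_delete
  before update or delete on audit_log
  for each row execute function audit_log_immutable();

-- TRUNCATE is a separate command and needs a statement-level trigger.
create trigger audit_log_no_truncate
  before truncate on audit_log
  for each statement execute function audit_log_immutable();

-- 3. Tenant scope: each tenant reads only its own entries, using the same
--    session-setting convention as the rest of the schema (assumed).
alter table audit_log enable row level security;
alter table audit_log force row level security;

create policy audit_log_tenant on audit_log
  for all
  using      (tenant_id = current_setting('app.tenant_id', true)::uuid)
  with check (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- 4. Behaviour check: the insert succeeds; each commented-out statement
--    is aborted by the trigger if uncommented.
begin;
  set local app.tenant_id = '11111111-1111-1111-1111-111111111111';
  insert into audit_log (tenant_id, actor, action, target)
  values ('11111111-1111-1111-1111-111111111111',
          'staff:ops-1', 'driver.record.view', 'driver:42');
  -- update audit_log set action = 'tampered';
  -- delete from audit_log;
commit;
```

The trigger is what makes "not editable in place" hold even for the table owner; the grant alone would not, because owners can always grant themselves back the privilege. Dropping the trigger or the table remains possible for the owner, so the DDL path should be confined to migrations that go through the same review gates as application code.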
Application security
Vulnerability management
- Dependency scanning: GitHub Dependabot opens auto-PRs for vulnerable dependencies. HIGH+ severity vulnerabilities are reviewed within 7 days.
- Secrets scanning: pre-commit hook + CI gate prevent secrets from entering source control.
- Service-role key protection: dedicated CI check (scripts/check-service-role-leak.ts) flags any reference to the Supabase service role key in client-bundled code.
- Code review: every change is reviewed before merge to master.
Code quality gates
OfiFlow enforces 20+ CI quality gates including type-checking, linting, secrets scanning, RLS scope enforcement, and migration safety review. The full list is in our internal code-quality-gates.md reference.
Penetration testing
Pre-revenue, OfiFlow has not yet engaged a third-party penetration test. The first independent test is planned post-revenue. We rely on our infrastructure providers' SOC 2 Type II attestations (Supabase, Vercel, Inngest, Google Cloud) for foundational coverage and our own code-review + automated CI gates for application coverage. We will publish a summary of independent test results when issued.
Incident response
We follow a NIST SP 800-61 r2-aligned incident response plan with the following commitments to customers:
- Detection: Sentry, Supabase Advisors, Inngest dashboard, customer reports
- Severity classification: P1 (critical / breach in progress), P2 (high / contained breach), P3 (medium / suspected), P4 (low / informational)
- Customer notification of confirmed breach: within 72 hours of confirmation, per the Data Processing Addendum
- Containment: within 4 hours for P1, 24 hours for P2
- Post-mortem: published internally within 14 days for P1, 30 days for P2; customer-visible summaries published on this page's changelog for material incidents
Subprocessors
We publish the full Subprocessor list at /subprocessors with each Subprocessor's role, data categories, region, and DPA link. We notify customers at least 30 days before adding a new Subprocessor that processes Customer Personal Data, per the DPA.
Compliance roadmap
- CCPA / CPRA / state privacy laws: defensive-compliant from V1 (no sale, no sharing, processor-only role; details in Privacy Policy and DPA)
- SOC 2 Type II: planned post-revenue (target: customer #3 or first enterprise RFP)
- ISO 27001: deferred (international expansion trigger)
- GDPR: defensive-compliant where customers have EU data subjects (Standard Contractual Clauses available on request)
- HIPAA / BAA: not applicable; OfiFlow does not process protected health information
- PCI DSS: Stripe handles payment card data; OfiFlow infrastructure is out of card scope
Reporting a security issue
If you believe you have found a security vulnerability, please email security@ofiflow.com. Include:
- A description of the vulnerability and its potential impact
- Steps to reproduce
- Your contact information
We will acknowledge within 24 hours, investigate within 7 days, and provide a status update within 14 days. We do not currently offer monetary bug bounties (planned post-revenue), but we publicly credit researchers who responsibly disclose validated findings.
Status page and changelog
A public status page (status.ofiflow.com) is planned with platform availability metrics. Until then, customers receive incident notifications by email per the DPA.
Material updates to this Security page (new Subprocessors, certification milestones, incident summaries) are appended to the changelog below.
Related documents
- Privacy Policy — /privacy
- Terms of Service — /terms
- Data Processing Addendum (public) — /dpa
- Subprocessor List — /subprocessors
- SLA — /sla
- Acceptable Use Policy — /acceptable-use
Changelog
- 2026.05.01-1 — Initial public Security disclosure.