Security overview
Last updated: April 3, 2026
This page summarizes how Optify AI thinks about security for the Service hosted at optify.one. It is informational and may be updated as our architecture or providers evolve. For personal data practices, see our Privacy Policy.
1. Security posture
We design and operate the Service with a focus on confidentiality, integrity, and availability appropriate to a cloud-hosted B2B SaaS product. Risk is managed through secure development practices, least-privilege access, monitoring, and reliance on reputable infrastructure and subprocessors that maintain their own security programs (including certifications or audits where applicable).
2. Infrastructure and subprocessors
The Service runs on modern cloud and edge platforms and uses managed services (for example databases, authentication, email, and AI APIs) chosen for operational security and reliability. Data may be processed in multiple regions according to provider configuration and your use of the product. Our Privacy Policy describes, at a high level, the categories of subprocessors and how we use them.
3. Encryption and transport
Traffic between your browser and the Service is protected using HTTPS (TLS). Credentials and session tokens should only be transmitted over encrypted connections. Data at rest is protected using mechanisms provided by our cloud and database vendors (for example encrypted storage layers); exact implementations may vary by component and provider.
4. Authentication and access control
Accounts are protected with industry-standard authentication mechanisms provided by our identity vendor (including password policies and session handling as configured). Administrative and internal access to production systems is limited to personnel who need it for their role and is subject to authentication and authorization controls.
Your responsibility: use a strong, unique password, enable multi-factor authentication if we offer it for your account type, and never share credentials. Report suspected account compromise promptly.
5. Application security
Examples of controls we apply or aspire to as we ship changes include:
- Input validation and secure handling of uploads used in product features;
- Protection against common web vulnerabilities in our application layer (for example injection and cross-site issues);
- Rate limiting, abuse detection, and logging appropriate to API and dashboard routes;
- Separation between customer data and internal tooling where feasible.
Exact technical measures may evolve with the product; we do not publicly document every control.
6. Logging and monitoring
We maintain operational and security logs to troubleshoot issues, detect abuse, and support investigations. Logs are retained for limited periods consistent with operational and legal needs. See the Privacy Policy for categories of data that may appear in logs.
7. Vulnerability disclosure
If you are a security researcher or user and believe you have discovered a security vulnerability in the Service, please email security@optify.one with a clear description, reproduction steps, and, if applicable, a proof of concept that does not exfiltrate user data. Please allow reasonable time for us to assess and remediate before any public disclosure.
We currently do not operate a public bug-bounty program; availability of rewards, if any, is at our sole discretion.
8. Incident response
We maintain procedures to detect, triage, and respond to suspected security incidents. Where required by law or where we determine notification is appropriate, we will notify affected users and regulators. Notifications may be delayed when instructed by law enforcement or where necessary to protect the integrity of an investigation.
9. Third-party integrations
When you connect external platforms (marketplaces, shops, or social networks), credentials and data may flow through those providers’ APIs under their security models. You should follow each platform’s security recommendations (for example reviewing connected apps and revoking unused tokens). Our Terms of Service describe your obligations when using integrations.
10. Compliance and certifications
We may pursue or maintain compliance initiatives (for example SOC 2) as the business matures. Unless we publish a specific report or certification for customers, this page does not constitute a representation that we hold any particular certification. Enterprise customers with formal security questionnaires should contact us through commercial channels.
11. Changes
We may update this Security overview to reflect new features, providers, or practices. The “Last updated” date at the top will change when we do; material changes may also be described in-product or by email where appropriate.
12. Contact
Security issues: security@optify.one
General privacy questions: see the Privacy Policy.