Security at Operandix
Bank-level protection for your business data. Here's exactly how we keep it safe.
Your data is our responsibility.
Security is not a feature at Operandix — it's a foundation. Your business runs on financial data, project details, and proprietary information. We treat that data with the same care a bank treats your money. Every architectural decision, every line of code, and every third-party integration is evaluated through the lens of protecting your data first.
Enterprise infrastructure. Zero compromise.
Vercel Edge Network
Deployed on Vercel's global edge network with built-in DDoS protection, automatic HTTPS enforcement, and zero-downtime deployments. Your app is never exposed on an unprotected origin.
Supabase PostgreSQL
Database hosted on Supabase's enterprise-grade PostgreSQL with Row-Level Security (RLS) enforced at the database layer, automated encrypted backups, and point-in-time recovery. Every query is scoped to your organization — at the database level, not just the application layer.
Defense in depth at every layer.
- ✓ Row-Level Security (RLS) — Every database table has RLS policies enforced. Your org's data cannot be accessed by other organizations, even if the application code has a bug.
- ✓ Organization Isolation — Multi-tenant architecture with hard org_id scoping on every query. Complete data isolation between accounts.
- ✓ Rate Limiting — All AI endpoints, data migrations, and sensitive routes are rate-limited to prevent abuse and runaway costs.
- ✓ CSRF Protection — All state-mutating API routes require authenticated sessions. CSRF tokens are enforced on form submissions.
- ✓ Input Validation (Zod) — Every API route validates its input with strict Zod schemas before processing. No untyped data reaches the database.
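To make the RLS and org_id scoping described above concrete, here is an added example of how such tenant isolation is expressed in Supabase Postgres. It is not Operandix's own schema: the tables organization_members and invoices, the helper is_org_member, and the way the JWT subject is set for the check at the end (mirroring how Supabase's API layer passes claims to auth.uid()) are all assumptions made for illustration. It also covers the write side (WITH CHECK) and a membership-free check query, which the page's text does not spell out.

```sql
-- Constructed example schema: a membership table links Supabase auth users to
-- organizations, and every tenant table carries an org_id column.
create table organization_members (
  org_id  uuid not null,
  user_id uuid not null references auth.users (id) on delete cascade,
  role    text not null check (role in ('admin', 'manager', 'staff')),
  primary key (org_id, user_id)
);

create table invoices (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  amount numeric(12, 2) not null
);

-- Enable RLS. FORCE also binds the table owner, so a maintenance script run as
-- the owning role cannot silently bypass the policies.
alter table invoices enable row level security;
alter table invoices force row level security;
grant select, insert, update on invoices to authenticated;

-- Membership check. SECURITY DEFINER lets the lookup read organization_members
-- regardless of RLS on that table; auth.uid() is the caller taken from the JWT.
create or replace function is_org_member(target_org uuid)
returns boolean language sql security definer stable
set search_path = public as $$
  select exists (
    select 1 from organization_members
    where org_id = target_org and user_id = auth.uid()
  );
$$;

-- Reads: rows belonging to other orgs simply do not exist for the caller.
create policy invoices_select on invoices
  for select to authenticated using (is_org_member(org_id));

-- Writes: WITH CHECK stops a caller from inserting into, or moving a row into,
-- an org they do not belong to. USING alone only filters what can be read.
create policy invoices_insert on invoices
  for insert to authenticated with check (is_org_member(org_id));
create policy invoices_update on invoices
  for update to authenticated
  using (is_org_member(org_id)) with check (is_org_member(org_id));

-- Check, in a test database: impersonate a user who belongs to no org and
-- confirm the table looks empty to them. Expected count: 0.
begin;
set local role authenticated;
set local request.jwt.claims = '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}';
select count(*) from invoices;
rollback;
```

The same pattern is repeated for every tenant table; a policy that covers SELECT but omits WITH CHECK on INSERT/UPDATE is the most common gap to look for in review.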
Encrypted at rest. Encrypted in transit.
At Rest — 256-bit AES
All data stored in Supabase PostgreSQL is encrypted at rest using AES-256. This includes your financial records, project data, and any uploaded documents.
In Transit — TLS 1.3
All connections between your browser, our servers, and third-party integrations use TLS 1.3 — the latest and strongest transport encryption standard.
The right people see the right data.
Role-Based Access Control
Three-tier permission model: Admin (full control), Manager (operational), and Staff (limited). Permissions enforced server-side, not just in the UI.
Multi-Organization Isolation
Users belong to one or more organizations. Cross-org data access is architecturally impossible — not just policy-controlled.
Session Management
Supabase Auth with secure HTTP-only cookies, automatic session refresh, and server-side session validation on every authenticated request.
Your data never trains our AI.
- ✓ API keys for AI providers are encrypted and stored as environment secrets — never in the database.
- ✓ Your business data is never used to train AI models. Anthropic's zero data retention policy applies to all Operandix AI requests.
- ✓ AI processing is ephemeral — data sent for analysis is not persisted by the AI provider.
- ✓ All AI agent interactions are scoped to your organization and user session.
Built for regulated industries.
We are actively working toward SOC 2 Type II certification. Controls are designed to meet the criteria today.
Data residency controls, right-to-deletion workflows, and data processing agreements available on request.
California Consumer Privacy Act compliant. Users can request data export or deletion at any time.
Have security questions?
Our team is happy to answer any security or compliance questions before you sign up.