Security

Last updated: February 16, 2026

TLS 1.2+

All data encrypted in transit

AES-256

Database encrypted at rest

SOC 2 Infrastructure

Vercel + Supabase + Anthropic + OpenAI

PCI DSS Payments

Via Lemon Squeezy (merchant of record)

No Data Training

AI providers don't train on your data

Row-Level Security

Database isolation per user

GDPR / CCPA / LGPD

10-region privacy compliance

Responsible Disclosure

90-day security vulnerability program

Transparency note: Otoq is an early-stage product. We do not yet have an independent third-party security audit. The practices described below are self-assessed and reflect our actual implementation. Our infrastructure providers (Vercel, Supabase, Anthropic, OpenAI) each maintain their own SOC 2 Type II certifications, which you can verify via their respective trust pages. We plan to pursue independent certification as we scale.

Vercel Security Supabase Security Anthropic Security OpenAI Security

At Otoq, security is foundational — not an afterthought. We handle your business data and your customers' conversations, and we take that responsibility seriously. This page describes how we protect your data and how you can help us keep the platform secure.

Infrastructure Security

  • Encryption in transit: All data is encrypted using TLS 1.2+ (HTTPS). We enforce HSTS with a max-age of 2 years including subdomains.
  • Encryption at rest: Database storage is encrypted at rest via Supabase (backed by AWS infrastructure with AES-256 encryption).
  • Hosting: Application hosted on Vercel with automatic DDoS protection, edge network, and SOC 2 Type II compliance. Database hosted on Supabase (SOC 2 Type II compliant).
  • Region: Primary deployment in Singapore (sin1) for low-latency APAC access.

Application Security

  • Row-Level Security (RLS): Every database table enforces row-level security policies ensuring users can only access their own data.
  • Input sanitization: All user inputs are validated with Zod schemas, HTML-stripped, and sanitized before processing.
  • Prompt injection detection: Chat messages are scanned for known prompt injection patterns with system-level guardrails.
  • SSRF protection: URL crawler blocks requests to private IP ranges, cloud metadata endpoints, and internal hostnames.
  • Rate limiting: Per-visitor and per-agent rate limits via Upstash Redis (production) with in-memory fallback (development).
  • Auth rate limiting: Brute-force protection on login/signup endpoints (10 attempts per 15 minutes per IP).
  • Security headers: Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Strict-Transport-Security, Referrer-Policy, Permissions-Policy.
  • No tracking cookies: Only essential authentication cookies are used. No third-party advertising trackers.

Data Privacy

  • No model training: Your business data and conversations are never used to train AI models. Anthropic (Claude) and OpenAI explicitly do not train on API data.
  • Data ownership: You retain full ownership of all content you upload. We process it solely to provide the service.
  • Data deletion: When you delete your account, all associated data (agents, knowledge bases, conversations, leads) is permanently deleted. Backups are purged within 30 days.
  • Data export: You can export your leads and conversations at any time via the dashboard.
  • Payment security: We never store credit card details. All payment processing is handled by Lemon Squeezy (our merchant of record), which is PCI DSS compliant.

Global Compliance

We are committed to complying with data protection laws across all jurisdictions we serve. See our Privacy Policy (Region-Specific Addendums) for jurisdiction-specific details.

RegionRegulationStatus
PhilippinesData Privacy Act (RA 10173)Compliant
EU / EEAGeneral Data Protection Regulation (GDPR)Compliant
United KingdomUK GDPR + Data Protection Act 2018Compliant
California, USCCPA / CPRACompliant — no data sales
BrazilLei Geral de Proteção de Dados (LGPD)Compliant
CanadaPIPEDACompliant
South AfricaPOPIACompliant
SingaporePersonal Data Protection Act (PDPA)Compliant
AustraliaPrivacy Act 1988 (APPs)Compliant
JapanAct on Protection of Personal Information (APPI)Compliant
  • No data sales: We do not sell personal information to any third party, ever.
  • Cookie consent: Analytics tracking only activates after explicit user opt-in via our cookie consent banner.
  • SOC 2 (via infrastructure): Our infrastructure providers (Vercel, Supabase, Anthropic, OpenAI, Upstash, Sentry, PostHog) maintain SOC 2 Type II certifications.
  • PCI DSS (via Lemon Squeezy): Payment processing is fully handled by our PCI-compliant merchant of record.

Responsible Disclosure

We welcome security researchers to help us keep Otoq safe. If you discover a vulnerability, please report it responsibly:

  • Email security@getotoq.com with a detailed description
  • Include steps to reproduce the issue if possible
  • Allow us 90 days to address the issue before public disclosure
  • Do not access, modify, or delete data belonging to other users
  • Do not perform denial-of-service attacks or social engineering

We commit to acknowledging receipt within 48 hours and providing regular updates on our progress. We will not take legal action against researchers who follow these guidelines.

Third-Party Services

ServicePurposeCompliance
VercelApplication hostingSOC 2 Type II, GDPR
SupabaseDatabase, Auth, StorageSOC 2 Type II, HIPAA, GDPR
AnthropicAI responses (Claude)SOC 2 Type II, no data training
OpenAIText embeddingsSOC 2 Type II, no data training
Lemon SqueezyPayment processingPCI DSS, GDPR
UpstashRate limiting (Redis)SOC 2 Type II, GDPR
ResendTransactional emailGDPR
ShopifyE-commerce integrationSOC 2 Type II, PCI DSS, GDPR
SentryError trackingSOC 2 Type II, GDPR
PostHogProduct analyticsSOC 2 Type II, GDPR, HIPAA

Contact

For security concerns: security@getotoq.com

For privacy questions: privacy@getotoq.com

For general support: support@getotoq.com