How does Opagio protect user data and ensure platform security?

Full Explanation

Opagio takes data security seriously because our users share sensitive financial and business information. Our security architecture covers multiple layers. Data encryption: all data is encrypted at rest using AES-256 and in transit using TLS 1.3. API keys use a secure prefix system with exact-length validation. Authentication: Opagio uses enterprise-grade authentication (Supabase Auth) with session expiration, JWT rotation, and rate-limited endpoints. All authentication decisions are made server-side — never relying on UI-level checks alone. Access control: row-level security ensures users can only access their own organisation's data. Role-based permissions control what actions different team members can perform. Infrastructure: the platform runs on Google Cloud (Firebase) with DDoS protection, automated backups, and fully separated test and production environments. Compliance: Opagio follows GDPR requirements including a real account deletion flow, audit logging of critical actions (deletions, role changes, data exports), and transparent data processing policies. Input sanitisation: all user inputs are sanitised and queries are parameterised to prevent injection attacks. CORS is restricted to production domains — no wildcard origins. We maintain these standards through automated security audits in our CI pipeline and regular dependency vulnerability scanning.

Related Questions