Data Protection
- All data encrypted in transit using TLS 1.2+ (HTTPS enforced on all endpoints)
- All data encrypted at rest using AES-256 via our database provider
- Database hosted on Supabase (built on PostgreSQL) with automated backups
- API endpoints enforce payload size limits (50KB) to prevent abuse
- Rate limiting on all public endpoints (events API: 100 req/min per API key; AI endpoints: 20–50 req/hr per authenticated user, 10/hr for anonymous support chat)
- Atomic rate limiting via Postgres transactions with fail-closed behavior — service errors block requests rather than bypassing limits
- AI spend capped at $200/month via automated circuit breaker to prevent runaway costs from compromised credentials
- Email unsubscribe links use HMAC-SHA256 signed tokens to prevent enumeration attacks
- Tracking snippet ships at <10 KB gzipped (30 KB budget ceiling documented in our engineering standards). Every commit that modifies the snippet reports the new gzipped size in the commit body — byte bloat is treated as a product regression, not a cosmetic concern.
- Flow rendering on customer sites uses Shadow DOM isolation with :host { all: initial !important } and forced !important resets so tooltips, modals, banners, tours, and checklists cannot be broken by hostile host-page CSS (universal * selectors, display: none on .ob-* class names, color/font cascade). A CI regression test at npm run test:shadow-dom actively asserts isolation against a hostile-CSS fixture on every snippet change.
Data Residency
Customer data is stored in a single region: AWS US East (North Virginia) via our Supabase database. All event ingestion, dashboard queries, AI diagnosis, and backups execute in that region. We do not replicate to other regions or transfer data across jurisdictions.
EU/UK residency is not currently offered. If your compliance program requires data to stay in a specific region outside us-east-1, email tyler@onboardics.com — we'll let you know if it's on the roadmap or blocks your evaluation.
Tenant Isolation
Every customer's data is logically isolated using PostgreSQL Row-Level Security (RLS) policies. Each API request is verified against project ownership before returning any data.
- Row-level security enforced at the database layer — not application-level checks that can be bypassed
- Shared authentication helper (requireProjectAccess) verified on every endpoint
- Build-time CI check prevents any new endpoint from bypassing the isolation helper — the deploy fails if the rule is violated
- Cross-tenant data access is structurally impossible, not just policy-prohibited
- Superadmin access restricted to a single whitelisted email with audit logging on every request
Authentication & Access
- Login via Google OAuth or magic link (no passwords stored)
- Session tokens issued by Supabase Auth with JWT verification
- API keys scoped per project, never shared across accounts
- XSS protection: all user input sanitized before storage (HTML tags stripped, entities escaped)
- CORS configured to allow only the onboardics.com origin
- Security headers enforced: HSTS (max-age 63072000), CSP frame-ancestors 'self' directive (modern W3C standard replacing legacy X-Frame-Options header), X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy restrictive, Content-Security-Policy with explicit allowlists
Compliance
Onboardics is designed with privacy by default.
- GDPR compliant — we provide a Data Processing Agreement (DPA) for customers who need one
- CCPA compliant — we do not sell personal data
- Data deletion requests honored within 30 days. Contact tyler@onboardics.com
- Cookie consent integration via Termly — works with your existing consent management platform
- Tracking snippet exposes a setConsent(true|false) hook for direct consent management platform integration. Default behavior honors navigator.globalPrivacyControl. Call window.__onboardics.setConsent(false) on consent banner decline (or GPC signal) to stop all tracking. Termly is auto-detected and wired automatically — if you use Termly, you don't need to write any consent integration code; the snippet reads Termly's analytics consent from localStorage on load and re-checks every 30 seconds for mid-session changes. Cookiebot and OneTrust currently require manual setConsent() wiring; auto-detection for those is on the roadmap. Custom consent flows are always supported via the same hook.
- Zero cookies — the tracking snippet stores session state in localStorage only, never in cookies. Simplifies your cookie policy disclosure.
- Subresource Integrity (SRI) — for customers with strict content security requirements, we publish an immutable hashed URL of the tracking snippet at /v1/<hash>.js alongside the canonical /v1.js. The current hash plus a paste-ready integrity="sha384-..." attribute is available as JSON at /v1/manifest.json. Use the hashed URL with SRI in your <script> tag to pin to exactly this byte sequence and have the browser reject any tampered load.
- Automatic JS error capture with PII redaction (default on, opt-out via setErrorCapture(false)). Before any error data leaves the browser, a 9-pattern redaction chain strips Bearer tokens, provider API keys (sk_test_…, pk_live_…), URL query-string secrets (password, token, api_key, auth, secret, credentials, session, bearer, jwt), email addresses, UUIDs in URL paths, long numeric IDs in URL paths, credit-card-like digit sequences, phone numbers, and Mac/Linux home-directory paths (/Users/…, /home/…). Capped at 10 error events per session, deduplicated by message+file+line+column. Error capture inherits the consent gate — when setConsent(false) is in effect, error events are not emitted either.
- Form-field-name denylist redacts common PII field names before emission (ssn, credit, cvv, card, password, token, secret, api_key, auth, bank, routing, iban, passport, license, taxid). We never capture form values — only interaction events (focus, blur, submit) with the field name and form ID.
- Bot traffic is flagged at the event metadata level (_bot: true), not dropped client-side. This preserves evidence so dashboards can filter or include bot traffic at read time — no silent data loss that would hide data-quality issues like crawler floods or headless-browser monitoring.
- Data retention policies enforced per plan tier (30 days Free/Diagnose, 90 days Deploy, unlimited Scale/Business)
- Post-cancellation data retained 30 days for reactivation, then permanently deleted
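The consent item in the list above combines three signals: the explicit setConsent() call, the browser's navigator.globalPrivacyControl flag, and the CMP's cached decision that is re-read during the session. The gate below is an added example, not the Onboardics snippet. The Termly localStorage key name and its JSON shape are placeholders, the precedence rule (any deny signal wins) and the default-on behaviour when no signal is present are this example's choices, and the storage and navigator objects are injected so the code runs outside a browser.

```javascript
// Added example, not Onboardics' snippet. The CMP storage key and value shape
// are assumptions; a real integration reads whatever the CMP actually writes.
const ASSUMED_TERMLY_KEY = 'termly-consent-placeholder';

function createConsentGate({ nav, storage, termlyKey = ASSUMED_TERMLY_KEY, defaultAllowed = true }) {
  let explicit = null;  // last value passed to setConsent(), null if never called
  const queue = [];     // events accepted while tracking was allowed

  // Read the CMP's cached analytics decision; any parse problem counts as "no signal".
  function readCmp() {
    try {
      const raw = storage.getItem(termlyKey);
      if (!raw) return null;
      const parsed = JSON.parse(raw);
      return typeof parsed.analytics === 'boolean' ? parsed.analytics : null;
    } catch {
      return null;
    }
  }

  // Deny signals win: an explicit decline or a GPC flag stops tracking no
  // matter what the CMP cache says. Only then does an explicit accept apply,
  // then the CMP value, then the default.
  function trackingAllowed() {
    if (explicit === false) return false;
    if (nav && nav.globalPrivacyControl === true) return false;
    if (explicit === true) return true;
    const cmp = readCmp();
    return cmp === null ? defaultAllowed : cmp;
  }

  // Anything other than a literal true is treated as a decline.
  function setConsent(value) {
    explicit = value === true;
    if (!explicit) queue.length = 0; // discard anything not yet sent
  }

  // Returns true if the event was accepted, false if the gate dropped it.
  function track(event) {
    if (!trackingAllowed()) return false;
    queue.push(event);
    return true;
  }

  // The snippet re-checks the CMP on a timer; here the caller drives it.
  function recheck() {
    return trackingAllowed();
  }

  return { setConsent, track, recheck, trackingAllowed, pending: () => queue.slice() };
}

// Minimal localStorage stand-in so the gate can be exercised in Node.
function memoryStorage(entries = {}) {
  const m = new Map(Object.entries(entries));
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
  };
}

// Usage: a visitor whose browser sends GPC is never tracked, even after a
// banner accept, because the deny signal takes precedence.
const gpcVisitor = createConsentGate({ nav: { globalPrivacyControl: true }, storage: memoryStorage() });
gpcVisitor.setConsent(true);
console.log('GPC visitor tracked:', gpcVisitor.track({ name: 'pageview' })); // false
```

The periodic re-check matters because CMP banners are often answered after the first page load: a gate that only reads the cached value once would keep the pre-decision default for the rest of the session.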
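The error-capture and form-field items above describe a client-side redaction chain, a per-session cap with dedup, and a field-name denylist. The code below is an added example written for this page, not the Onboardics snippet: it implements the nine categories the list names with this example's own regexes and replacement markers (the production patterns may differ), uses a constructed error message as input, and wires the capture session to a consent callback so the inherited gate is visible.

```javascript
// Added example, not Onboardics' code. The nine categories follow the page;
// the regexes and "[MARKER]" replacements are this example's own.
const REDACTIONS = [
  // 1. Bearer tokens in headers or messages
  [/\bBearer\s+[A-Za-z0-9\-._~+/]+=*/g, 'Bearer [REDACTED]'],
  // 2. Provider-style API keys such as sk_test_… / pk_live_…
  [/\b(?:sk|pk)_(?:test|live)_[A-Za-z0-9]+/g, '[REDACTED_KEY]'],
  // 3. Secret-bearing query-string parameters (value replaced, name kept)
  [/([?&](?:password|token|api_key|auth|secret|credentials|session|bearer|jwt)=)[^&\s"')]*/gi, '$1[REDACTED]'],
  // 4. Email addresses
  [/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, '[EMAIL]'],
  // 5. UUIDs used as URL path segments
  [/\/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}(?=[\/?#\s]|$)/gi, '/[UUID]'],
  // 6. Long numeric IDs used as URL path segments
  [/\/\d{6,}(?=[\/?#\s]|$)/g, '/[ID]'],
  // 7. Credit-card-like runs: 13-19 digits with optional spaces or dashes, ending on a digit
  [/\b\d(?:[ -]?\d){12,18}\b/g, '[CARD]'],
  // 8. Phone numbers; runs after 6 and 7 so those digit runs are already gone.
  //    Deliberately broad: a stray 10-digit number is redacted rather than leaked.
  [/(?:\+?\d{1,3}[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b/g, '[PHONE]'],
  // 9. Mac/Linux home-directory paths: keep the prefix, drop the username
  [/\/(Users|home)\/[^\/\s]+/g, '/$1/[USER]'],
];

// Apply every pattern in order; order matters where patterns overlap (6, 7, 8).
function redact(text) {
  return REDACTIONS.reduce((out, [pattern, replacement]) => out.replace(pattern, replacement), String(text));
}

// Per-session capture with the cap and dedup rule the page describes. The
// consent callback is injected so the gate can be exercised without a browser.
class ErrorCaptureSession {
  constructor({ maxEvents = 10, consentAllowed = () => true } = {}) {
    this.maxEvents = maxEvents;
    this.consentAllowed = consentAllowed;
    this.seen = new Set();
    this.emitted = [];
  }

  // Returns true if the event was emitted, false if gated, duplicate or over the cap.
  capture({ message, file, line, column }) {
    if (!this.consentAllowed()) return false;          // inherits the consent gate
    const key = `${message}|${file}|${line}|${column}`;
    if (this.seen.has(key)) return false;              // same error at the same location
    if (this.emitted.length >= this.maxEvents) return false;
    this.seen.add(key);
    this.emitted.push({ message: redact(message), file: redact(file), line, column });
    return true;
  }
}

// Form-field denylist: substring match on the lower-cased field name, so
// "card_number" and "CreditCardCvv" are both caught. Values are never captured.
const FIELD_DENYLIST = ['ssn', 'credit', 'cvv', 'card', 'password', 'token', 'secret', 'api_key',
  'auth', 'bank', 'routing', 'iban', 'passport', 'license', 'taxid'];

function safeFieldName(name) {
  const lower = String(name).toLowerCase();
  return FIELD_DENYLIST.some((word) => lower.includes(word)) ? '[REDACTED_FIELD]' : name;
}

// Constructed error message (not a real capture) that touches all nine categories.
const SAMPLE_ERROR =
  'TypeError: fetch failed for https://api.example.com/users/123e4567-e89b-12d3-a456-426614174000/orders/123456789?token=abc123&x=1 ' +
  '(Authorization: Bearer eyJhbGci.xyz) user jane.doe@example.com card 4111 1111 1111 1111 ' +
  'phone 555-123-4567 key sk_test_abc123 at /Users/jane/app/main.js';

console.log(redact(SAMPLE_ERROR));
```

Ordering is the easy thing to get wrong in a chain like this: if the phone pattern ran before the card pattern, a 16-digit card number could be partially consumed as a phone number and the remainder leaked. Running the path-segment and card patterns first leaves the phone pattern only the short runs it is meant for.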
Enterprise readiness
We're transparent about where we are on the enterprise checklist. If you're an InfoSec or procurement reviewer, this is your short-circuit read:
Shipped today
- Tenant isolation via PostgreSQL RLS with build-time CI enforcement
- TLS 1.2+ in transit, AES-256 at rest, single-region US data residency (AWS us-east-1)
- PII redaction (9 patterns), form-field denylist, SRI-pinnable snippet, Shadow DOM isolation with CI regression gate
- GDPR-ready with DPA, CCPA-compliant, Termly/CMP integration, setConsent() hook, navigator.globalPrivacyControl honored
- Fail-closed rate limiting, $200/month Anthropic spend circuit breaker, HMAC-signed unsubscribe tokens
- Customer-operated snippet pause — disable tracking for your project in one click, ~30-second propagation, no engineering intervention required
- Snippet self-defense — top-level error trap, circuit breaker (auto-disables any browser session emitting >20 internal errors in 10 seconds), internal error telemetry to our own Sentry project for real-time visibility into customer-site breakage
- Responsible disclosure process with 48-hour response commitment
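The snippet self-defense item above names a concrete threshold: a session that emits more than 20 internal errors in 10 seconds is auto-disabled. The sliding-window breaker below is an added example, not Onboardics' snippet code. The clock and the telemetry reporter are injected (assumptions made so it runs outside a browser), and the guard wrapper stands in for the top-level error trap the item mentions.

```javascript
// Added example, not Onboardics' code: a per-session circuit breaker that
// disables the snippet after more than `maxErrors` internal errors inside a
// sliding `windowMs` window. `now` and `report` are injected for testability.
function createSnippetBreaker({ maxErrors = 20, windowMs = 10000, now = () => Date.now(), report = () => {} } = {}) {
  const timestamps = [];  // error times inside the current window, oldest first
  let disabled = false;

  // Record one internal error. Returns true while the session is still live,
  // false once the breaker has tripped.
  function recordError(err) {
    if (disabled) return false;
    const t = now();
    timestamps.push(t);
    // Drop entries that have aged out of the window.
    while (timestamps.length && timestamps[0] <= t - windowMs) timestamps.shift();
    // Internal telemetry hook (assumed): what the page calls "error telemetry
    // to our own Sentry project". Only the message is forwarded here.
    report({ message: String((err && err.message) || err), at: t });
    if (timestamps.length > maxErrors) {
      disabled = true;
      timestamps.length = 0;
    }
    return !disabled;
  }

  // Wrap a snippet entry point so its own failures never reach the host page:
  // the error is recorded and the call returns undefined instead of throwing.
  function guard(fn) {
    return function guarded(...args) {
      if (disabled) return undefined;
      try {
        return fn.apply(this, args);
      } catch (e) {
        recordError(e);
        return undefined;
      }
    };
  }

  return { recordError, guard, isDisabled: () => disabled };
}

// Usage: a render routine that throws on a hostile page never breaks the page;
// after the 21st failure inside 10 seconds the breaker stops calling it at all.
let fakeClock = 0;
const breaker = createSnippetBreaker({ now: () => fakeClock, report: (r) => console.log('telemetry:', r.message) });
const renderTour = breaker.guard(() => { throw new Error('tour container missing'); });
for (let i = 0; i < 25; i++) renderTour();
console.log('session disabled:', breaker.isDisabled()); // true
```

The threshold is per window rather than per session lifetime, so a page that produces one internal error a minute for an hour is not disabled; only a burst is. The trade-off the page makes explicit, that a broken session is switched off rather than allowed to keep failing, is what keeps snippet bugs from turning into host-page breakage.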
In progress
- SOC 2 Type II — targeting Q4 2026. Security controls described on this page reflect the operational practices SOC 2 evaluates. If SOC 2 is a hard procurement gate, contact us with your target date and we'll tell you honestly whether we can meet it.
Not yet available
- SAML SSO & SCIM provisioning — magic link + Google OAuth today. SAML is on the roadmap for our Enterprise tier.
- Customer-facing audit log exports — internal audit logging exists for superadmin and sensitive operations; exportable per-user logs are roadmap.
- Formal third-party penetration test + report — planned alongside SOC 2. Happy to share results of ad-hoc audits we've run internally.
- EU data residency — single-region US today. EU/UK residency isn't on the near-term roadmap; let us know if it's a deal blocker.
- HIPAA BAAs — we don't currently sign BAAs. If you're in healthcare, contact us before evaluating.
- Uptime SLA with service credits — not offered at current tiers. Custom SLAs available for negotiated Business contracts.
- ISO 27001 — not planned; we're prioritizing SOC 2 as the US-equivalent standard.
How to evaluate us
Email tyler@onboardics.com with your security questionnaire, target timeline, and specific procurement requirements. Typical turnaround on a completed questionnaire is 48 hours. If any item above is a hard blocker, we'll tell you directly rather than slow-playing a deal we can't close.
We're pre-revenue and intentionally honest about this list. Most competitors at our stage either have the same gaps without acknowledging them, or have SOC 2 but lack the technical depth documented above (RLS-enforced tenant isolation, CI-enforced security checks, SRI pinning, shadow DOM isolation). Pick the combination that matches your risk tolerance.
Pin a specific snippet version (SRI)
Why: if your compliance program requires subresource integrity on third-party scripts, or your audit process needs a verifiable record of exactly which bytes run on your site, Onboardics publishes every snippet release at an immutable, content-addressed URL with a SHA-384 integrity attribute. The browser refuses to execute the file if even one byte has changed.
How: fetch the current hash and integrity string from our manifest:
curl https://onboardics.com/v1/manifest.json
The manifest returns { url, integrity, sha384_hex, size_bytes, generated_at }. Paste the url and integrity into your install tag:
<script
src="https://onboardics.com/v1/<hash>.js"
integrity="sha384-<base64>"
crossorigin="anonymous"
data-key="YOUR_KEY"
async></script>
Trade-off: pinning means the byte sequence you audited stays verifiable — but it also means you won't receive snippet updates until you rotate the hash. When we ship a new snippet, the old hashed URL stays up for a grace period and then 404s, so pinned installs break loudly rather than silently diverging. The canonical /v1.js install (without SRI) always works and always gets the latest bytes.
Roadmap: we're planning an opt-in webhook + email notification when we publish a new snippet version, so pinned-install customers can queue the update ahead of the old URL expiring. Email tyler@onboardics.com if this would be useful for your team — we prioritize features customers ask for.
Customer-operated snippet pause
Every project admin can disable the Onboardics tracking snippet for their project at any time, without uninstalling it. No ticket, no support queue, no engineering intervention — one click in your dashboard.
Where: Settings → Pause tracking (visible to admin-role members only).
How it works: pausing flips a server-side flag on your project. Your next snippet telemetry request (≤30 seconds) receives a kill signal and halts. The decision is cached in each visitor's browser for one hour, so stopping new events takes effect as fast as a round-trip and remains in effect across page loads. Resume anytime from the same section — tracking begins flowing again on each visitor's next page load.
What it doesn't do: pausing does NOT delete any existing data. Your historical events, funnel data, and dashboards stay intact. You just stop collecting new events for the pause window.
When to use it:
- Major redesign in progress — avoid polluting your funnel with test traffic from staging or pre-release flows.
- Deployment window — keep the baseline clean during a release so you can compare before/after honestly.
- Suspected snippet-vs-site conflict — if your engineering team flags the snippet as a suspect during an incident, pause it to isolate the variable while you investigate.
- Compliance or legal hold — a temporary analytics halt requested by legal, your DPO, or a specific regional ruling.
- Load tests — avoid skewing your real-user data with synthetic traffic.
Note for Terms reviewers: the pause control is Customer's designated mitigation path under the Terms of Service. Customer is responsible for monitoring the snippet's behavior on Customer's sites and invoking this control promptly if an issue arises. Onboardics' liability for consequential damages is limited per the Terms.
Report a Vulnerability
If you discover a security vulnerability in Onboardics, please report it responsibly to tyler@onboardics.com. We take all reports seriously and will respond within 48 hours.
We do not currently offer a formal bug bounty program, but we appreciate and acknowledge responsible disclosures.
Last updated: April 20, 2026