At OrgX, security isn’t an afterthought—it’s foundational to how we build. This page outlines our security posture, data handling practices, and compliance roadmap.

Data Storage

Primary Database

OrgX uses Supabase Postgres as the primary datastore:
  • Encryption at rest: All data encrypted using AES-256
  • Encryption in transit: TLS 1.3 for all connections
  • Row-Level Security (RLS): Every table has RLS policies ensuring users only access their own data
  • Backups: Daily automated backups with point-in-time recovery

User Data Isolation

-- Example RLS policy
CREATE POLICY "users_own_data" ON initiatives
  FOR ALL USING (
    owner_id = auth.uid() OR
    workspace_id IN (
      SELECT workspace_id FROM workspace_members
      WHERE user_id = auth.uid()
    )
  );
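
With RLS enabled, Postgres applies this policy to every query against the table, so results are limited to rows the authenticated user owns or that belong to a workspace they are a member of.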

Authentication

User Authentication

OrgX uses Clerk for user authentication:
  • Email/password with strong password requirements
  • Google OAuth
  • Passkey support (WebAuthn)
  • Multi-factor authentication (MFA) available

API Authentication

Surface | Method | Token Type
Web App | Clerk session | Short-lived JWT
MCP Server | OAuth 2.1 | Access token (24h)
Webhooks | HMAC signature | N/A
Service-to-service | API key | Long-lived

Session Management

  • Sessions expire after 7 days of inactivity
  • Concurrent sessions allowed (configurable)
  • Remote session revocation available in settings

Secrets Management

Integration Tokens

Tokens from connected services are stored securely:
Token | Storage | Encryption
Linear access token | users table | Column-level encryption
GitHub access token | users table | Column-level encryption
Stripe keys | Environment variables | Platform-managed
MCP JWT secret | Environment variables | Platform-managed

Key Rotation

Secret Type | Rotation Frequency | Method
OAuth tokens | On expiry/revoke | Automatic refresh
API keys | Manual | Settings UI
JWT signing keys | Quarterly | Rolling deployment

If you suspect a token has been compromised, revoke it immediately in Settings → Integrations and reconnect.

Access Controls

Role-Based Access

Role | Permissions
Owner | Full workspace access, billing, user management
Admin | Full access except billing changes
Member | Access to assigned initiatives, approve decisions
Viewer | Read-only access to dashboards

Permission Boundaries

  • Agents only access data explicitly granted via scopes
  • MCP tools declare required permissions
  • Audit log tracks all permission-sensitive actions

Agent Security

Autonomy Limits

Agents operate within configured boundaries:
interface AgentLimits {
  max_tokens_per_run: number; // Prevent runaway costs
  max_tool_calls: number; // Prevent infinite loops
  allowed_tools: string[]; // Whitelist of tools
  budget_threshold: number; // $$ limit before escalation
}

Tool Gating

// Tools are gated by scope and policy
const registry = buildPolicyAwareToolRegistry({
  requestedTools: ['github.create_pr'],
  grantedScopes: user.scopes, // Must include 'github:write'
  projectId: project.id,
});
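
One way the limits and scope gating described in the two sections above could be enforced, as an added example that is not OrgX's code. gateTools, makeRunGuard, TOOL_SCOPES and SAMPLE_LIMITS are hypothetical names, the tool-to-scope mapping and the sample limits are assumptions, and github.read_issue and github:read are constructed for illustration; an escalate verdict stands for the "limit before escalation" behaviour in the AgentLimits comment.

```typescript
// Added example; every name except AgentLimits is hypothetical, not OrgX's code.
interface AgentLimits {
  max_tokens_per_run: number;
  max_tool_calls: number;
  allowed_tools: string[];
  budget_threshold: number;
}
type Verdict = 'allow' | 'deny' | 'escalate';

// Assumed tool -> required-scope mapping. A Map, not a plain object, so a tool
// named "constructor" or "__proto__" cannot resolve to an inherited property.
const TOOL_SCOPES = new Map<string, string>([
  ['github.create_pr', 'github:write'],
  ['github.read_issue', 'github:read'],
]);

// Deny by default: grant a tool only if it is registered, allowlisted for the
// agent, and the caller holds the scope it requires.
function gateTools(requested: string[], grantedScopes: string[], limits: AgentLimits) {
  const allowed = new Set(limits.allowed_tools);
  const scopes = new Set(grantedScopes);
  const granted = new Set<string>();
  const denied: { tool: string; reason: string }[] = [];
  for (const tool of requested) {
    const scope = TOOL_SCOPES.get(tool);
    if (scope === undefined) denied.push({ tool, reason: 'unknown tool' });
    else if (!allowed.has(tool)) denied.push({ tool, reason: 'not in allowed_tools' });
    else if (!scopes.has(scope)) denied.push({ tool, reason: 'missing scope ' + scope });
    else granted.add(tool);
  }
  return { granted, denied };
}

// Per-run guard: checks every limit before a call executes and records usage
// only when the call is allowed, so a refused call never consumes budget.
function makeRunGuard(limits: AgentLimits, granted: Set<string>) {
  let calls = 0, tokens = 0, spend = 0;
  return (tool: string, estTokens: number, estCost: number): Verdict => {
    if (!granted.has(tool)) return 'deny';
    if (calls + 1 > limits.max_tool_calls) return 'deny';
    if (tokens + estTokens > limits.max_tokens_per_run) return 'deny';
    if (spend + estCost > limits.budget_threshold) return 'escalate';
    calls += 1; tokens += estTokens; spend += estCost;
    return 'allow';
  };
}

// Constructed sample limits for illustration.
const SAMPLE_LIMITS: AgentLimits = { max_tokens_per_run: 1000, max_tool_calls: 3,
  allowed_tools: ['github.create_pr'], budget_threshold: 5 };
```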

Verification Layer

Every artifact passes through verification before shipping:
  1. Citation check (sources exist and are accessible)
  2. Policy check (no PII, no secrets, brand compliant)
  3. Contract check (output matches expected schema)
  4. Budget check (within token/latency limits)

Audit Trail

What We Log

Event Type | Data Captured
Authentication | User ID, timestamp, method, IP
API calls | Endpoint, params, response code, duration
Agent runs | Tools called, tokens used, artifacts created
Decisions | Action taken, user, timestamp, note
Data access | Table, row IDs, operation

Retention

Log Type | Retention
Security events | 12 months
Agent telemetry | 90 days
Decision history | Indefinite
API access logs | 30 days

Access to Logs

  • Mission Control: View recent activity
  • Settings → Audit Log: Full searchable history
  • Export: Download logs for compliance reviews

Network Security

Infrastructure

  • Hetzner: Application and agent runtime hosting
  • Cloudflare: MCP server, edge protection, DDoS mitigation, and WAF
  • Supabase: Managed Postgres with network isolation

Security Headers

All responses include security headers:
// middleware.ts
headers.set('X-Content-Type-Options', 'nosniff');
headers.set('X-Frame-Options', 'DENY');
headers.set('X-XSS-Protection', '1; mode=block');
headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
headers.set('Content-Security-Policy', CSP_POLICY);

Rate Limiting

Endpoint | Limit | Window
Auth endpoints | 10 req | 1 min
API reads | 100 req | 1 min
API writes | 30 req | 1 min
MCP tools | 60 req | 1 min

Incident Response

Response Process

  1. Detection: Automated monitoring + user reports
  2. Triage: Severity assessment within 1 hour
  3. Containment: Immediate action to limit impact
  4. Resolution: Root cause fix and deployment
  5. Communication: User notification if data affected
  6. Review: Post-incident analysis and improvements

Contact

Report security issues to: [email protected]. We respond to all security reports within 24 hours.

Compliance Roadmap

Current State

Compliance | Status
GDPR | ✅ Data minimization, deletion, export
CCPA | ✅ Opt-out, access requests
SOC 2 Type I | 🔜 In preparation
SOC 2 Type II | 🔜 Following Type I
HIPAA | ❌ Not applicable (no PHI)

Data Processing

  • Subprocessors: Hetzner, Cloudflare, Supabase, Stripe, OpenAI
  • Data location: Primary application/runtime infrastructure on Hetzner; managed data storage in Supabase; enterprise region commitments available on request
  • DPA: Available on request for enterprise customers

Your Rights

You can:
  • Export all your data (Settings → Export)
  • Delete your account and data (Settings → Account)
  • Correct inaccurate data (Settings → Profile)
  • Restrict processing (contact support)

Best Practices

  • Multi-factor authentication significantly reduces account takeover risk. Enable it in Settings → Security.
  • Periodically review which integrations have access. Remove any you no longer use in Settings → Integrations.
  • Grant agents and team members only the permissions they need. Start restrictive and expand as needed.
  • Regularly review the audit log for unexpected activity, especially after onboarding new team members or integrations.
