Security
Your data is
our responsibility.
Australian-hosted, encrypted at rest and in transit, isolated per-organisation at the database level. We take security seriously so you can focus on running your business.
Security built into every layer.
From the database to the edge, every layer of OneBookPlus is designed to keep your business data safe.
Australian data residency
Your data is hosted in Australia via Supabase on AWS ap-southeast-2 (Sydney). Frontend served from Vercel's Edge Network with Australian PoPs. Your business data never needs to leave the country.
Encryption everywhere
AES-256 encryption at rest for all database storage. TLS 1.3 encryption in transit for every request. Passwords hashed with bcrypt — we never store or see your plaintext password.
Secure authentication
Powered by Supabase Auth with multi-factor authentication (MFA) support via TOTP authenticator apps. Brute force protection with account lockout. Configurable session timeouts and idle lockouts.
Row-level security
Every database table is protected by Postgres Row Level Security (RLS) policies. Queries are scoped by tenant_id at the database layer — not just application code — so data isolation is enforced even if a bug bypasses the app.
Multi-tenant isolation
Every query, every API call, and every server action is scoped by tenant_id. Organisations cannot see, modify, or access another organisation's data. Isolation is enforced at the database, API, and middleware layers.
Role-based access control
Four-tier permission model — Owner, Admin, Staff, and Viewer — enforced server-side on every request. Roles control access to sensitive operations like billing, team management, data export, and destructive actions.
Payment security — PCI DSS Level 1
All payment processing is handled by Stripe Connect, a PCI DSS Level 1 Service Provider — the highest level of payment security certification. Credit card numbers, CVVs, and sensitive payment data never touch OneBookPlus servers. Stripe handles tokenisation, fraud detection, and secure storage so your customers' payment information is always protected.
Infrastructure you can trust.
We build on industry-leading providers so you get enterprise-grade security without enterprise complexity.
Vercel
Frontend hosting & Edge Network
Global CDN with Australian PoPs. Automatic HTTPS, DDoS protection, and edge caching.
Supabase
Database, Auth & Storage
Postgres with RLS, Supabase Auth with MFA, hosted on AWS Sydney (ap-southeast-2).
Stripe
Payment processing
PCI DSS Level 1 compliant. All card data handled by Stripe — never touches our servers.
Resend
Transactional email
DKIM-signed, SPF-authenticated email delivery for invoices, reminders, and notifications.
Twilio
SMS delivery
SMS marketing and notifications via Twilio's secure API with Australian sender IDs.
Compliance & certifications.
We meet the standards that matter for Australian businesses — and we're working toward more.
Australian Privacy Principles (APPs)
CompliantWe comply with all 13 Australian Privacy Principles under the Privacy Act 1988 (Cth). Your data is collected, used, and disclosed in accordance with Australian law.
GDPR
CompliantFor users in the European Economic Area, we comply with the General Data Protection Regulation. Data processing agreements are available on request.
PCI DSS Level 1
Via StripeAll payment card data is processed by Stripe, a PCI DSS Level 1 Service Provider. Card numbers never touch OneBookPlus servers.
SOC 2 Type II
In progressWe are working toward SOC 2 Type II certification for our security, availability, and confidentiality controls. Our infrastructure providers (AWS, Vercel, Supabase) are already SOC 2 certified.
Ongoing security practices.
Security isn't a one-time checkbox — it's how we build and operate every day.
Dependency auditing
Automated vulnerability scanning on every pull request. Critical CVEs are patched within 48 hours.
Regular security updates
Runtime dependencies, database extensions, and infrastructure components are kept up to date on a continuous release cycle.
Least privilege access
Internal access to production systems follows the principle of least privilege. Database credentials are rotated regularly.
Audit logging
Security-sensitive operations — logins, permission changes, data exports, and billing actions — are logged with timestamps and actor IDs.
Secure development lifecycle
Code reviews, automated linting, type-safe database queries, and server-side validation on every endpoint. No raw SQL — all queries go through Supabase's typed client with RLS enforced.
Questions about
security?
We're happy to discuss our security practices in more detail. Reach out and we'll get back to you within 24 hours.