Security
Australian-hosted, encrypted at rest and in transit, isolated per-organisation at the database level. We take security seriously so you can focus on running your business.
From the database to the edge, every layer of OneBookPlus is designed to keep your business data safe.
Your data is hosted in Australia via Supabase on AWS ap-southeast-2 (Sydney). Frontend served from Vercel's Edge Network with Australian PoPs. Your business data never needs to leave the country.
AES-256 encryption at rest for all database storage. TLS 1.3 encryption in transit for every request. Passwords hashed with bcrypt — we never store or see your plaintext password.
Powered by Supabase Auth with multi-factor authentication (MFA) support via TOTP authenticator apps. Brute force protection with account lockout. Configurable session timeouts and idle lockouts.
Every database table is protected by Postgres Row Level Security (RLS) policies. Queries are scoped by tenant_id at the database layer — not just application code — so data isolation is enforced even if a bug bypasses the app.
Every query, API call, and server action is scoped by tenant_id, so one organisation cannot see, modify, or access another organisation's data. Isolation is enforced at the database, API, and middleware layers, with the database policies as the last line of defence.
Four-tier permission model — Owner, Admin, Staff, and Viewer — enforced server-side on every request. Roles control access to sensitive operations like billing, team management, data export, and destructive actions.
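To make the tenant-isolation and role claims above concrete, here is an added illustration of how Postgres Row Level Security of that kind is written on Supabase. It is example code, not OneBookPlus's actual schema or policies: the tables organisation_members and invoices, the helper functions current_user_tenants and current_user_role, and the four role names are assumptions for the example. auth.uid() and the authenticated role are Supabase built-ins.

```sql
-- Assumed schema for this example (not OneBookPlus's real tables).
create table organisation_members (
  user_id   uuid not null references auth.users (id),
  tenant_id uuid not null,
  role      text not null check (role in ('owner', 'admin', 'staff', 'viewer')),
  primary key (user_id, tenant_id)
);

create table invoices (
  id          uuid primary key default gen_random_uuid(),
  tenant_id   uuid not null,
  customer    text not null,
  total_cents integer not null
);

-- Hypothetical helper: tenants the calling user belongs to.
-- security definer so the policies below do not recurse into RLS on organisation_members.
create or replace function current_user_tenants()
returns setof uuid
language sql security definer set search_path = public stable
as $$
  select tenant_id from organisation_members where user_id = auth.uid();
$$;

-- Hypothetical helper: the caller's role within one tenant (null if not a member).
create or replace function current_user_role(p_tenant uuid)
returns text
language sql security definer set search_path = public stable
as $$
  select role from organisation_members
  where user_id = auth.uid() and tenant_id = p_tenant;
$$;

-- Turn RLS on and apply it even to the table owner.
alter table invoices enable row level security;
alter table invoices force row level security;

-- Read: any member of the tenant, regardless of role.
create policy invoices_select on invoices
  for select
  using (tenant_id in (select current_user_tenants()));

-- Insert: owners, admins and staff. The WITH CHECK clause rejects a row whose
-- tenant_id belongs to another organisation, even if application code sets it wrongly.
create policy invoices_insert on invoices
  for insert
  with check (current_user_role(tenant_id) in ('owner', 'admin', 'staff'));

-- Update: same three roles; USING picks the visible rows, WITH CHECK validates the result.
create policy invoices_update on invoices
  for update
  using (current_user_role(tenant_id) in ('owner', 'admin', 'staff'))
  with check (current_user_role(tenant_id) in ('owner', 'admin', 'staff'));

-- Destructive action: owners and admins only. Viewers and staff cannot delete.
create policy invoices_delete on invoices
  for delete
  using (current_user_role(tenant_id) in ('owner', 'admin'));

-- RLS filters rows; GRANT still gates which statements the JWT-backed role may run at all.
grant select, insert, update, delete on invoices to authenticated;

-- Check from psql: impersonate a user and confirm only that user's tenant rows are visible.
-- (auth.uid() reads the sub claim from the request.jwt.claims setting.)
-- begin;
--   select set_config('request.jwt.claims', '{"sub":"<user-uuid>","role":"authenticated"}', true);
--   set local role authenticated;
--   select tenant_id, count(*) from invoices group by tenant_id;  -- expect one tenant only
-- rollback;
```

One caveat worth knowing when reading the claims on this page: RLS applies to connections made as the authenticated role with the user's JWT. A connection using a role with BYPASSRLS, which is what Supabase's service_role key provides, is not filtered by these policies, so that key has to stay server-side and out of any client-reachable code path.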
All payment processing is handled by Stripe Connect, a PCI DSS Level 1 Service Provider — the highest level of payment security certification. Credit card numbers, CVVs, and sensitive payment data never touch OneBookPlus servers. Stripe handles tokenisation, fraud detection, and secure storage so your customers' payment information is always protected.
We build on industry-leading providers so you get enterprise-grade security without enterprise complexity.
Frontend hosting & Edge Network
Global CDN with Australian PoPs. Automatic HTTPS, DDoS protection, and edge caching.
Database, Auth & Storage
Postgres with RLS, Supabase Auth with MFA, hosted on AWS Sydney (ap-southeast-2).
Payment processing
PCI DSS Level 1 compliant. All card data handled by Stripe — never touches our servers.
Transactional email
DKIM-signed, SPF-authenticated email delivery for invoices, reminders, and notifications.
SMS delivery
SMS marketing and notifications via Twilio's secure API with Australian sender IDs.
We meet the standards that matter for Australian businesses — and we're working toward more.
We comply with all 13 Australian Privacy Principles under the Privacy Act 1988 (Cth). Your data is collected, used, and disclosed in accordance with Australian law.
For users in the European Economic Area, we comply with the General Data Protection Regulation. Data processing agreements are available on request.
All payment card data is processed by Stripe, a PCI DSS Level 1 Service Provider. Card numbers never touch OneBookPlus servers.
We are working toward SOC 2 Type II certification for our security, availability, and confidentiality controls. Our infrastructure providers (AWS, Vercel, Supabase) are already SOC 2 certified.
Security isn't a one-time checkbox — it's how we build and operate every day.
Automated vulnerability scanning on every pull request. Critical CVEs are patched within 48 hours.
Runtime dependencies, database extensions, and infrastructure components are kept up to date on a continuous release cycle.
Internal access to production systems follows the principle of least privilege. Database credentials are rotated regularly.
Security-sensitive operations — logins, permission changes, data exports, and billing actions — are logged with timestamps and actor IDs.
Code reviews, automated linting, type-safe database queries, and server-side validation on every endpoint. No raw SQL — all queries go through Supabase's typed client with RLS enforced.
Documented response plan with clear severity levels and notification timeframes — users within 24 hours, the ATO Digital Partnership Office the same business day, and the OAIC within 72 hours for eligible data breaches. Read the plan.
We're happy to discuss our security practices in more detail. Reach out and we'll get back to you within 24 hours.