Rundown software · Established 2024

OnAirFlow

The rundown tool for daily live news shows. Browser-based, real-time, ~90% less than an iNews contract.

Security at OnAirFlow

Last updated · April 19, 2026

Live production can't go down mid-show. We take security and reliability seriously and publish what we do so you can verify it.

Infrastructure

  • Hosted on Vercel (frontend) and Railway (API) with Supabase-managed Postgres.
  • TLS 1.3 everywhere. HSTS preload enabled.
  • All data encrypted at rest (AES-256) and in transit.
  • Daily encrypted database backups with point-in-time recovery.
  • Cloudflare R2 for default attachment storage; BYOS via Google Drive supported.

Authentication

  • JWT access tokens with short TTL and rotating refresh tokens.
  • TOTP 2FA available on all accounts; required on Newsroom tier.
  • Passwords hashed with bcrypt (cost factor 12+).
  • Session revocation and cross-tab sync on logout.
  • SSO / SAML available on the Newsroom tier.

Application

  • Multi-tenant data isolation enforced at the database and application layers.
  • Role-based access control (RBAC) with custom per-organization permissions.
  • Rate limiting and abuse detection on all public endpoints.
  • Input validation with Zod; SQL injection impossible via Prisma ORM.
  • CSP, X-Frame-Options, and full security header suite on every response.

Monitoring

  • Error tracking via Sentry with privacy-safe data scrubbing.
  • Structured logging (Pino) with audit trails on sensitive operations.
  • 24/7 uptime monitoring; status page for incidents.

Responsible disclosure

Found a security issue? Email security@onairflow.com. We'll acknowledge receipt within one business day. We don't yet run a bug bounty program but appreciate responsible disclosure and will credit researchers.

Compliance

GDPR and CCPA compliant. SOC 2 Type II audit on the Newsroom-tier roadmap. HIPAA and FedRAMP are not in scope — OnAirFlow is not certified for those workflows.