Your data security is our priority
38os is built with enterprise-grade security practices to ensure your business data is protected at every layer of the stack.
Encryption
All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher. Your information is protected both when stored on our servers and when moving between your browser and our infrastructure.
Authentication & 2FA
User authentication via Supabase Auth with email/password login. Optional two-factor authentication (TOTP) is available in account settings — enroll any authenticator app for an extra layer of sign-in protection. Sessions use HTTP-only cookies with automatic token rotation.
Threat Protection
Multi-layer attack prevention at every entry point: a Web Application Firewall blocks path traversal attacks and known scanner bots, account lockout triggers after 5 failed login attempts, and breached password detection (via HaveIBeenPwned k-Anonymity API) prevents credential stuffing at signup and password change.
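The k-Anonymity lookup described above, sketched as an added example (not 38os code): only the first five hex characters of the password's SHA-1 leave the server, and the match against the returned suffixes happens locally. The function names and the sample response body are constructed for illustration; the endpoint is the public Pwned Passwords range API.

```javascript
// Works whether this file is loaded as CommonJS or as an ES module.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto');

// Public Pwned Passwords range endpoint; only the 5-char prefix is appended.
const RANGE_ENDPOINT = 'https://api.pwnedpasswords.com/range/';

// Split SHA-1(password) into the prefix that is sent to the API and the
// 35-char suffix that is only ever compared locally.
function hibpSplit(password) {
  const sha1 = nodeCrypto.createHash('sha1').update(password, 'utf8')
    .digest('hex').toUpperCase();
  const prefix = sha1.slice(0, 5);
  return { prefix, suffix: sha1.slice(5), url: RANGE_ENDPOINT + prefix };
}

// Parse a range response ("SUFFIX:COUNT" per line) and return the breach
// count for our suffix, or 0 when the suffix is absent.
function breachCount(rangeBody, suffix) {
  for (const line of rangeBody.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) {
      return Number.parseInt(count, 10) || 0;
    }
  }
  return 0;
}

// Constructed sample response for the prefix of "password" (counts made up).
// The ":0" line imitates a padding entry, as returned when the request sets
// the "Add-Padding: true" header; padding must never count as a hit.
const SAMPLE_RANGE_BODY = [
  '0'.repeat(34) + 'A:7',
  '0'.repeat(34) + 'B:0',
  hibpSplit('password').suffix + ':42',
].join('\r\n');

// Signup / password-change decision: reject on any non-zero count.
// `rangeBody` is the text fetched from hibpSplit(password).url.
function isBreached(password, rangeBody) {
  return breachCount(rangeBody, hibpSplit(password).suffix) > 0;
}
```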
Infrastructure
38os is hosted on Vercel's edge network for application delivery, with our database infrastructure on Supabase (running on Amazon Web Services). We benefit from Vercel's global CDN and AWS's world-class physical security, automated backups, and redundant data storage.
Data Isolation
Every workspace is logically isolated at the database level using Supabase Row Level Security (RLS) policies. This ensures users can only ever access data belonging to their own workspace, even at the query level.
AI Privacy
AI features are powered by Anthropic Claude. Your data is processed in real time for generating insights and is not stored by Anthropic. Critically, Anthropic does not use API inputs for model training, so your business data never trains the AI.
Access Control
Role-based access control supports four permission levels: Owner, Admin, Membership Admin, and Member. Each role has granular permissions controlling who can create, edit, delete, or view workspace content.
Bring-Your-Own-Key (BYOK)
Lifetime-plan users can supply their own Anthropic API key. Keys are encrypted with AES-256-GCM using a per-environment master key (BYOK_ENCRYPTION_KEY) and never sent to the browser. Pending-signup passwords are encrypted with the same primitive, AAD-bound to the buyer's lowercase email.
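What AAD binding buys, as an added example (not 38os code): a ciphertext sealed for one email decrypts only when the same lowercase email is supplied again, so a blob copied onto another account's row fails authentication. The function names, the 12-byte IV, the iv || tag || ciphertext layout and the raw 32-byte key are assumptions of this sketch.

```javascript
// Works whether this file is loaded as CommonJS or as an ES module.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto');

const IV_LEN = 12;   // recommended GCM nonce size
const TAG_LEN = 16;  // full-length authentication tag

// Normalise the email the same way on both paths so case never matters.
const aadFor = (email) => Buffer.from(email.toLowerCase(), 'utf8');

// Encrypt `plaintext` under a 32-byte key, binding it to `email` as AAD.
// Returns iv || tag || ciphertext (layout assumed for this example).
function sealForEmail(key, email, plaintext) {
  const iv = nodeCrypto.randomBytes(IV_LEN); // fresh nonce for every message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aadFor(email));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Returns the plaintext, or null when the key, the email or the blob
// does not match what was sealed (GCM tag verification fails).
function openForEmail(key, email, blob) {
  if (blob.length < IV_LEN + TAG_LEN) return null; // truncated blob
  const iv = blob.subarray(0, IV_LEN);
  const tag = blob.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = blob.subarray(IV_LEN + TAG_LEN);
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv,
      { authTagLength: TAG_LEN });
    decipher.setAAD(aadFor(email));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch {
    return null; // never release unauthenticated plaintext
  }
}

// Constructed demo values; a real key would come from the environment.
function demo() {
  const key = nodeCrypto.randomBytes(32);
  const blob = sealForEmail(key, 'Buyer@Example.com', 'pending-signup-secret');
  return {
    sameBuyer: openForEmail(key, 'buyer@example.com', blob),
    otherBuyer: openForEmail(key, 'other@example.com', blob),
  };
}
```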
Platform-admin access requires consent
When platform admins need to inspect a workspace, they require an active platform_access_consents row for that workspace. Missing consent throws PlatformAccessDenied (HTTP 451). All admin-client calls require {actorUserId, actorRole, reasonCode} — missing reasonCode throws.
Impersonation v2 — bounded + audited
Magic-link-based impersonation writes a row to impersonation_sessions with a partial UNIQUE index enforcing one active session per admin. Sticky red banner with live countdown; HttpOnly + non-HttpOnly cookies. proxy.ts checks TTL before WAF on every request. Cron sweeps expired rows every 15 minutes.
Sign-off + version history
Every workflow change snapshots to row_history. Analysis, intake, and strategy sign-offs (signoffs table, mig 098/100) anchor to exact past versions. The signed document is auditable forever — even after edits.
How we handle your data
Transparency is central to our approach to security. Here is how your data flows through 38os.
Where is my data stored?
Your data is stored in Supabase-managed PostgreSQL databases hosted on AWS infrastructure. Databases are encrypted at rest and backed up automatically on a regular schedule.
Who has access to my data?
Only authorized members of your workspace can access your data, governed by role-based permissions. On our side, access to production data is restricted to essential engineering personnel, protected by multi-factor authentication, and logged for analysis purposes.
How does AI use my data?
When you use the AI advisor or generate analysis modules, your business data is sent to the Anthropic Claude API for processing. This happens in real time: your data is used to generate the response and is not retained by Anthropic afterward. Your data is never used to train or fine-tune AI models.
How is my data deleted?
You can delete all your data directly from Settings then Danger Zone. Upon confirmation, all associated personal data and workspace content is permanently removed from our systems. A confirmation dialog is required before deletion proceeds to prevent accidental loss. You can also contact our support team to request selective data deletion.
Compliance & Certifications
We are committed to meeting the highest standards of data protection and are actively working toward formal compliance certifications.
Security Foundations
- Data protection best practices
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- Row Level Security isolation
- Role-based access controls
- Two-factor authentication (TOTP)
- Account lockout after failed attempts
- Breached password detection (HIBP)
- Web Application Firewall (WAF)
- Security analysis logging
- Secure cloud infrastructure (AWS)
- Automated backup and recovery
- Responsible disclosure program
Upcoming Certifications
- SOC 2 Type II certification
- GDPR compliance program
- Penetration testing program
- Security analysis by third party
Responsible Disclosure
If you discover a security vulnerability in 38os, we encourage you to report it responsibly. We take all security reports seriously and will investigate promptly.
Please report security vulnerabilities via our contact page:
Contact Us
Please include a detailed description of the vulnerability, steps to reproduce, and any supporting evidence. We ask that you give us reasonable time to address the issue before disclosing it publicly.