Your data security is our priority
38os is built with enterprise-grade security practices to ensure your business data is protected at every layer of the stack
Encryption
All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher. Your information is protected both when stored on our servers and when moving between your browser and our infrastructure.
Authentication
User authentication is handled through Supabase Auth with support for email/password login and Google OAuth. Sessions are securely managed with HTTP-only cookies and automatic token rotation.
Infrastructure
38os is hosted on Vercel's edge network for application delivery, with our database infrastructure on Supabase (running on Amazon Web Services). We benefit from Vercel's global CDN and AWS's world-class physical security, automated backups, and redundant data storage.
Data Isolation
Every workspace is logically isolated at the database level using Supabase Row Level Security (RLS) policies. This ensures users can only ever access data belonging to their own workspace, even at the query level.
AI Privacy
AI features are powered by Anthropic Claude. Your data is processed in real time for generating insights and is not stored by Anthropic. Critically, Anthropic does not use API inputs for model training, so your business data never trains the AI.
Access Control
Role-based access control supports four permission levels: Owner, Admin, Member, and Viewer. Each role has granular permissions controlling who can create, edit, delete, or view workspace content.
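Added example, not 38os code: one way to express the workspace isolation described under Data Isolation and the four-role model described under Access Control as Postgres Row Level Security policies in the style Supabase uses. The table names (workspaces, workspace_members, documents), the helper function current_role_in and the mapping of roles to operations are assumptions; auth.uid() is Supabase's real helper that returns the calling user's id from the request JWT.

```sql
-- Added example (not 38os code): workspace isolation plus role-based
-- permissions enforced with Row Level Security. Schema and helper names
-- are assumptions; auth.uid() is the real Supabase JWT helper.

create table workspaces (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- Membership row per (workspace, user); role is one of the four levels.
create table workspace_members (
  workspace_id uuid not null references workspaces(id) on delete cascade,
  user_id      uuid not null,  -- matches auth.users.id in Supabase
  role         text not null check (role in ('owner', 'admin', 'member', 'viewer')),
  primary key (workspace_id, user_id)
);

create table documents (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null references workspaces(id) on delete cascade,
  title        text not null,
  body         text
);

-- RLS is off by default: until it is enabled and a policy exists,
-- any authenticated client can read every row through the API.
alter table workspaces        enable row level security;
alter table workspace_members enable row level security;
alter table documents         enable row level security;

-- Caller's role in a workspace, or NULL when not a member.
-- SECURITY DEFINER runs as the table owner, which avoids a policy on
-- workspace_members recursing into itself.
create or replace function current_role_in(ws uuid)
returns text
language sql stable security definer
set search_path = public
as $$
  select role
  from workspace_members
  where workspace_id = ws and user_id = auth.uid()
$$;

-- Viewer and above may read documents in their own workspaces only.
create policy documents_select on documents
  for select using (current_role_in(workspace_id) is not null);

-- Member and above may create and edit. WITH CHECK also stops a row
-- from being moved into a workspace the caller does not belong to.
create policy documents_insert on documents
  for insert with check (current_role_in(workspace_id) in ('owner', 'admin', 'member'));

create policy documents_update on documents
  for update
  using      (current_role_in(workspace_id) in ('owner', 'admin', 'member'))
  with check (current_role_in(workspace_id) in ('owner', 'admin', 'member'));

-- Only owner and admin may delete.
create policy documents_delete on documents
  for delete using (current_role_in(workspace_id) in ('owner', 'admin'));

-- Members may see who else is in their workspace.
create policy members_select on workspace_members
  for select using (current_role_in(workspace_id) is not null);

-- Members may see their own workspaces.
create policy workspaces_select on workspaces
  for select using (current_role_in(id) is not null);
```

The check a practitioner would run after applying this: query documents through the API with a JWT for a user who belongs to workspace A and confirm that no row with workspace B's id is returned, then repeat with a viewer's token and confirm that an insert or update is rejected. Two caveats apply to any RLS design: a table with RLS enabled but no policy returns nothing rather than everything, which is the safe default, and Supabase's service-role key bypasses RLS entirely, so it must stay on the server and never reach a browser.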
How we handle your data
Transparency is central to our approach to security. Here is how your data flows through 38os.
Where is my data stored?
Your data is stored in Supabase-managed PostgreSQL databases hosted on AWS infrastructure. Databases are encrypted at rest and backed up automatically on a regular schedule.
Who has access to my data?
Only authorized members of your workspace can access your data, governed by role-based permissions. On our side, access to production data is restricted to essential engineering personnel, protected by multi-factor authentication, and logged for audit purposes.
How does AI use my data?
When you use the AI advisor or generate audit modules, your business data is sent to the Anthropic Claude API for processing. This happens in real time: your data is used to generate the response and is not retained by Anthropic afterward. Your data is never used to train or fine-tune AI models.
How is my data deleted?
When you delete your account, all associated personal data and workspace content is permanently removed from our systems within 30 days. You can also request selective data deletion by contacting our support team. Automated backups containing deleted data are cycled out within the same retention window.
Compliance & Certifications
We are committed to meeting the highest standards of data protection and are actively working toward formal compliance certifications.
Security Foundations
- Data protection best practices
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- Row Level Security isolation
- Role-based access controls
- Secure cloud infrastructure (AWS)
- Automated backup and recovery
- Responsible disclosure program
Upcoming Certifications
- SOC 2 Type II certification
- GDPR compliance program
- Penetration testing program
- Security audit by third party
Responsible Disclosure
If you discover a security vulnerability in 38os, we encourage you to report it responsibly. We take all security reports seriously and will investigate promptly.
Please email security vulnerabilities to:
security@38os.com
Please include a detailed description of the vulnerability, steps to reproduce, and any supporting evidence. We ask that you give us reasonable time to address the issue before disclosing it publicly.