Security

Last updated June 2026

Security is foundational to Ostler. Here’s how your data is protected.

Tenant isolation

Every organisation’s data is separated at the database level with PostgreSQL row-level security, so one customer can never see another’s records.

Encryption

  • In transit: all traffic is served over HTTPS with HSTS enforced.
  • At rest: the database and file storage are encrypted.
  • Integration tokens (e.g. Xero) are encrypted with AES-256-GCM before storage.

Authentication & access

  • Authentication is handled by Supabase, with email/password, magic links and prefetch-safe reset.
  • Single sign-on with Microsoft Entra is available.
  • Role-based access (owner / admin / member) with granular per-area permissions.

Payments

Subscriptions are processed by Stripe (PCI-DSS Level 1). We never see or store full card numbers.

Platform & hardening

  • Hosted on Vercel; database, auth and storage on Supabase.
  • Security headers (HSTS, no-sniff, clickjacking and referrer protection) on every response.
  • Least-privilege service access and signed, verified webhooks.

Responsible disclosure

Found a vulnerability? Please email hello@ostler.io. We’ll respond promptly and work with you on a fix.

Questions? Contact us or email hello@ostler.io.