Security and trust you can verify.

Owlie is built for security-sensitive identity and access workflows, with tenant-scoped architecture, strong authentication controls, and a dedicated Trust Center for formal review materials.

Compliance Status

SOC 2 Type II audit scheduled for Q2 2026.

Owlie's SOC 2 Type II audit observation window is scheduled to begin in April 2026 and run for three months, with the report expected in August 2026. Formal audit artifacts and related security materials are published through the Trust Center.

Platform Security

System-wide controls, not just feature-level workflows.

Owlie separates platform security controls from product workflows. The sections below cover platform-level protections such as tenant isolation, authentication, encryption, and internal service security first, then describe application-level controls like approvals, audit trails, connectors, and automation.

Infrastructure and Hosting

Owlie runs on Cloudflare Workers and Durable Objects with PostgreSQL on Neon. This architecture minimizes long-lived server exposure while preserving tenant-scoped application state where needed.

  • Cloudflare Workers and Durable Objects for application runtime
  • PostgreSQL on Neon for primary relational data storage
  • Object storage for sync archives and related operational data

Tenant Isolation

Owlie is designed as a multi-tenant platform with tenant-scoped request handling, sessions, durable object state, and data access patterns across core services including authentication, API access, provisioning, and sync.

  • Tenant context enforced across core service boundaries
  • Tenant-bound sessions and service state
  • Tenant-scoped data access patterns throughout the platform

Authentication and Sessions

Owlie supports strong account security controls including MFA, passkeys, secure session handling, CSRF protections, and controls intended to reduce account abuse and user enumeration.

  • Support for TOTP and passkeys
  • Tenant-bound cookies and session rotation
  • CSRF protections on authentication flows
  • Rate limiting on sensitive authentication paths
  • Support for OPAQUE-based password authentication, so raw user passwords are not stored by Owlie

Encryption and Secret Handling

Owlie uses TLS 1.2 or higher for data in transit. Primary PostgreSQL data stored in Neon is encrypted at rest with AES-256, and Owlie uses a dedicated key management service to protect sensitive tenant-scoped secrets and selected sensitive attributes within the application layer.

  • TLS 1.2 or higher for data in transit
  • AES-256 encryption at rest for PostgreSQL storage via Neon
  • Tenant-bound encryption context and versioned tenant keys
  • KMS-backed protection for sensitive integration configuration and selected provisioning attributes
  • Sensitive credentials decrypted only when required for authorized runtime operations

Internal Service Security

Sensitive internal operations use authenticated service-to-service communication, scoped internal identities, and audited access to encryption functions and key operations.

  • SSO and MFA for internal access to critical systems
  • Restricted production access for Owlie personnel
  • Scoped internal service identities for sensitive operations
  • Policy-restricted access to key management operations
  • Audit logging for key encryption and decryption events

Product Security and Governance

Configurable controls inside the product.

The controls below describe application-level governance and security capabilities available within Owlie. They complement the platform security controls above, but they are not the same thing.

Authentication and Login Controls

Owlie allows tenants to configure supported authentication methods, MFA options, and additional login-flow requirements for their users.

  • Configurable authentication methods including magic link, password, OPAQUE-based password auth, and OAuth / SSO
  • Configurable MFA methods including OTP and passkeys
  • Custom login steps such as legal agreements and progressive profiling

Approvals and Auditability

Owlie supports approval-based access request workflows, fulfillment controls, and audit-style timelines for request and access changes.

  • Approval-based access request workflows
  • Ticket-gated manual fulfillment paths
  • Audit-style event timelines for request and access changes

Access Controls and Experience Separation

Owlie is designed with role-based controls and distinct product experiences for end users and administrators.

  • Role-based access controls to limit who can perform sensitive actions
  • Separate admin and end-user dashboard experiences
  • Approval-based controls for selected high-sensitivity workflows

Integration Controls

Connector configuration is tenant-scoped, connection flows are validated, and sensitive connector credentials are protected and only decrypted when needed for authorized operations.

  • Tenant-scoped connector configuration and credentials
  • Validated connection and callback flows
  • Runtime-only decryption of sensitive connector secrets

Controlled Automation

Customer-submitted functions run in isolated worker runtimes, with outbound network access deny-by-default and optional allowlists for approved destinations.

  • Isolated worker runtimes for customer-submitted code
  • Deny-by-default outbound network access
  • Allowlists for approved external destinations

Trust Center and Compliance

Owlie's Trust Center contains security documentation and review materials, including formal artifacts shared as part of customer and auditor review processes.

  • SOC 2 Type II audit in progress
  • Third-party penetration testing as part of Owlie's security program
  • Public privacy, terms, and data processing documentation available for review
  • Security review materials shared through the Trust Center

Security Contact and Legal

If you believe you've identified a security issue, please review our disclosure process or contact our security team directly.

Owlie reviews and triages security reports through the disclosure process. The Privacy Policy, Terms, Data Processing Addendum, and Acceptable Use Policy are publicly available to support customer review.

  • Trust Center: trust.owlie.com
  • SOC 2 program in progress
  • security@owlie.com

Need formal review materials?

Owlie's Trust Center includes the documents and evidence used in security and compliance reviews.