Trust & Safety

Security

Financial data is among the most sensitive data a business holds. This page explains exactly how Owner CFO protects yours — with honesty about what we do and do not have in place.

Last updated: 24 May 2026

Honest Disclosure

Owner CFO is an early-stage product. We have not yet completed a formal SOC 2 or ISO 27001 audit for our own operations. However, our entire infrastructure runs on providers that are themselves SOC 2 Type II and ISO 27001 certified. We are working toward our own certifications — see the roadmap below.

Architecture

Owner CFO is a Next.js 14 application (App Router) hosted on Vercel, backed by Supabase (PostgreSQL 17 + Auth + Storage) hosted in the ap-northeast-1 (Tokyo) region.

  • Supabase holds SOC 2 Type II and ISO 27001 certifications for its managed infrastructure.
  • Vercel holds SOC 2 Type II certification.
  • Your database, auth tokens, and uploaded files (receipts) never leave the Supabase ap-northeast-1 region during normal operation.
  • AI features route through OpenRouter to DeepSeek (text) and Qwen2.5-VL (vision). These are transient API calls — data is not persistently stored by these providers.

Encryption

In transit

TLS 1.3 enforced on all connections. HTTP to HTTPS redirect at the CDN layer. No plaintext transport.

At rest

AES-256 encryption for all data at rest (Supabase + Vercel defaults). Receipt files in Supabase Storage are encrypted at rest.

Passwords

Handled by Supabase Auth (bcrypt). We never see or store plaintext passwords.

API keys

Service-role keys are environment variables, never exposed to the browser. The anon key is public by design — it grants no elevated access.

Access Control

Row-Level Security (RLS) is enabled on every table in the database. This is PostgreSQL-native isolation — your data is invisible to other accounts at the database layer, not just the application layer.

Even if there were a bug in the application code, a correctly authenticated user for Entity A cannot read, write, or delete records belonging to Entity B. The database enforces this independently.

We use a four-role model within each entity:

Role          Access
Owner         Full access including billing and team management
Shareholder   Full read + write except team and billing
Accountant    Business-only rows; category and GST only
Viewer        Read-only on business rows
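The isolation and role model described above can be expressed directly as PostgreSQL RLS policies. The following is an added illustration, not Owner CFO's own schema or code: the table and column names (entity_members, transactions, is_business, gst_code) and the interpretation of "business-only rows" as a boolean flag are assumptions, and auth.uid() is Supabase's helper that returns the user id from the request's JWT.

```sql
-- Added illustration of entity isolation with PostgreSQL RLS.
-- Not Owner CFO's schema: table/column names (entity_members, transactions,
-- is_business) are assumed. auth.uid() is Supabase's helper that returns the
-- user id carried in the request's JWT.

create table entity_members (
  entity_id uuid not null,
  user_id   uuid not null,           -- the value auth.uid() returns for this user
  role      text not null check (role in ('owner', 'shareholder', 'accountant', 'viewer')),
  primary key (entity_id, user_id)
);

create table transactions (
  id           uuid primary key default gen_random_uuid(),
  entity_id    uuid not null,
  is_business  boolean not null default true,  -- assumed business/personal split
  amount_cents bigint not null,
  category     text,
  gst_code     text
);

alter table entity_members enable row level security;
alter table transactions   enable row level security;
-- Apply the policies even to the table owner, so an application bug that
-- runs with elevated privileges still cannot cross entity boundaries.
alter table transactions force row level security;

-- The caller's role in one entity, or NULL if they are not a member.
-- SECURITY DEFINER lets the policies consult entity_members without
-- granting callers a broad read on that table.
create or replace function current_entity_role(p_entity uuid)
returns text language sql stable security definer as $$
  select role from entity_members
  where entity_id = p_entity and user_id = auth.uid()
$$;

-- Users see only their own membership rows.
create policy members_self on entity_members
  for select using (user_id = auth.uid());

-- Read: owner and shareholder see every row of their entity; accountant and
-- viewer see business rows only. A non-member (Entity B's user) gets no rows.
create policy txn_select on transactions for select using (
  current_entity_role(entity_id) in ('owner', 'shareholder')
  or (current_entity_role(entity_id) in ('accountant', 'viewer') and is_business)
);

-- Insert and delete: owner and shareholder only. The WITH CHECK clause
-- stops a member of Entity A from inserting a row tagged with Entity B.
create policy txn_insert on transactions for insert with check (
  current_entity_role(entity_id) in ('owner', 'shareholder')
);
create policy txn_delete on transactions for delete using (
  current_entity_role(entity_id) in ('owner', 'shareholder')
);

-- Update: owner and shareholder on any row; accountant on business rows only.
create policy txn_update on transactions for update using (
  current_entity_role(entity_id) in ('owner', 'shareholder')
  or (current_entity_role(entity_id) = 'accountant' and is_business)
) with check (
  current_entity_role(entity_id) in ('owner', 'shareholder')
  or (current_entity_role(entity_id) = 'accountant' and is_business)
);

-- RLS is row-scoped, so the accountant's "category and GST only" limit is
-- enforced by a trigger that rejects changes to any other column.
create or replace function enforce_accountant_columns()
returns trigger language plpgsql as $$
begin
  if current_entity_role(new.entity_id) = 'accountant' and (
       new.amount_cents is distinct from old.amount_cents
    or new.is_business  is distinct from old.is_business
    or new.entity_id    is distinct from old.entity_id
  ) then
    raise exception 'accountant role may change category and GST only';
  end if;
  return new;
end $$;

create trigger transactions_accountant_columns
  before update on transactions
  for each row execute function enforce_accountant_columns();
```

With these policies in place, a SELECT issued through the API by a user who has no entity_members row for Entity B simply returns no Entity B rows; the application code never gets the chance to leak them. Two points worth checking in any such setup: every table that carries an entity_id needs its own policies (a single unprotected table undoes the guarantee), and in a Supabase project the authenticated role still needs ordinary GRANTs on the tables, since RLS filters rows rather than granting access.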

Multi-factor authentication (TOTP) is available and recommended. Enable it in Settings → Security.

Our internal team accesses production data only through Supabase's authenticated dashboard, with MFA enforced. No direct database credentials are shared via unsecured channels.

Audit Logging

Critical operations — transaction classifications, category changes, GST return filings — are written to an immutable txn_audit_log table. Each row records the user, timestamp, action, and before/after values.

Data export requests are logged to a separate data_export_audit table, providing a chain of custody record.
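An audit table is only "immutable" if the database refuses rewrites regardless of which code path asks for them. The following is an added illustration of that pattern, not Owner CFO's own code: the column list, the actions recorded, and the minimal stand-in transactions table are assumptions, and auth.uid() is Supabase's helper that returns the user id from the request's JWT.

```sql
-- Added illustration of an append-only audit table fed by triggers.
-- Not Owner CFO's code: the column list, the recorded actions and the
-- minimal transactions table are assumed. auth.uid() is Supabase's helper
-- that returns the user id carried in the request's JWT.

create table transactions (             -- minimal stand-in for the real table
  id        uuid primary key default gen_random_uuid(),
  entity_id uuid not null,
  category  text,
  gst_code  text
);

create table txn_audit_log (
  id          uuid primary key default gen_random_uuid(),
  occurred_at timestamptz not null default now(),
  actor_id    uuid,                 -- who: auth.uid() at the time of the change
  action      text not null,        -- 'insert', 'update' or 'delete'
  txn_id      uuid not null,        -- which transaction row
  before      jsonb,                -- row image before the change (NULL on insert)
  after       jsonb                 -- row image after the change (NULL on delete)
);

-- No policies on the audit table: with RLS enabled and none defined, API
-- users can neither read nor write it directly (internal access only). The
-- recording trigger below is SECURITY DEFINER, so it can still append.
alter table txn_audit_log enable row level security;

-- Immutability: reject every UPDATE, DELETE and TRUNCATE, whoever issues it.
-- A trigger fires regardless of grants. Statement-level because TRUNCATE
-- triggers must be, and it covers UPDATE/DELETE without per-row cost.
create or replace function audit_log_is_append_only()
returns trigger language plpgsql as $$
begin
  raise exception 'txn_audit_log is append-only: % is not permitted', tg_op;
end $$;

create trigger txn_audit_log_no_rewrite
  before update or delete or truncate on txn_audit_log
  for each statement execute function audit_log_is_append_only();

-- Record who changed what, with before/after images, on every write.
-- In a DELETE trigger NEW is NULL and in an INSERT trigger OLD is NULL,
-- so field access on the absent record yields NULL and coalesce picks the
-- one that exists.
create or replace function record_txn_change()
returns trigger language plpgsql security definer as $$
begin
  insert into txn_audit_log (actor_id, action, txn_id, before, after)
  values (
    auth.uid(),
    lower(tg_op),
    coalesce(new.id, old.id),
    case when tg_op in ('UPDATE', 'DELETE') then to_jsonb(old) end,
    case when tg_op in ('INSERT', 'UPDATE') then to_jsonb(new) end
  );
  return null;   -- AFTER trigger: the return value is ignored
end $$;

create trigger transactions_audit
  after insert or update or delete on transactions
  for each row execute function record_txn_change();
```

The trigger-based guard holds for every application role, including the service-role key, because it is evaluated by the database on the statement itself. It does not bind a superuser, who can disable or drop the trigger, which is why the dashboard-with-MFA rule for internal access matters as much as the schema: the audit trail is only as strong as the controls on the accounts that can alter it.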

We are building toward surfacing the audit log as a user-facing feature ("Why did this number change?") — currently available internally.

Payments & PCI DSS

Owner CFO is not PCI DSS certified — and does not need to be, because we never store or process card data directly.

All payment processing is handled by Stripe, which is a PCI DSS Level 1 Service Provider (the highest level of certification). Card numbers never touch our servers.

Incident Response

In the event of a confirmed security incident affecting customer data:

  1. We contain and assess the incident within 24 hours of detection.
  2. We notify affected customers by email within 72 hours of confirming a breach (aligned with GDPR Article 72 and NZ Privacy Act 2020 notification obligations).
  3. We provide details of what was accessed, what we're doing, and what you should do.
  4. We report to the NZ Privacy Commissioner if the breach is notifiable under the Privacy Act 2020.

To report a suspected security issue, email security@ownercfo.com. We acknowledge all reports within 48 hours.

Vulnerability Disclosure

We welcome responsible disclosure from security researchers. Email security@ownercfo.com with details of any vulnerability you discover. We will:

  • Acknowledge your report within 48 hours
  • Investigate and validate within 14 days
  • Coordinate disclosure timing with you
  • Credit you publicly (with your permission)

A formal bug bounty programme is planned for Q3 2026. Until then, we have no financial rewards but commit to ethical researcher engagement.

Security Roadmap

What we're working toward — these are targets, not guarantees:

Q3 2026   Annual penetration test (third-party)
Q3 2026   Formal bug bounty programme launch
Q4 2026   SOC 2 Type I audit
Q2 2027   SOC 2 Type II audit
2027      ISO 27001 certification (own scope)