Trust Center

We believe in radical transparency about our security posture. This page tells you what protections are in place today, what certifications we hold (and don't), and where we're heading.

Last updated: 24 May 2026

Compliance Status

SOC 2 Type II (via Supabase)

Our database infrastructure is hosted on Supabase, which holds SOC 2 Type II certification. Your data lives in their certified environment.

In place

ISO 27001 (via Supabase)

Supabase holds ISO 27001 certification for its managed infrastructure.

In place

SOC 2 Type II (via Vercel)

Our web hosting and edge functions run on Vercel, which holds SOC 2 Type II certification.

In place

PCI DSS Level 1 (via Stripe)

All payment processing is handled by Stripe (PCI DSS Level 1). We never store card data.

In place

TLS 1.3 + AES-256 encryption

All data encrypted in transit and at rest by default.

In place

Row-Level Security (RLS) on all tables

Database-native tenant isolation — not just application-layer access control.

In place
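To make concrete what "database-native tenant isolation" means in practice, here is an added illustration of a Postgres row-level-security policy of the kind Supabase supports. It is not Owner CFO's own schema or policy; the table name `transactions`, its columns, and the use of Supabase's `auth.uid()` helper and `authenticated` role are assumptions for the example.

```sql
-- Added illustration (not Owner CFO's schema). Assumes a Supabase/Postgres
-- database, where auth.uid() returns the calling user's id from the JWT
-- and "authenticated" is the role used for logged-in API requests.
CREATE TABLE transactions (
  id          bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  owner_id    uuid NOT NULL DEFAULT auth.uid(),
  description text,
  amount      numeric(12,2) NOT NULL
);

-- Until RLS is enabled, any role with table privileges sees every row;
-- this is the switch that makes the database itself enforce isolation.
ALTER TABLE transactions ENABLE ROW LEVEL SECURITY;
-- Apply the policies to the table owner as well, so an owning app role
-- cannot read across tenants by accident.
ALTER TABLE transactions FORCE ROW LEVEL SECURITY;

-- One policy per operation: rows are visible and writable only to their owner.
CREATE POLICY transactions_select ON transactions
  FOR SELECT TO authenticated
  USING (owner_id = auth.uid());

CREATE POLICY transactions_insert ON transactions
  FOR INSERT TO authenticated
  WITH CHECK (owner_id = auth.uid());

CREATE POLICY transactions_update ON transactions
  FOR UPDATE TO authenticated
  USING (owner_id = auth.uid())
  WITH CHECK (owner_id = auth.uid());

CREATE POLICY transactions_delete ON transactions
  FOR DELETE TO authenticated
  USING (owner_id = auth.uid());

-- Verification: a session carrying another user's JWT gets zero rows back,
-- not an error, so check isolation with a count rather than by expecting
-- a failure.
SELECT count(*) FROM transactions;  -- expect 0 when the caller owns no rows
```

Two caveats a reviewer would check against the "on all tables" claim: RLS is per table, so a single table created without `ENABLE ROW LEVEL SECURITY` is readable by any authenticated client, and Supabase's service-role key bypasses RLS entirely, so that key must never reach a browser or client build.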

SOC 2 Type I (Owner CFO Ltd, own scope)

Planned Q4 2026. We will audit our own operational controls, not just our providers'.

Roadmap

SOC 2 Type II (Owner CFO Ltd, own scope)

Planned Q2 2027, following Type I.

Roadmap

ISO 27001 (Owner CFO Ltd, own scope)

Planned 2027.

Roadmap

GDPR adequacy / EU data residency option

Customer data is currently hosted in the ap-northeast-1 region. An EU residency option is planned if customer demand warrants it.

Roadmap

Subprocessors

These are the third-party services that process your data as part of delivering Owner CFO. We maintain Data Processing Agreements with each.

Provider | Role | Data involved | Certifications
Supabase | Database, auth, storage | All customer data | SOC 2 Type II, ISO 27001
Vercel | Hosting, CDN, edge | Request logs, env vars | SOC 2 Type II
Stripe | Billing payments | Billing name, address only | PCI DSS Level 1, SOC 2
OpenRouter | AI routing | Transaction descriptions, receipt images (transient) | SOC 2 (in progress)
DeepSeek | AI text model | Transaction descriptions (transient, via OpenRouter) | (none listed)
Qwen (Alibaba Cloud) | Receipt OCR | Receipt images (transient, via OpenRouter) | ISO 27001 (Alibaba Cloud)
Resend | Transactional email | Email address, notification content | SOC 2 Type II

We will provide 14 days' notice of any material change to this list.

AI & Data Privacy

When you use AI categorisation or receipt OCR, transaction descriptions and/or receipt images are sent to OpenRouter, which routes them to DeepSeek or Qwen models. This is a transient API call — the data is not persistently stored by those providers, and it is not used for training (per our API agreements).

We never use your Customer Data to train our own models, and we do not sell it.

You can disable AI features in Settings → Account → AI features if you prefer purely heuristic categorisation.

Contact

Security issues: security@ownercfo.com

Privacy matters: privacy@ownercfo.com

General questions: support@centriweb.com