01Infrastructure
ovia runs on major, hardened cloud infrastructure — not servers under someone's desk.
ovia is hosted on Amazon Web Services, in data centers with strong physical security and independent compliance certifications (including ISO 27001 and SOC 2). Production runs in isolated network environments with security groups, private subnets, and least-privilege service roles. We use Cloudflare for DDoS protection, DNS, and edge security.
02Encryption
All data is encrypted in transit using TLS 1.2 or higher, and at rest using AES-256. Secrets and tokens are stored in a managed secrets vault, encrypted with keys that are rotated regularly and never committed to source code.
03Access controls
Inside ovia, you control who on your team and your clients can see what. Inside our company, very few people can touch production, and only when they need to.
Within the app, role-based permissions (Admin, Editor, Reviewer, Viewer, and Client-Approver) let you scope exactly what each teammate and client can access, with per-board overrides. Every status change, edit, comment, approval, and login is captured in an audit log.
Internally, access to production systems is restricted to a small number of authorized staff, granted on a least-privilege, need-to-know basis, protected by SSO and mandatory two-factor authentication, and reviewed periodically. Administrative access is logged.
04Application security
Security is part of how we build. Our practices include peer code review on every change, automated dependency and vulnerability scanning in CI, static analysis, and a documented change-management process. We patch known vulnerabilities promptly based on severity and engage independent specialists for periodic penetration testing.
05Isolation & backups
Each workspace's data is logically isolated, and the application enforces tenant boundaries on every request so one agency can never see another's content. Data is backed up regularly with encrypted, access-controlled backups, and we maintain a disaster-recovery plan with defined recovery objectives that we test.
07Availability & monitoring
We monitor the health and performance of the Service continuously, with alerting for anomalies and errors (using tools such as Sentry for diagnostics). Our public status page reports incidents and uptime. As a public beta, we're transparent that we don't yet offer a contractual uptime SLA — see the Terms.
08Compliance & privacy
We're built to GDPR and CCPA expectations and offer a DPA. We're pursuing SOC 2 — and we'll say so plainly until we have the report in hand.
We handle personal data in line with the GDPR and CCPA/CPRA, as described in our Privacy Policy, and we offer a Data Processing Addendum with EU Standard Contractual Clauses for international transfers. Our sub-processors are listed in the Privacy Policy.
We're currently working toward a SOC 2 Type II examination. We don't claim certifications we don't hold; when the report is available, we'll make it available under NDA. If your security team needs a questionnaire completed in the meantime, email hello@ovia.co.
09Responsible disclosure
If you believe you've found a security vulnerability, we want to hear from you. Email hello@ovia.co with details and steps to reproduce. We'll acknowledge your report, investigate promptly, and keep you updated. We ask that you give us reasonable time to remediate before public disclosure and avoid accessing or modifying others' data; we won't pursue good-faith research conducted under this policy.
10Your part
Security is shared. You can help keep your workspace safe by using a strong, unique password, enabling two-factor authentication, reviewing who has access to your workspace and client portals, removing teammates when they leave, and granting clients only the access they need.
06Social account credentials
We connect to social platforms with secure tokens, not passwords. You and your clients can revoke access at any time.
When you or your clients connect a social account, ovia uses the platform's official OAuth flow. We receive scoped access tokens — we never see or store social-account passwords. Tokens are encrypted at rest, request only the permissions ovia needs, and can be revoked at any time from ovia or directly from the platform.