Security

How we protect your data, in one page.

A plain-language overview of OTP's security practices. For the full posture — subprocessors, compliance status, incident response — see the Trust & Security page. For live health, see status.

Security practices

01

Architecture & tenant isolation

OTP is a multi-tenant application. Every organization's data is scoped to that organization at the application layer on every route, and cross-organization reads pass through a single shared visibility control. This boundary was traced and verified in a recent code-level security audit. Isolation is enforced in the application, not via database row-level security — we state that plainly.

02

Authentication & access control

User authentication is handled by Clerk, a dedicated managed identity provider — we do not roll our own session or password handling. Inside an organization, access is role-based, and privileged actions are bounded so a member cannot escalate their own privileges. Administrative access uses session authentication; the one automation path uses an environment-held secret compared in constant time.

03

Encryption

All traffic is served over TLS (HTTPS). Data is encrypted in transit; stored file attachments are held encrypted. Invitation, API, and OAuth tokens are stored only as salted hashes, never in plaintext.

04

Secrets, dependencies & delivery

Application secrets live only in the deployment environment, never in source control. The production dependency tree passes a clean security audit with zero known vulnerabilities, and dependencies are kept current. Every change to production must pass automated type-checking, a security-regression test suite, and a build before it can merge — enforced by branch protection.

05

Inbound integrations

Webhooks from third parties (billing, identity) are cryptographically signature-verified against the raw request body before any payload is trusted. Cross-origin requests are restricted to an explicit allowlist.

06

Your data, your control

You can bring your own AI key, so AI processing runs on your own model provider rather than ours. Data export is available on request and honored quickly; account and organization deletion are supported. Leaving is designed in, not bolted on.

07

Meeting transcripts & redaction

Raw meeting transcripts are never stored. Every transcript passes through automated redaction the moment it is ingested, on every ingestion path including the API: sensitive content (emails, phone numbers, financial figures, credentials, names) is replaced with tokens in memory and the original is discarded. You review and may edit the redacted version before anything is saved. Any deviation from the automated redaction is user-initiated: the editor warns inline when an edit reintroduces sensitive-looking content, edited transcripts require an explicit acknowledgment before saving, and every change is immutably attributed in an append-only, admin-readable, exportable audit trail recording who changed what, when, after what warning, and under what acknowledgment. Even reads of that trail are logged.

Responsible disclosure

Found something? Tell us.

We welcome reports from security researchers and treat them as a gift, not a threat. If you believe you've found a vulnerability, email security@orgtp.com with enough detail to reproduce it.

What to expect

We acknowledge reports within 1 business day, keep you updated as we investigate, and credit you once a fix ships if you'd like.

Good-faith safe harbor

Testing done in good faith under this policy — without harming data, degrading service, or accessing others' information — will not lead to legal action from us.

In scope

orgtp.com and its API. Authentication, tenant isolation, injection, access control, and data-exposure issues are of particular interest.

Please avoid

Automated scanning that degrades service, social engineering of our team or customers, physical attacks, and accessing or modifying data that isn't yours. Report, don't exploit.

Machine-readable: /.well-known/security.txt

Reviewing OTP for your organization? The full Trust & Security page covers subprocessors, compliance status, and data processing.