A plain-language overview of OTP's security practices. For the full posture — subprocessors, compliance status, incident response — see the Trust & Security page. For live health, see status.
OTP is a multi-tenant application. Every organization's data is scoped to that organization at the application layer on every route, and cross-organization reads pass through a single shared visibility control. This boundary was traced and verified in a recent code-level security audit. Isolation is enforced in the application, not via database row-level security — we state that plainly.
User authentication is handled by Clerk, a dedicated managed identity provider — we do not roll our own session or password handling. Inside an organization, access is role-based, and privileged actions are bounded so a member cannot escalate their own privileges. Administrative access uses session authentication; the one automation path uses an environment-held secret compared in constant time.
All traffic is served over TLS (HTTPS). Data is encrypted in transit; stored file attachments are held encrypted. Invitation, API, and OAuth tokens are stored only as salted hashes, never in plaintext.
Application secrets live only in the deployment environment, never in source control. The production dependency tree passes a clean security audit with zero known vulnerabilities, and dependencies are kept current. Every change to production must pass automated type-checking, a security-regression test suite, and a build before it can merge — enforced by branch protection.
Webhooks from third parties (billing, identity) are cryptographically signature-verified against the raw request body before any payload is trusted. Cross-origin requests are restricted to an explicit allowlist.
You can bring your own AI key, so AI processing runs on your own model provider rather than ours. Data export is available on request and honored quickly; account and organization deletion are supported. Leaving is designed in, not bolted on.
Raw meeting transcripts are never stored. Every transcript passes through automated redaction the moment it is ingested, on every ingestion path including the API: sensitive content (emails, phone numbers, financial figures, credentials, names) is replaced with tokens in memory and the original is discarded. You review and may edit the redacted version before anything is saved. Any deviation from the automated redaction is user-initiated: the editor warns inline when an edit reintroduces sensitive-looking content, edited transcripts require an explicit acknowledgment before saving, and every change is immutably attributed in an append-only, admin-readable, exportable audit trail recording who changed what, when, after what warning, and under what acknowledgment. Even reads of that trail are logged.
We welcome reports from security researchers and treat them as a gift, not a threat. If you believe you've found a vulnerability, email security@orgtp.com with enough detail to reproduce it.
We acknowledge reports within 1 business day, keep you updated as we investigate, and credit you once a fix ships if you'd like.
Testing done in good faith under this policy — without harming data, degrading service, or accessing others' information — will not lead to legal action from us.
orgtp.com and its API. Authentication, tenant isolation, injection, access control, and data-exposure issues are of particular interest.
Automated scanning that degrades service, social engineering of our team or customers, physical attacks, and accessing or modifying data that isn't yours. Report, don't exploit.
Machine-readable: /.well-known/security.txt
Reviewing OTP for your organization? The full Trust & Security page covers subprocessors, compliance status, and data processing.