Trust & Security

What we do with your data, stated plainly.

OTP is pre-SOC 2 and targeting SOC 2 Type II within six months. We document our controls openly here rather than hide behind a badge we have not yet earned. Our infrastructure runs on Railway, which is SOC 2 Type II certified and HIPAA compliant.

Last updated June 17, 2026

The network boundary

If you publish to OTP, here is exactly who sees what.

Private by default. Your operational data is scoped to your organization and is never exposed on any cross-org surface unless you take an explicit action to publish it.

Stays private to you

  • Quarterly priorities / Rocks
  • Issues and To-Dos
  • KPIs and scorecard values
  • Meeting data (leadership / L10)
  • Org chart
  • Member identities and profiles

Visible only when you publish

Each of these requires an explicit action by you.

  • Published learnings: only after you explicitly publish a learning to the network.
  • Best practices: only practices your organization chooses to publish.
  • Coordination patterns: derived only from published learnings, never from private data.
  • Org profile and chart: only if you set the organization profile to public.
  • KPIs: only KPIs you explicitly mark public.

Private organizations

Organizations flagged private are hard-excluded from every cross-org surface — browse, search, the intelligence graph, recommendations, published best-practices listings, and the network API — regardless of any per-item publish setting.

The exclusion is enforced through a single shared control, so the rule cannot drift between surfaces. A boot-time check rebuilds the network data view so that it carries the same exclusion.

Privacy is all-or-nothing at the organization level; there is no per-item private override.

Multi-tenant by design. Every record (priorities, to-dos, KPIs, meetings, org chart, learnings) carries an organization ID, and every request is bound to one organization before any data is read.

Tenant scoping is enforced in the application layer on every route, and every cross-org read additionally passes through one shared visibility control. We state plainly that isolation is enforced in the application, not by database row-level security.
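The two rules above (every request bound to one organization before any read; every cross-org surface filtered by one shared visibility control) are easy to state and easy to get wrong when each surface re-implements the check. The following is an added illustration, not OTP's own code: it assumes an in-memory store, the org and learning records shown, and hypothetical function names, and it shows a private organization whose published learning and public profile are still excluded from browse, search, the profile listing and the network API because all four route through the same predicate.

```python
"""Added illustration (not OTP's code) of tenant scoping plus a single shared
visibility control. Org IDs, records and function names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Org:
    org_id: str
    private: bool
    profile_public: bool = False


@dataclass(frozen=True)
class Learning:
    org_id: str
    title: str
    published: bool


@dataclass
class Request:
    org_id: str  # bound from the authenticated session before any read


# Constructed sample data. org_b has a public profile AND a published
# learning, but is flagged private, so nothing of it may leave the org.
ORGS = {
    "org_a": Org("org_a", private=False, profile_public=True),
    "org_b": Org("org_b", private=True, profile_public=True),
    "org_c": Org("org_c", private=False),
}

LEARNINGS = [
    Learning("org_a", "Weekly L10 scorecard review", published=True),
    Learning("org_a", "Internal hiring plan", published=False),
    Learning("org_b", "Quarterly rock cadence", published=True),
    Learning("org_c", "Onboarding checklist", published=True),
]


def network_visible(org: Org) -> bool:
    """The single shared control: the only place that decides whether an
    organization may appear on any cross-org surface."""
    return not org.private


def visible_org_ids() -> set:
    return {o.org_id for o in ORGS.values() if network_visible(o)}


# Tenant-scoped read: filtered by the org bound to the request, nothing else.
def my_learnings(req: Request) -> list:
    return [l for l in LEARNINGS if l.org_id == req.org_id]


# Cross-org surfaces: every one of them goes through visible_org_ids().
def browse_learnings() -> list:
    allowed = visible_org_ids()
    return [l for l in LEARNINGS if l.published and l.org_id in allowed]


def search_learnings(term: str) -> list:
    return [l for l in browse_learnings() if term.lower() in l.title.lower()]


def public_profiles() -> list:
    allowed = visible_org_ids()
    return [o.org_id for o in ORGS.values() if o.profile_public and o.org_id in allowed]


def network_api_learnings() -> list:
    return [{"org": l.org_id, "title": l.title} for l in browse_learnings()]


def assert_same_exclusion() -> bool:
    """Boot-time style check: no cross-org surface may contain a private org."""
    hidden = {o.org_id for o in ORGS.values() if o.private}
    surfaces = [
        {l.org_id for l in browse_learnings()},
        {l.org_id for l in search_learnings("")},
        set(public_profiles()),
        {r["org"] for r in network_api_learnings()},
    ]
    return all(not (s & hidden) for s in surfaces)


if __name__ == "__main__":
    print("private org leaked:", not assert_same_exclusion())
    print("browse:", [l.title for l in browse_learnings()])
```

The point of `assert_same_exclusion` is that it tests the surfaces, not the predicate: if a new surface were written with its own inline filter and forgot the private flag, this check fails at startup rather than after a leak.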

Infrastructure & encryption

Where your data lives and how it is protected.

Hosting
The application and a managed PostgreSQL 16 database run on Railway; file storage is on Cloudflare R2. Railway is SOC 2 Type II certified and HIPAA compliant; its SOC 2 report, BAAs, and penetration-test reports are available from Railway on request (trust.railway.com).
Data residency
EU West — Amsterdam, Netherlands (Railway region europe-west4).
Encryption
In transit, all connections use TLS. At rest, all customer data is encrypted at the storage layer by Railway, and service secrets carry an additional layer of encryption, decrypted only when needed. Application-issued tokens (demo access, email unsubscribe, admin impersonation) are signed with HMAC-SHA256 and verified in constant time. There is no application-level column encryption.
Retention
The realtime sync event log is pruned daily and retained 30 days. Audit logs are retained for 12 months. Most records use soft-delete (rows retained with a deletion timestamp for audit) until a hard-delete request is processed.
Backups & recovery
Daily automated PostgreSQL backups at 05:00 UTC, retained 30 days, stored in Railway-managed backup storage (EU West) and encrypted at rest. Recovery Point Objective 24 hours; Recovery Time Objective under 1 hour. Restores are performed and integrity-verified via the Railway dashboard, and restore operations are logged.
Data handling

Deletion, export, and AI processing.

Deletion
Day-to-day deletes are logical (soft-delete) so data can be recovered and audit trails preserved. On a verified deletion or right-to-be-forgotten request, personal data is permanently removed within 7 days.
Export
OTP can import data from Ninety.io and Bloom Growth exports. Customers may request a copy of their data; a self-serve export endpoint is on the roadmap.
AI processing
Some features (Ask AI, Rock AI) send the relevant organization content for that request to Anthropic's Claude API to generate a response. Anthropic does not train its models on data submitted through its paid API. OTP sends only the content needed for the requested feature, not your full data set.
Abuse protection
Per-IP rate limiting: 100 requests per minute globally, with tighter limits on sensitive endpoints such as newsletter signup.
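As an added example (not OTP's implementation), here is a per-IP limiter with the shape described above: one global budget per IP, plus a tighter budget on a sensitive endpoint. The 100 requests/minute figure and the newsletter-signup endpoint come from the text; the endpoint's 5/minute limit, the path, the sliding-window design, the in-memory store and the injected clock are assumptions for the example.

```python
"""Added illustration (not OTP's code) of per-IP rate limiting with a global
budget and a tighter per-endpoint budget. Limits other than 100/min, the path
and the sliding-window design are assumed."""
from collections import defaultdict, deque

GLOBAL_LIMIT = (100, 60.0)  # 100 requests per 60 seconds, per IP (from the page)
ENDPOINT_LIMITS = {
    "/api/newsletter/signup": (5, 60.0),  # assumed tighter limit for a sensitive endpoint
}


class RateLimiter:
    def __init__(self) -> None:
        # (ip, scope) -> timestamps of requests inside the window, oldest first.
        # Memory per key is bounded by that key's limit.
        self._hits = defaultdict(deque)

    def _allow(self, key, limit: int, window: float, now: float) -> bool:
        q = self._hits[key]
        while q and q[0] <= now - window:  # evict hits that fell out of the window
            q.popleft()
        if len(q) >= limit:
            return False  # rejected requests are not recorded
        q.append(now)
        return True

    def check(self, ip: str, path: str, now: float):
        """Return (allowed, reason). The global budget is consumed first; a
        sensitive endpoint must then also pass its own tighter budget."""
        limit, window = GLOBAL_LIMIT
        if not self._allow((ip, "global"), limit, window, now):
            return False, "global limit"
        if path in ENDPOINT_LIMITS:
            limit, window = ENDPOINT_LIMITS[path]
            if not self._allow((ip, path), limit, window, now):
                return False, f"endpoint limit for {path}"
        return True, "ok"


if __name__ == "__main__":
    rl = RateLimiter()
    for t in range(7):
        print(t, rl.check("203.0.113.7", "/api/newsletter/signup", float(t)))
```

Two details matter in practice: rejected requests do not consume budget (otherwise a client at the limit can never recover), and a request that passes the global check but fails the endpoint check still counts against the global budget, since it did reach the server.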
Access & security controls

The controls running on every request.

Authentication
Clerk-managed OAuth. OTP stores no passwords.
API access control
API keys are presented as bearer tokens; only a SHA-256 hash of each key is stored at rest.
Tenant isolation
Every request is bound to one organization before any data is read.
Privileged access
Admin "view-as" uses a signed cookie that binds the action to the acting admin for audit.
Audit logging
Organization registration, publishing, and key actions are recorded with actor and entity, retained 12 months.
Webhook verification
Inbound webhooks are verified by checking the signature over the raw request body before the body is parsed.
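The API-key, token and webhook controls above share the same primitives, so here is one added example (not OTP's code) covering all three: an API key stored only as its SHA-256 hash and looked up from a bearer header; an application token (unsubscribe, demo access, view-as) signed with HMAC-SHA256 and verified with a constant-time comparison, bound to a purpose and an expiry; and a webhook signature checked over the raw bytes, with a demonstration of why re-serialized JSON would fail. The key format, token layout, claim names, header format and the signing secrets are assumptions for the example.

```python
"""Added illustration (not OTP's code) of: SHA-256-hashed API keys,
HMAC-SHA256 application tokens verified in constant time, and webhook
signatures verified over the raw body. Formats and secrets are assumed."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

SIGNING_SECRET = secrets.token_bytes(32)  # assumed: a service secret in production


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# --- API keys: the plaintext is shown once; only its hash is stored -------
def issue_api_key(store: dict, org_id: str) -> str:
    key = "otp_" + secrets.token_urlsafe(32)  # assumed prefix
    store[hashlib.sha256(key.encode()).hexdigest()] = org_id
    return key


def org_for_bearer(store: dict, authorization: str) -> Optional[str]:
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return store.get(hashlib.sha256(token.encode()).hexdigest())


# --- Application tokens: HMAC-SHA256 over a canonical body -----------------
def mint_token(claims: dict, secret: bytes = SIGNING_SECRET) -> str:
    body = b64u(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64u(sig)}"


def verify_token(token: str, purpose: str, now: float,
                 secret: bytes = SIGNING_SECRET) -> Optional[dict]:
    body, _, sig = token.partition(".")
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    try:
        got = b64u_decode(sig)
    except Exception:
        return None
    if not hmac.compare_digest(expected, got):  # constant-time comparison
        return None
    claims = json.loads(b64u_decode(body))
    # Bind the token to its purpose and expiry so an unsubscribe token cannot
    # be replayed as a demo-access or view-as token, or used after it expires.
    if claims.get("purpose") != purpose or claims.get("exp", 0) < now:
        return None
    return claims


# --- Webhooks: sign and verify the raw bytes, parse only afterwards --------
def sign_webhook(raw_body: bytes, secret: bytes) -> str:
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, signature_header: str, secret: bytes) -> Optional[dict]:
    expected = sign_webhook(raw_body, secret)
    if not hmac.compare_digest(expected.encode(), signature_header.encode()):
        return None
    return json.loads(raw_body)


def reserialized(raw_body: bytes) -> bytes:
    """What a framework hands you after parsing and re-encoding JSON."""
    return json.dumps(json.loads(raw_body)).encode()
```

Note the ordering in `verify_webhook`: the signature is checked on the bytes as received and `json.loads` runs only after it passes. `reserialized` exists to show the pitfall: even a whitespace-only difference in re-encoded JSON produces a different signature, which is why verification must run on the raw body rather than on a parsed-and-dumped copy.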
Compliance

Honest status, not borrowed badges.

We are an early-stage protocol. We tell you exactly where we are.

SOC 2 Type II · In progress
OTP application, targeting Q4 2026.

GDPR · Supported
Customer data hosted in the EU (Amsterdam). DPA available on request.

Infrastructure (Railway) · SOC 2 Type II · HIPAA
Hosting and managed database. Reports available from Railway on request.

Penetration testing · Planned
Infrastructure provider (Railway) is penetration tested; an OTP application test is planned alongside SOC 2.
Subprocessors

Every third party that may process data.

Railway · Cloud hosting & managed PostgreSQL
Runs the OTP application and primary database. SOC 2 Type II, HIPAA. Location: US company; data hosted in EU West (Amsterdam).

Clerk · Authentication
User authentication and session management. OTP stores no passwords. Location: United States.

Cloudflare R2 · File / object storage
Stores uploaded files and assets. Location: global edge.

Resend · Transactional & newsletter email
Delivers account, notification, and newsletter email. Location: United States.

Stripe · Billing & payments
Processes subscription billing. Card data is handled by Stripe, not OTP. Location: United States.

Svix · Webhook delivery
Webhook relay and signature verification. Location: United States.

Anthropic · AI processing
Powers Ask AI and Rock AI. Receives only the content needed for a given request. Does not train on data submitted via its paid API. Location: United States.

Google Ads · Marketing conversion tracking
Conversion measurement on public marketing pages only. Does not touch customer operational data inside the app. Location: United States.
Incident response

If something goes wrong, you hear from us in three hours.

On confirming a security incident affecting customer data, we contain it and notify affected organizations within 3 hours, followed by a written post-incident summary.

No reportable security incidents to date.

Questions teams ask us

The answers your reviewers want.

If I publish to OTP, who can see my data?

By default, no one. Your operating data stays private to your organization. Only items you explicitly publish (learnings, selected best practices, or a profile or KPIs you mark public) appear on the network.

Is my operational data (priorities, KPIs, meetings) ever shared?

No. Those are private to your organization and never appear on any cross-org surface.

Can I keep my whole organization off the network?

Yes. A private organization is hard-excluded from every cross-org surface through a single enforced control.

Where is my data stored?

In the EU, in Railway's Amsterdam region, encrypted at rest, with daily encrypted backups retained 30 days.

Do you use my data to train AI models?

No. AI features send only the content needed for that request to Anthropic's Claude API to generate your response, and Anthropic does not train on data submitted through its paid API.

Can I delete or export my data?

Yes. On a verified deletion request, personal data is permanently removed within 7 days. You can request a copy of your data, and a self-serve export is on the roadmap.

Are you SOC 2 or GDPR compliant?

We are pre-SOC 2 and targeting SOC 2 Type II within six months; our infrastructure already runs on SOC 2 Type II, HIPAA-compliant Railway. For GDPR, customer data is hosted in the EU and a DPA is available on request.

Reviewing OTP for your team?

We respond to security inquiries within 1 business day. Our Data Processing Agreement is available on request.

security@orgtp.com

OTP, LLC · Fairfield, NJ 07004, USA