Operalta - Conversational Memory Platform

Operalta handles sensitive company data, including strategic decisions, financial metrics, and confidential conversations. Security and privacy are fundamental to our platform.

1. Authentication & Access Control

✓ Password Security

Passwords hashed with bcrypt (via Supabase Auth)
Minimum 8 characters required
Passwords never stored in plaintext

✓ Multi-Factor Authentication (MFA)

SMS-based OTP via Bird (MessageBird)
6-digit codes with 10-minute expiry
Required for sensitive operations (password reset with MFA enabled)
Session binding to prevent token replay

✓ Session Management

JWT-based sessions with automatic refresh
Tokens stored in HTTP-only, Secure, SameSite cookies
7-day session expiry with refresh token rotation
Automatic session invalidation on password change

✓ Authorization

PostgreSQL Row-Level Security (RLS) on all tables
Company-scoped access control
Role-based permissions (founder, advisor, investor, observer)

2. Attack Prevention

✓ Brute Force Protection

Rate limiting on all authentication endpoints (Redis-based)
Password reset: 5 requests per 15 minutes per email
OTP send: 3 requests per 5 minutes per phone number
OTP verify: 10 attempts per 5 minutes + 3 attempts per code (DB-level)
Chat API: 40 requests per minute per user

✓ Timing Attack Prevention

Constant-time comparison for OTP verification (timingSafeEqual)
Hashed OTP codes stored in database (SHA-256)

✓ CSRF Protection

SameSite=Lax cookies by default
Same-origin policy enforced
API routes validate session tokens

✓ Input Validation

Schema validation with Zod on all API endpoints
XSS prevention via React's automatic escaping
SQL injection prevention via parameterized queries (Supabase)
Input sanitization for user-generated content

3. Data Encryption

✓ Encryption in Transit

TLS 1.2+ for all connections
HTTPS enforced on all endpoints
HSTS headers enabled

✓ Encryption at Rest

Database: AES-256 Transparent Data Encryption (Supabase)
File storage: Server-side encryption (AES-256)
Backups: Encrypted with separate keys

4. Infrastructure Security

Hosting (Vercel)

DDoS protection and Web Application Firewall (WAF)
Automatic security patches
Edge functions in EU region (Frankfurt)
SOC 2 Type II certified

Database (Supabase)

Data stored in eu-central-2 (Zurich, Switzerland)
Isolated VPC with network security
Automated daily backups with point-in-time recovery
SOC 2 Type II certified

Rate Limiting (Upstash Redis)

Distributed rate limiting across edge
EU region (Frankfurt)
Fail-open design (service continues if Redis unavailable)

5. Compliance & Privacy

GDPR

Data Processing Agreements with all sub-processors
Right to access, rectification, and erasure
Data portability (JSON/CSV export)
72-hour breach notification

Data Retention

30-day deletion window after account closure
Backups purged within 90 days
Audit logs retained 7 years (EU requirement)

No data selling: We never sell your data. AI providers (Anthropic, Mistral) do not retain data after processing per their DPAs. Your data is not used to train AI models for other customers.

6. Security Practices

✓Dependency scanning and automatic security updates
✓Code review required for all changes
✓Environment variables for all secrets (never committed to code)
✓Least privilege access for team members
✓Security-focused error handling (no sensitive data in error messages)

7. Responsible Disclosure

If you believe you have found a security vulnerability, please report it to us immediately:

Email: security@operalta.com

Please include detailed steps to reproduce the vulnerability. We commit to acknowledging reports within 48 hours and working with security researchers to resolve issues quickly.

We appreciate responsible disclosure and will not take legal action against researchers who report vulnerabilities in good faith.

For questions about our security practices, contact security@operalta.com

Security at Operalta