What Ooko stores, isolates, and does not do.
Honest documentation of our current security model. If a control you require is missing, it's listed below — Ooko does not have it today.
Architecture
Ooko is a Next.js 14 application deployed on Vercel, backed by a managed Supabase project (PostgreSQL + GoTrue auth). A user's browser talks to Vercel edge functions, which talk to Supabase over TLS. No large language model is in the request path. Payload generation is pure string manipulation on our server; the clipboard write that delivers the payload to the employee-facing document happens entirely in the admin's browser.
What we store
- auth.users — email + Supabase-managed password hash, session tokens.
- honeypots — id, user_id, title, target_department, tracker_id, source_text, created_at.
- We store source_text in plain text. We do this deliberately: the payload is rebuilt on every page load from the stored text so the tracker ID remains stable and the copy stays reproducible. Storing only a hash would break the product. Supabase's managed Postgres provides at-rest disk encryption.
- We do not store telemetry about end recipients. There is no webhook, no outbound LLM call, no analytics beacon on the document or its copies.
Tenant isolation
The honeypots table enforces Row-Level Security. These are the exact policies in our schema:
    create policy "users read own honeypots" on public.honeypots for select using (auth.uid() = user_id);
    create policy "users insert own honeypots" on public.honeypots for insert with check (auth.uid() = user_id);
    create policy "users delete own honeypots" on public.honeypots for delete using (auth.uid() = user_id);
A compromised session token can only read that user's own rows; a misconfigured client library can't widen scope.
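A reviewer can confirm these policies behave as described with a transaction like the one below, which is an added example and not part of Ooko's schema or tooling. It assumes Supabase defaults (the authenticated role holds table grants, and auth.uid() reads the sub claim from request.jwt.claims), a staging copy holding rows for at least two users, and a constructed placeholder UUID for the impersonated user.

```sql
-- Added example, not Ooko's code. Run as a privileged role on a staging copy.
-- ASSUMPTIONS: Supabase defaults for grants and auth.uid(); the UUID below is
-- a constructed placeholder for an existing user.
begin;

-- Precondition (still privileged): the test is only meaningful if some other
-- user's rows exist for the impersonated user to be denied.
do $$ begin
  if not exists (select 1 from public.honeypots
                 where user_id <> '00000000-0000-0000-0000-00000000000a') then
    raise exception 'seed a honeypot row for a second user first';
  end if;
end $$;

-- Impersonate an ordinary signed-in user for the rest of this transaction.
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-00000000000a","role":"authenticated"}',
  true);
set local role authenticated;

do $$
declare
  n bigint;
begin
  -- SELECT policy: no row owned by another user may be visible.
  select count(*) into n from public.honeypots where user_id <> auth.uid();
  if n <> 0 then raise exception 'isolation failure: % foreign rows readable', n; end if;

  -- DELETE policy: foreign rows are filtered out before the delete runs.
  delete from public.honeypots where user_id <> auth.uid();
  get diagnostics n = row_count;
  if n <> 0 then raise exception 'isolation failure: % foreign rows deleted', n; end if;

  -- No UPDATE policy is listed, so with RLS enabled every update is denied,
  -- including updates to the caller's own rows.
  update public.honeypots set title = title;
  get diagnostics n = row_count;
  if n <> 0 then raise exception 'unexpected: % rows were updatable', n; end if;

  raise notice 'RLS checks passed for user %', auth.uid();
end $$;

rollback;  -- leave the data untouched
```

This exercises the policies only for connections running as the authenticated role. In PostgreSQL, the table owner and any role with the BYPASSRLS attribute are not constrained by row-level security policies.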
What we do NOT have
We are direct about the absence of controls a larger buyer may require. Ooko today does not have:
- SOC 2 Type I or Type II attestation.
- ISO 27001 certification.
- HIPAA or PCI scope.
- SSO / SAML / SCIM integration.
- Role-based access control beyond one-user-per-account.
- Audit logs of read, delete, or admin activity.
- Customer-managed encryption keys or BYOK.
- A negotiated Data Processing Agreement or MSA template.
- Regional data residency controls.
If you require any of the above to sign, Ooko is not the right tool for you at this time. We'd rather tell you now than fail a security review on your side.
Reporting security issues
Reach us through the sign-in flow, then use the account email we respond from for vulnerability disclosures. We aim to acknowledge within two business days. Please do not file security reports in public issues or support channels.