Security

Security at OKRs Tool.

Enterprise-grade protection for teams of any size. We take data seriously — that starts with secure infrastructure, privacy-first design, and transparent practices.

Last updated: 5 May 2026

Section 1
Our security approach

In short: Security is layered. We combine secure infrastructure with strict application-level controls and transparent practices.

OKRs Tool is built for teams who care about how their data is handled. Whether you're a 50-person company evaluating us against an enterprise platform or a 200-person organization finalizing procurement, this page documents what we do to protect your data.

Our security posture sits across four layers: infrastructure (where data is hosted), application (how the platform protects data day-to-day), access (who can see what), and response (what happens if something goes wrong).

Encryption everywhere

TLS 1.2+ in transit, AES-256 at rest. Across every layer.

Role-based access

Granular permissions per workspace. Audit trail on sensitive actions.

72-hour breach notification

Where legally required, we notify within the GDPR window.

SOC 2 infrastructure

Hosted on SOC 2 Type II audited infrastructure providers.

Section 2
Infrastructure & encryption

OKRs Tool runs on infrastructure with independent SOC 2 Type II audits. This means our underlying hosting environment has been evaluated against industry-standard security, availability, and confidentiality criteria by independent auditors.

Specifically:

  • Encryption in transit. All connections use TLS 1.2 or higher. We do not accept legacy SSL or unencrypted HTTP for any data exchange.
  • Encryption at rest. Data stored in our databases and backups is encrypted using industry-standard AES-256 encryption.
  • DDoS protection & WAF. Cloudflare provides DDoS mitigation and a web application firewall on all incoming traffic.
  • Annual penetration testing. Our infrastructure undergoes annual third-party penetration testing.
  • Continuous monitoring. Infrastructure monitoring runs 24/7 with automated alerting for anomalies.

Note on certification: OKRs Tool's underlying infrastructure is independently SOC 2 Type II audited. OKRs Tool itself has not yet completed an independent SOC 2 audit at the application layer. We can share infrastructure audit reports under NDA on request — contact info@okrstool.com.

Section 3
Access controls

Security at the application layer is about who can see what. Our practices:

  • Role-based access control (RBAC). Workspaces support predefined roles — Owner, Admin, Member, Viewer — with different permissions per role.
  • Single Sign-On (SSO). Available on the Expand plan via SAML and Google Workspace SSO.
  • Two-factor authentication (2FA). Available for all users on every plan.
  • Privacy rules. Fine-grained controls govern who can view or modify OKRs at the workspace level. Sensitive workspaces can be restricted to specific roles.
  • Audit logs. Sensitive actions are logged with user, action, and timestamp. Logs are available to workspace admins on the Expand plan.
  • Internal access. Access to customer data by OKRs Tool staff is restricted to a small number of authorized engineers, requires explicit business justification, and is logged.

Section 4
Data hosting & availability

  • Hosting provider: Amazon Web Services (AWS)
  • Server regions: US & EU (configurable per workspace on enterprise plans)
  • Backups: Daily automated backups with secure point-in-time recovery
  • Uptime monitoring: 99.9% uptime SLA on Expand plan; status page available
  • Observability: Performance and error monitoring via Datadog

Section 5
Incident response

If a security incident affecting customer data occurs:

  1. We detect and contain the incident through 24/7 monitoring and automated alerting.
  2. We assess the scope and impact within hours of detection.
  3. We notify affected customers within 72 hours where legally required (e.g., GDPR Article 33), or sooner where practicable.
  4. We provide a post-incident report describing what happened, what data was affected (if any), and what we're changing to prevent recurrence.

Customers can request a copy of incident response procedures under NDA by contacting info@okrstool.com.

Section 6
Compliance commitments

  • GDPR. Fully aligned with GDPR principles, including consent, access, and deletion rights. See our Privacy Policy for details.
  • Data Processing Agreement (DPA). Available to customers upon request — email dpo@okrstool.com.
  • Google API compliance. Use of Google APIs (Calendar, Sheets) adheres to the Google API Services User Data Policy, including Limited Use requirements. See our Google User Data section in the Privacy Policy.
  • Sub-processor transparency. A current list is available at okrstool.com/sub-processors.

Section 7
Sub-processors

We rely on a small, vetted list of sub-processors to deliver the Services — primarily for cloud infrastructure, analytics, and email delivery. All sub-processors are contractually bound to confidentiality and GDPR-aligned data protection standards.

The current list is published at okrstool.com/sub-processors. We notify customers of material changes to this list with reasonable advance notice.

Section 8
Security questions?

If you're a security officer, IT lead, or compliance manager evaluating OKRs Tool, we're happy to answer questions directly:

Security & compliance:info@okrstool.com
Phone: +372 5661 4404
Data Protection Officer:dpo@okrstool.com

For larger procurement reviews, we provide:

  • Sub-processor list and DPA on request
  • Infrastructure audit reports under NDA
  • Security questionnaire responses (SIG, CAIQ, custom)
  • Direct calls with the founder for senior security stakeholders