Trust & Compliance

Built on EU infrastructure. Encrypted end-to-end. Audited at every layer.

A single landing page for security teams running diligence on OKRs Tool. What's true, where data lives, and which certifications you inherit by using us.

Data in EU only · AES-256 + TLS 1.3 · SAML SSO + 2FA · GDPR compliant

Data & privacy

Where your data lives, how it's encrypted, and what you can do with it.

EU data residency
All customer data stored in AWS Ireland (eu-west-1) — data never leaves the EU.
Encryption at rest
AES-256 — applied to every byte of customer data on disk.
Encryption in transit
TLS 1.2 / 1.3 on every connection. Older protocols disabled.
GDPR compliant
Full GDPR alignment including lawful basis, retention controls, and sub-processor disclosure.
Right to erasure
Immediate hard delete of all org data on request — no soft-delete window.
Right to portability
Personal JSON export, org-level Excel export (OKRs, check-ins, users), audit log CSV, and full REST API.

Application security

Controls applied inside OKRs Tool — per-user, per-org, per-request.

Two-factor authentication
TOTP-based 2FA — optional per user, or enforced org-wide by admins.
Row-level isolation
Row Level Security on every data table — orgs are fully isolated at the database layer.
Scoped API keys
API keys scoped per org with full request logging on every call.
Webhook signature verification
All inbound webhook endpoints verify cryptographic signatures before processing.
Service role isolation
The service role key never reaches the browser. Only backend processes hold privileged credentials.
MFA step-up enforcement
AAL1 / AAL2 session levels — sensitive actions can require fresh MFA re-authentication.
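The webhook item above states the control but not the mechanism. The following is an added illustration, not code from OKRs Tool, of the checks a defender wants on an inbound webhook: verify the MAC over the raw bytes before parsing anything, compare in constant time, and bound the timestamp so a captured request cannot be replayed later. The header format (`t=<unix timestamp>,v1=<hex HMAC-SHA256>` over `"<timestamp>.<body>"`), the secret, and the sample payload are all assumptions constructed for this example; the tool's actual scheme is not stated on the page.

```python
"""Constructed example: verify an HMAC-signed inbound webhook before processing it.

Assumed (not from the page) header layout:  t=<unix-timestamp>,v1=<hex HMAC-SHA256>
where the MAC is computed over "<timestamp>.<raw body>" with a shared secret.
"""
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

SIGNATURE_TOLERANCE_SECONDS = 300  # reject signatures older than 5 minutes (replay window)


def sign_webhook(payload: bytes, secret: bytes, timestamp: int) -> str:
    """Produce the header a sender would attach (used here only to build sample input)."""
    signed = b"%d." % timestamp + payload
    mac = hmac.new(secret, signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def _parse_header(header: str) -> Tuple[int, List[str]]:
    """Split 't=...,v1=...' into (timestamp, [v1 candidates]); raise ValueError if malformed."""
    timestamp: Optional[int] = None
    candidates: List[str] = []
    for part in header.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError("malformed signature element")
        if key == "t":
            timestamp = int(value)  # ValueError on non-numeric timestamp
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or not candidates:
        raise ValueError("signature header missing t or v1")
    return timestamp, candidates


def verify_webhook(payload: bytes, header: str, secret: bytes, now: Optional[int] = None) -> bool:
    """Return True only if the header carries a fresh, valid HMAC over the raw payload.

    Runs on the raw request body before any JSON parsing, and uses
    hmac.compare_digest so the comparison time does not depend on the bytes.
    """
    try:
        timestamp, candidates = _parse_header(header)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > SIGNATURE_TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a replay
    expected = hmac.new(secret, b"%d." % timestamp + payload, hashlib.sha256).hexdigest()
    # Accept any listed v1 value so that secret rotation (two live secrets) keeps working.
    return any(hmac.compare_digest(expected, candidate) for candidate in candidates)


if __name__ == "__main__":
    secret = b"whsec_constructed_example_secret"  # constructed placeholder, not a real key
    body = b'{"event":"checkin.created","org":"acme"}'  # constructed sample body
    t0 = 1_700_000_000
    header = sign_webhook(body, secret, t0)
    print(verify_webhook(body, header, secret, now=t0 + 10))         # True
    print(verify_webhook(body + b" ", header, secret, now=t0 + 10))  # False: body tampered
    print(verify_webhook(body, header, secret, now=t0 + 3600))       # False: replayed too late
```

Two details matter in practice: the MAC must be computed over the exact bytes received (re-serialising parsed JSON changes whitespace and key order and breaks verification), and a rejected request should be logged with its timestamp and source so that replay attempts show up in the audit trail the page describes.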

Access controls

How sign-in, roles, and sessions are managed across your org.

SAML 2.0 SSO
On the Expand plan. Supports Entra/AAD, Okta, Google Workspace, and any SAML 2.0 IdP.
Role-based access
Four roles — Admin, Manager, Member, Viewer. Permissions scoped per workspace and per team.
Org-enforced MFA
Admins can require MFA across the whole org — users without 2FA can't sign in.
Session management
1-hour JWT, 30-day refresh token. Tokens rotate on use, are revoked on sign-out, and expire on inactivity.

Audit & compliance

Every meaningful action recorded, retained indefinitely, exportable on demand.

Full audit log
Every OKR, KR, check-in, review, member change, and role change is captured with actor and timestamp.
Indefinite retention
Audit log entries are never deleted — full org history available for compliance review.
CSV export
Export the audit log to CSV with a date range picker — ready for security questionnaires or board reviews.
Inherited certifications
OKRs Tool inherits SOC 2, ISO 27001, PCI DSS from our infrastructure providers — listed in the next section.

Backups & recovery

Database backups taken automatically, retained for one week.

Daily automated backups
Full database backup taken every 24 hours — no manual action required.
7-day retention
Backups retained for 7 days, available for restore in disaster recovery scenarios.

Inherited certifications

The vendors powering OKRs Tool.

OKRs Tool inherits compliance certifications from the providers below. Every layer of our stack — from network edge to payments — is run on certified infrastructure.

Cloudflare
Network edge, DDoS protection, WAF
SOC 2 Type II, ISO 27001
AWS
Compute, storage, regional hosting (EU)
SOC 1, SOC 2, SOC 3, ISO 27001, PCI DSS
Supabase
Database, auth, real-time sync
SOC 2 Type II
Stripe
Payments and billing
PCI DSS Level 1
Resend
Transactional email delivery
SOC 2 Type II
Read the details

Trust documents.

Each of these is a standalone page covering its topic in depth — for procurement teams and security questionnaires.

Available on request

Documents for your vendor review.

If you're going through a procurement or security review, email Steven to request any of the following — we typically respond within one business day.

  • Signed DPA (Data Processing Agreement) — standard GDPR template ready to countersign.
  • Security questionnaire — we'll fill out yours, or share our standard answers (SIG Lite, CAIQ, etc.).
  • Sub-processor change notifications — subscribe to be notified before any sub-processor is added or changed.
  • Infrastructure compliance reports — copies of SOC 2 and ISO 27001 reports from our infrastructure providers, under NDA.

Direct line

Got a security question?

Email Steven directly. Every security email is answered personally — usually within one business day. No support tier escalation, no vendor portal, just a reply.

Email Steven
Steven Macdonald
Founder & security contact