Security

Protecting your data is fundamental to how we build Ottly. Here is an overview of the measures we take to keep your information secure.

Infrastructure

  • Ottly is hosted on Amazon Web Services (AWS), leveraging its enterprise-grade physical and network security.
  • All services run in isolated containers within private subnets, with no direct public internet access to backend systems.
  • Infrastructure is managed as code using Pulumi, ensuring consistent and auditable deployments.

Data Encryption

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Data at rest is encrypted using AES-256 encryption provided by our database and storage providers.
  • Sensitive credentials such as OAuth tokens are encrypted at the application level before storage.

Authentication & Access Control

  • User authentication is handled via secure session tokens with short-lived access tokens and rotating refresh tokens.
  • Social login (Google OAuth) is supported with industry-standard OAuth 2.0 flows.
  • All API endpoints enforce authentication and authorization checks.

Application Security

  • Workflow code execution runs in sandboxed environments isolated from the main application.
  • Input validation and output encoding are applied to prevent injection attacks.
  • Dependencies are regularly reviewed and updated to address known vulnerabilities.

Data Handling

  • We do not sell or share your data with third parties for advertising purposes.
  • LLM API calls are made using provider APIs that do not use your data for model training.
  • You can delete your account and associated data at any time.

Incident Response

  • We maintain monitoring and alerting systems to detect unusual activity.
  • In the event of a security incident, affected users will be notified promptly.
  • Security concerns can be reported to hello@ottly.com.