Security
Security is a first-class concern at OTTOPILOTE. We protect customer code, customer data, and our own infrastructure through engineering practice, vendor selection, and a clear disclosure policy.
Infrastructure
- Hosted on Vercel (a SOC 2 Type II audited provider; that report covers Vercel's controls, not ours, see the compliance roadmap below) with TLS 1.3 enforced site-wide.
- Source code stored in private repositories on GitHub with branch protection and code review.
- Secrets managed through environment variables and provider secret stores — never committed to source.
- Production access limited to a small number of authorized engineers with multi-factor authentication.
Engineering practices
- Dependencies pinned and reviewed; automated security alerts on every push.
- Linting and type-checking enforced in CI before any deployment.
- Deployments are immutable and versioned; rolling back to a previous deployment is a single operation.
Data handling
We collect the minimum data needed to deliver our Services. Customer data and project data are stored in databases that are encrypted at rest, provided by cloud vendors (e.g., Supabase, AWS, GCP) under written data-processing agreements. See our Privacy Policy for details on retention and your rights.
Compliance roadmap
OTTOPILOTE is at the early stage of its compliance program. We are aligning our internal controls with the SOC 2 framework and intend to seek a SOC 2 Type I audit during 2026. We do not currently claim SOC 2, ISO 27001, or HIPAA certification. We will publicly update this page when audits are completed.
Responsible disclosure
If you believe you have found a security vulnerability, please email contact@ottopilote.com with the subject line "Security disclosure". Include enough detail for us to reproduce the issue (affected URL or component, steps, and impact). Please give us a reasonable opportunity to remediate before public disclosure. We will acknowledge your report within five business days and keep you informed until it is resolved.
Contact
For any security or trust questions, write to contact@ottopilote.com.