Security at OneVision
Protecting your team's data is foundational to how we build OneVision. Here's a plain-language look at the safeguards in place today.
How we protect your data
Security is layered across our infrastructure, our application, and our development process. These are the core measures we have in place.
Tenant isolation
Every customer’s data lives behind PostgreSQL row-level security with FORCE RLS enabled, so records are scoped to their tenant at the database level — not just in application code.
Encrypted in transit
All traffic between your browser and OneVision is protected with TLS. Data moving across the network is encrypted end to end.
Private managed databases
Our databases run as private, managed instances on DigitalOcean with no public internet access — they are reachable only from within our protected network.
Secure authentication
Passwords are hashed with bcrypt — never stored in plain text — and sessions are authenticated using signed JSON Web Tokens (JWT).
Monitoring & audit logging
A dedicated audit-logging service records key activity, while OpenTelemetry tracing and Sentry error monitoring give our team visibility to detect and investigate issues quickly.
Secure development pipeline
Every change is automatically scanned for leaked secrets with gitleaks in CI, and Dependabot keeps our dependencies patched and up to date.
Security practices at a glance
A summary of the technical safeguards currently in place across OneVision.
Data isolation
OneVision is multi-tenant by design. We enforce tenant separation at the database layer using PostgreSQL row-level security with FORCE RLS, so each organization can only ever read and write its own data. This protection sits below the application, adding a strong safeguard even in the unlikely event of an application-level mistake.
Encryption
All connections to OneVision are encrypted in transit using TLS. Our databases are private, managed instances that are not exposed to the public internet.
Authentication
Account passwords are hashed with bcrypt and are never stored in a readable form. Authenticated sessions use signed JSON Web Tokens (JWT).
Monitoring and logging
We operate a dedicated audit-logging service to record key activity, alongside OpenTelemetry distributed tracing and Sentry error monitoring. Together these give our engineering team the visibility needed to detect, investigate, and respond to issues.
Secure development
Every code change is automatically scanned for accidentally committed secrets using gitleaks in our continuous-integration pipeline, and Dependabot keeps our third-party dependencies patched and up to date.
Report a security issue
If you believe you have found a security vulnerability in OneVision, we want to hear from you. Please reach out to our team directly and we will investigate.
security@onevision.io