
Security at ONTHEBIAS.

Your designs, your conversations with OBIE, and your customer data are the most sensitive things you trust us with. This page is a plain account of how we protect them - the controls in place today and the ones on the way.

Data isolation

Every workspace is logically isolated. Projects, canvas state, OBIE conversations, generated assets, and brand uploads are scoped to the workspace that owns them and enforced at the database layer with row-level security, so one customer's data is never reachable from another customer's session. Designs you create are never pooled or shared across accounts.


Encryption

All traffic to and from the platform is encrypted in transit with TLS 1.2 or higher. Data at rest - your database records, uploaded brand assets, and generated files in object storage - is encrypted using AES-256. Backups are encrypted with the same standard.


Authentication

Accounts are protected by Supabase Auth. Passwords are hashed and salted; we never store them in plaintext and we cannot see them. Email confirmation and magic-link sign-in are supported, and session tokens are short-lived and refreshed server-side.

SSO and SAML are available on Enterprise plans, so your team can sign in through your existing identity provider and offboard users centrally. Contact us to set it up for your workspace.


Access controls

Workspaces use role-based access - owner, admin, member, and viewer - so you decide who can edit, who can invite, and who can only view. Inside ONTHEBIAS, access to production systems is limited to the people who need it, granted on a least-privilege basis, and logged.
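The two patterns above, workspace scoping enforced with row-level security (Data isolation) and the owner/admin/member/viewer role model (Access controls), as an added illustration in Postgres as used by Supabase. This is not the platform's own schema: the table and column names (workspaces, workspace_members, projects, workspace_id) and the exact role-to-permission mapping are assumptions; auth.uid() is Supabase's built-in helper returning the signed-in user's id.

```sql
-- Assumed schema (illustrative only, not the platform's real tables).
create table workspaces (id uuid primary key);
create table workspace_members (
  workspace_id uuid not null references workspaces(id),
  user_id      uuid not null,
  role         text not null check (role in ('owner','admin','member','viewer')),
  primary key (workspace_id, user_id)
);
create table projects (
  id           uuid primary key,
  workspace_id uuid not null references workspaces(id),
  name         text not null
);

-- With RLS enabled and no policy, a table returns nothing: deny by default.
alter table projects          enable row level security;
alter table workspace_members enable row level security;
-- Also apply policies to the table owner so an accidental bypass is not possible.
alter table projects          force  row level security;

-- Membership check used by every policy. security definer lets it read
-- workspace_members regardless of that table's own policies; the fixed
-- search_path prevents function-resolution tricks through a user schema.
create function is_workspace_member(ws uuid, allowed text[]) returns boolean
language sql stable security definer set search_path = public as $$
  select exists (
    select 1 from workspace_members m
    where m.workspace_id = ws
      and m.user_id = auth.uid()
      and m.role = any(allowed)
  );
$$;

-- Read: any role in the owning workspace, and only that workspace.
create policy projects_select on projects for select
  using (is_workspace_member(workspace_id, array['owner','admin','member','viewer']));

-- Write: viewers excluded. The with check clause also blocks re-homing a row
-- into a workspace the caller is not a member of.
create policy projects_insert on projects for insert
  with check (is_workspace_member(workspace_id, array['owner','admin','member']));
create policy projects_update on projects for update
  using      (is_workspace_member(workspace_id, array['owner','admin','member']))
  with check (is_workspace_member(workspace_id, array['owner','admin','member']));
create policy projects_delete on projects for delete
  using (is_workspace_member(workspace_id, array['owner','admin']));
```

Policies only bind queries made with a user's session; Supabase's service-role key bypasses RLS entirely, so server-side code using it must scope queries by workspace itself.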


AI providers

OBIE and our generation pipeline run on commercial AI APIs from Anthropic and Google. We use their no-training commercial tiers, which means your prompts, uploaded images, and outputs are sent only to fulfill the request you made in the moment and are not used to train their models. Your design content is never used to train any model we own.


Data retention

We keep your data for as long as your workspace is active so the platform works the way you expect. When you delete a project, canvas, or asset, it is removed from the live system, and from backups as they age out on the normal backup rotation.

You can export your data at any time. After account termination you have 30 days to export, after which we may permanently delete it.


Payments

All billing runs through Stripe, a PCI DSS Level 1 certified processor. Card details are entered directly with Stripe and tokenized - full card numbers never touch our servers and we never store them.


Vulnerability disclosure

If you believe you have found a security issue, tell us. Email security@onthebias.co with the details and steps to reproduce, and we will acknowledge and work the report. We ask that you give us a reasonable window to fix an issue before disclosing it publicly, and that you avoid accessing or modifying other users' data while testing.

See also /.well-known/security.txt


Subprocessors

We use a small set of vetted infrastructure and service providers to run the platform. Each receives only the data it needs to do its job. See the full list of subprocessors for what each one handles and where.


Data processing agreement

If your organization needs a signed Data Processing Agreement to cover GDPR or other obligations, email legal@onthebias.co and we will get one in place.


On the roadmap

Security is never finished. We are working toward a SOC 2 Type II report, formal penetration testing on a recurring cadence, and expanded audit logging exposed to workspace admins. We will update this page as those controls land.