Security
Last updated: February 2026
Security is fundamental to ObitoX. We implement multiple layers of protection to keep your data and API infrastructure secure. This page details our security practices.
- Encrypted: TLS 1.3 + AES-256
- HMAC Signed: SHA-256 auth
- SOC 2 Ready: Enterprise grade
- Audited: Regular testing
Security Overview
ObitoX follows the principle of defense in depth. Every layer of our infrastructure is designed with security in mind, from the application code to the physical data centers. We regularly audit our systems and work with security researchers to identify and fix vulnerabilities.
Data Encryption
In Transit
All data transmitted between clients and our servers is encrypted using TLS 1.3 with modern cipher suites. We support HSTS and do not allow legacy protocols.
At Rest
Sensitive data stored in our databases is encrypted using AES-256. Encryption keys are managed through Supabase's key management service.
API Security
All API requests are authenticated using cryptographic signatures. This prevents tampering and ensures request integrity.
Multi-layer rate limiting protects against abuse. Requests pass through an in-memory guard (0-2 ms), then Redis (5-20 ms), and finally database quotas.
Strict input validation and sanitization prevent injection attacks. All user input is treated as untrusted.
Timestamp and nonce validation prevents replay attacks. Requests older than 5 minutes are rejected.
API keys are stored as one-way bcrypt hashes. We never store keys in plaintext.
Infrastructure Security
Edge Network
Deployed on Vercel's global edge network with automatic DDoS protection and WAF rules.
DDoS Protection
Automatic mitigation at the edge. Traffic anomalies are detected and blocked before reaching our origin.
Database Security
Row-level security (RLS) policies ensure data isolation. Each user can only access their own data.
Tenant Isolation
Strict separation between tenant data. No cross-tenant access is possible at the database level.
Abuse Prevention
We employ multiple techniques to detect and prevent abuse:
- AI-powered anomaly detection identifies suspicious patterns
- Gentle slowdowns before hard blocks
- Complete trail of all API activity
Rate Limit Tiers
| Tier | Requests/min | Requests/month |
|---|---|---|
| Free | 10 | 10,000 |
| Pro | 100 | 100,000 |
| Enterprise | 1,000 | 1,000,000+ |
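An in-memory rate-limit guard that enforces the per-tier limits from the table and applies a slowdown stage before a hard block, as described under Abuse Prevention. This is an added example written for this page, not ObitoX's implementation: the 80% slowdown threshold, the 500 ms delay, the sliding-window choice and the in-memory monthly counter (which the page says is really a database quota) are all assumptions.

```javascript
// Added example (not ObitoX's code): the first, in-memory layer of a
// multi-layer rate limiter. Per-tier limits come from the page's table;
// the slowdown threshold and delay are assumed values.
const TIERS = {
  free:       { perMinute: 10,   perMonth: 10_000 },
  pro:        { perMinute: 100,  perMonth: 100_000 },
  enterprise: { perMinute: 1000, perMonth: 1_000_000 }, // table says 1,000,000+
};
const SLOWDOWN_FRACTION = 0.8; // assumed: start throttling at 80% of the per-minute limit
const SLOWDOWN_MS = 500;       // assumed: delay returned during the slowdown stage

class MemoryGuard {
  constructor(tiers = TIERS) {
    this.tiers = tiers;
    this.windows = new Map(); // apiKeyId -> timestamps of requests in the last minute
    this.monthly = new Map(); // apiKeyId -> { month: "YYYY-MM", count }
  }

  // Returns { decision: "allow" | "slow" | "block", reason, ... }.
  check(apiKeyId, tier, now = Date.now()) {
    const limits = this.tiers[tier];
    if (!limits) return { decision: "block", reason: "unknown tier" };

    // Monthly quota. In production this would be the database layer; it is
    // kept in memory here so the example runs stand-alone.
    const month = new Date(now).toISOString().slice(0, 7);
    let m = this.monthly.get(apiKeyId);
    if (!m || m.month !== month) {
      m = { month, count: 0 };
      this.monthly.set(apiKeyId, m);
    }
    if (m.count >= limits.perMonth) {
      return { decision: "block", reason: "monthly quota exhausted" };
    }

    // Sliding one-minute window: drop timestamps older than 60 s, then count.
    const cutoff = now - 60_000;
    const stamps = (this.windows.get(apiKeyId) || []).filter((t) => t > cutoff);
    if (stamps.length >= limits.perMinute) {
      this.windows.set(apiKeyId, stamps);
      // Oldest request in the window decides when capacity frees up.
      return { decision: "block", reason: "per-minute limit", retryAfterMs: stamps[0] + 60_000 - now };
    }
    stamps.push(now);
    this.windows.set(apiKeyId, stamps);
    m.count += 1;

    // Gentle slowdown before the hard block.
    if (stamps.length >= Math.ceil(limits.perMinute * SLOWDOWN_FRACTION)) {
      return { decision: "slow", reason: "approaching per-minute limit", delayMs: SLOWDOWN_MS };
    }
    return { decision: "allow", reason: "ok" };
  }
}

module.exports = { TIERS, SLOWDOWN_FRACTION, SLOWDOWN_MS, MemoryGuard };
```

The guard is the cheap first layer only; it is per-process, so in a multi-instance deployment the shared Redis layer and the database quota are what make the limits global. Returning `retryAfterMs` lets the caller set a `Retry-After` header instead of silently dropping the request.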
Monitoring & Incident Response
- Real-time monitoring of all systems with automated alerting
- Dedicated team with defined escalation procedures
- Root cause analysis and preventive measures for all incidents
- Automated daily backups with point-in-time recovery
Responsible Disclosure Program
We appreciate security researchers who help us keep ObitoX secure. If you discover a security vulnerability, we ask that you report it responsibly.
What We Promise
- Response within 48 hours
- Public recognition (if desired)
- No legal action for good-faith research
- Bounty rewards for valid findings
What We Ask
- Report via email (not public disclosure)
- Allow reasonable time to fix
- Do not access user data
- Do not test on production accounts
Please include: vulnerability description, reproduction steps, and potential impact.
Compliance & Certifications
- Full compliance with EU data protection regulations
- Expected completion: Q2 2026
- California Consumer Privacy Act compliance
- Information security management certification
Security Best Practices for Users
Help us keep your account secure by following these recommendations:
- Minimum 12 characters with mixed case, numbers, and symbols
- Add an extra layer of security to your account
- Regularly rotate your API keys (recommended: every 90 days)
- Check your usage dashboard regularly for anomalies
- Never commit API keys to version control
- Contact us immediately if you suspect unauthorized access