Ozer Trust Centre

Security and data protection are foundational to Ozer. We're committed to keeping your client data, business information, and team communications safe — and being transparent about how we do it.

Last updated: July 2026

Compliance

SOC 2 — planned
ISO 27001 — via AWS

GDPR

Ozer is designed to comply with the UK GDPR and EU GDPR. We act as a Data Processor for the data you store in Ozer, and as a Data Controller for the account and usage data we collect directly. We do not sell your data to third parties under any circumstances.

UK ICO Registration

Ozer is operated by Oodle Design Ltd, a UK registered company. We are registered with the UK Information Commissioner's Office (ICO) as a data controller.

Data Processing Agreement

Our standalone Data Processing Agreement (UK GDPR Article 28) is available at /dpa and as a downloadable file at /legal/ozer-dpa.md. Questions: privacy@ozer.so.

SOC 2 Type II (Roadmap)

We are working toward SOC 2 Type II certification. Our infrastructure provider (Supabase/AWS) already holds SOC 2 Type II certification — details available at supabase.com/security.

Sub-processors

Ozer engages the following sub-processors to deliver the service. This register matches our Privacy Policy and DPA. Integrations that are not yet shipped are excluded.

NamePurposeData (high level)Location note
Supabase / AWSDatabase, auth, storageWorkspace and account dataEU West (Ireland)
StripeSaaS billing and ConnectCustomer IDs, subscription status; card PAN stays with Stripe[LEGAL REVIEW NEEDED]
AnthropicLLM featuresWorkspace / email / transcript text prompts[LEGAL REVIEW NEEDED]
GoogleGmail, Calendar, Workspace; Gemini if enabledMailbox, calendar, directory; AI prompts if wired[LEGAL REVIEW NEEDED]
Microsoft GraphSignatures directory and mailbox settingsStaff profile, photo, mailbox settings[LEGAL REVIEW NEEDED]
ZeptoMailTransactional emailRecipient, subject, HTML bodyEU API endpoint used in product
Bunny.netVideo hosting (Stream)Media files and video metadata[LEGAL REVIEW NEEDED]
Voyage AIEmbeddings (Second Brain) when keyedChunk / query text[LEGAL REVIEW NEEDED]
SonioxCloud realtime STT (web path)Audio stream / transcript[LEGAL REVIEW NEEDED]

We will update this page when sub-processors change. Formal change-notification timing under the DPA is [LEGAL REVIEW NEEDED — TBD].

Infrastructure & Hosting

Cloud Infrastructure

Ozer is hosted on Supabase, which runs on Amazon Web Services (AWS). AWS maintains ISO 27001, SOC 1, SOC 2, and SOC 3 certifications. Supabase itself holds SOC 2 Type II certification.

Physical Access Control

Ozer has no physical servers. All infrastructure is managed by Supabase/AWS, which operate enterprise-grade data centres with strict physical access controls.

Access Control

Access to Ozer's production database and infrastructure is restricted to authorised team members only. All access requires strong authentication. Database administration access is audited.

Row-Level Security

All data tables in Ozer enforce Row-Level Security (RLS) policies at the database level. This means every query is scoped to the authenticated user's workspace — it is architecturally impossible for one customer's data to be accessed by another.

Penetration Testing

We plan to conduct annual third-party penetration testing as we approach general availability. Customers with specific security assessment requirements should contact us at security@ozer.so.

Data Flow

Data in Transit

All data sent to and from Ozer is encrypted in transit using HTTPS with TLS 1.2 or above. All Ozer services reject connections using older TLS versions or insecure cipher suites.

Data at Rest

All data stored in Ozer is encrypted at rest using AES-256 encryption, managed by Supabase/AWS.

Data Residency

Ozer data is currently stored in the AWS EU West (Ireland) region. We do not transfer customer data outside of the EU/EEA without appropriate safeguards.

Backups

Supabase maintains automated daily database backups with point-in-time recovery. Backups are stored in encrypted form across multiple availability zones.

Application Security

Authentication

Ozer uses Supabase Auth for user authentication. Passwords are never stored in plain text. We support:

  • Email + password (with secure hashing via bcrypt)
  • Magic link / OTP login
  • Google OAuth (planned)
  • SAML/SSO (on roadmap for agency plans)

API Security

All Ozer API routes are authenticated. API keys are scoped and revocable. Rate limiting is applied to all public-facing endpoints.

Secure Development

All code changes to Ozer go through version control on GitHub, peer review, and automated testing before deployment. We follow OWASP secure development guidelines.

Dependency Management

We regularly audit our dependencies for known vulnerabilities using automated tooling. Critical vulnerabilities are patched on a priority basis.

Business Continuity

High Availability

Ozer is deployed on infrastructure designed for high availability. Supabase/AWS provides automatic failover across multiple availability zones.

Disaster Recovery

We maintain documented procedures for disaster recovery. In the event of a significant incident, we can restore service from automated backups.

Incident Response

Ozer has a documented Security Incident Response process. In the event of a security incident affecting customer data confidentiality, we will notify affected customers without undue delay and in compliance with our GDPR obligations (within 72 hours of becoming aware).

Status Page

Our live status page is available at status.ozer.so.

Vulnerability Disclosure

Reporting a Vulnerability

We take security disclosures seriously. If you discover a vulnerability in Ozer, please report it to us at security@ozer.so.

We ask that you:

  • Do not publicly disclose the vulnerability before we've had a chance to investigate and fix it
  • Provide enough detail for us to reproduce the issue
  • Act in good faith and avoid accessing or modifying other users' data

We will acknowledge your report within 2 business days, and will keep you updated as we investigate and resolve the issue.

Contact

For any security or privacy questions, contact us at security@ozer.so.

For DPA requests or GDPR queries, contact privacy@ozer.so.