Security and data protection are foundational to Ozer. We're committed to keeping your client data, business information, and team communications safe — and being transparent about how we do it.
Last updated: July 2026
Ozer is designed to comply with the UK GDPR and EU GDPR. We act as a Data Processor for the data you store in Ozer, and as a Data Controller for the account and usage data we collect directly. We do not sell your data to third parties under any circumstances.
Ozer is operated by Oodle Design Ltd, a UK registered company. We are registered with the UK Information Commissioner's Office (ICO) as a data controller.
Our standalone Data Processing Agreement (UK GDPR Article 28) is available at /dpa and as a downloadable file at /legal/ozer-dpa.md. Questions: privacy@ozer.so.
We are working toward SOC 2 Type II certification. Our infrastructure provider (Supabase/AWS) already holds SOC 2 Type II certification — details available at supabase.com/security.
Ozer engages the following sub-processors to deliver the service. This register matches our Privacy Policy and DPA. Integrations that are not yet shipped are excluded.
| Name | Purpose | Data (high level) | Location note |
|---|---|---|---|
| Supabase / AWS | Database, auth, storage | Workspace and account data | EU West (Ireland) |
| Stripe | SaaS billing and Connect | Customer IDs, subscription status; card PAN stays with Stripe | [LEGAL REVIEW NEEDED] |
| Anthropic | LLM features | Workspace / email / transcript text prompts | [LEGAL REVIEW NEEDED] |
| Gmail, Calendar, Workspace; Gemini if enabled | Mailbox, calendar, directory; AI prompts if wired | [LEGAL REVIEW NEEDED] | |
| Microsoft Graph | Signatures directory and mailbox settings | Staff profile, photo, mailbox settings | [LEGAL REVIEW NEEDED] |
| ZeptoMail | Transactional email | Recipient, subject, HTML body | EU API endpoint used in product |
| Bunny.net | Video hosting (Stream) | Media files and video metadata | [LEGAL REVIEW NEEDED] |
| Voyage AI | Embeddings (Second Brain) when keyed | Chunk / query text | [LEGAL REVIEW NEEDED] |
| Soniox | Cloud realtime STT (web path) | Audio stream / transcript | [LEGAL REVIEW NEEDED] |
We will update this page when sub-processors change. Formal change-notification timing under the DPA is [LEGAL REVIEW NEEDED — TBD].
Ozer is hosted on Supabase, which runs on Amazon Web Services (AWS). AWS maintains ISO 27001, SOC 1, SOC 2, and SOC 3 certifications. Supabase itself holds SOC 2 Type II certification.
Ozer has no physical servers. All infrastructure is managed by Supabase/AWS, which operate enterprise-grade data centres with strict physical access controls.
Access to Ozer's production database and infrastructure is restricted to authorised team members only. All access requires strong authentication. Database administration access is audited.
All data tables in Ozer enforce Row-Level Security (RLS) policies at the database level. This means every query is scoped to the authenticated user's workspace — it is architecturally impossible for one customer's data to be accessed by another.
We plan to conduct annual third-party penetration testing as we approach general availability. Customers with specific security assessment requirements should contact us at security@ozer.so.
All data sent to and from Ozer is encrypted in transit using HTTPS with TLS 1.2 or above. All Ozer services reject connections using older TLS versions or insecure cipher suites.
All data stored in Ozer is encrypted at rest using AES-256 encryption, managed by Supabase/AWS.
Ozer data is currently stored in the AWS EU West (Ireland) region. We do not transfer customer data outside of the EU/EEA without appropriate safeguards.
Supabase maintains automated daily database backups with point-in-time recovery. Backups are stored in encrypted form across multiple availability zones.
Ozer uses Supabase Auth for user authentication. Passwords are never stored in plain text. We support:
All Ozer API routes are authenticated. API keys are scoped and revocable. Rate limiting is applied to all public-facing endpoints.
All code changes to Ozer go through version control on GitHub, peer review, and automated testing before deployment. We follow OWASP secure development guidelines.
We regularly audit our dependencies for known vulnerabilities using automated tooling. Critical vulnerabilities are patched on a priority basis.
Ozer is deployed on infrastructure designed for high availability. Supabase/AWS provides automatic failover across multiple availability zones.
We maintain documented procedures for disaster recovery. In the event of a significant incident, we can restore service from automated backups.
Ozer has a documented Security Incident Response process. In the event of a security incident affecting customer data confidentiality, we will notify affected customers without undue delay and in compliance with our GDPR obligations (within 72 hours of becoming aware).
Our live status page is available at status.ozer.so.
We take security disclosures seriously. If you discover a vulnerability in Ozer, please report it to us at security@ozer.so.
We ask that you:
We will acknowledge your report within 2 business days, and will keep you updated as we investigate and resolve the issue.
For any security or privacy questions, contact us at security@ozer.so.
For DPA requests or GDPR queries, contact privacy@ozer.so.