Skip to main content
OllieSafe
Trust

Security & Trust

OllieSafe is built for OSHA-regulated employers. This page consolidates how we protect customer data, where it lives, who else processes it, and how to reach our security team.

How we protect your data

Enterprise-grade security, every plan.

Infrastructure security

Hosted on Google Cloud Platform with VPC-native networking, Cloud Armor WAF, and automated patching. All data stored in US-based regions.

Encryption everywhere

256-bit AES encryption at rest for all data. TLS 1.3 in transit. Database connections are SSL-enforced with certificate verification.

Tenant isolation

PostgreSQL row-level security (RLS) enforces strict tenant boundaries at the database layer. No application-level workarounds — isolation is guaranteed by the engine.

Access controls

Role-based access with owner, admin, manager, and member tiers. Firebase Authentication handles identity with MFA support. Session tokens rotate automatically.

Audit trail

Every data mutation is logged with actor, timestamp, and before/after state. Audit logs are designed for controlled retention and review in regulated workflows.

Compliance & certifications

SOC 2 Type II audit in progress with a target of Q3 2026; ISO 27001 evaluation targeted for 2027. Privacy controls are designed to support regulated employer workflows. See /security for the full certifications roadmap and DPA / BAA posture.

Trust & controls

Built for audit-ready safety operations.

The platform is designed to support regulated workflows, secure data isolation, and enterprise review without forcing teams back into binders, screenshots, and spreadsheet handoffs.

TLS 1.3
Encryption in transit
256-bit AES
Encryption at rest
Row-level security
Tenant isolation
MFA + RBAC
Identity controls
Hash-chained audit log
Tamper-evident history
SOC 2 in progress
Type II target Q3 2026
GDPR-aligned DPA
Available on request

Data residency

All customer production data is stored in Google Cloud Platform's us-west1 region. Backups, replicas, and logs remain inside the same region. OllieSafe does not replicate customer data outside the United States today; if your procurement requires EU, UK, Canada, or APAC residency, contact us at [email protected] so we can scope the requirement against our regional roadmap.

Sub-processors

OllieSafe contracts with a small set of sub-processors to deliver the service (cloud infrastructure, identity, billing, communications). The full public list with categories of Personal Data Processed, processing location, and 30-day change-notification commitment is published at /legal/subprocessors.

Data Processing Addendum (DPA)

A baseline DPA template referencing the EU Standard Contractual Clauses (Module 2: controller-to-processor), the UK International Data Transfer Addendum, and CCPA Service-Provider terms is published at /legal/dpa. To request an executable copy or submit redlines, email [email protected].

Business Associate Agreement (BAA)

OllieSafe is not a HIPAA covered entity or Business Associate today. Customers with protected health information (PHI) exposure should treat OllieSafe as outside the BAA boundary and should not upload PHI into the platform. If your safety program intersects with PHI handling, contact us so we can scope an appropriate path forward.

Vulnerability disclosure

We welcome reports from security researchers. Send findings to [email protected]. Our machine-readable contact is published at /.well-known/security.txt per RFC 9116.

We follow a 90-day coordinated disclosure window from initial triage to public acknowledgement. We will not pursue legal action against researchers who:

  • Make a good-faith effort to avoid privacy violations, data destruction, or service interruption.
  • Give us a reasonable opportunity to remediate before public disclosure.
  • Do not exploit findings beyond what is necessary to confirm them.
  • Refrain from social engineering, physical attacks, and denial-of-service testing against production.

Status page

A public status page at status.olliesafe.com is provisioning alongside this trust surface. Until it goes live, subscribe to incident notifications by emailing [email protected].

Certifications roadmap

OllieSafe does not hold a third-party security attestation today. Active engagements:

  • SOC 2 Type II — audit in progress; attestation target Q3 2026. Type 1 issuance precedes Type 2 by the evidence-period boundary; both will be available under NDA on request once issued.
  • ISO 27001:2022 — evaluation begins after SOC 2 Type II issuance; certification target 2027.
  • HIPAA / BAA — not in scope today (see "Business Associate Agreement" above).
  • FedRAMP / StateRAMP — tracked as a follow-on after ISO 27001; no committed date.

Buyers in active procurement can request a roadmap call or be notified when SOC 2 Type 1 issues by emailing [email protected]. The marketing claims on this page reflect what currently ships, not aspirational posture.

Contact

Security and trust inquiries: [email protected]. Privacy and data-subject requests: [email protected]. Legal and contract: [email protected].

Claim launch offer