Security
Your data is safe with us
Security is foundational to everything we build. Here is how we protect your data, our infrastructure, and your trust.
SOC 2 (in progress)
GDPR
TLS in transit
Need our security documentation or DPA?
Contact our security teamEncryption in transit and at the application layer
All traffic is encrypted in transit using TLS. Passwords are hashed with bcrypt and API keys are stored as hashes, never in plaintext. Sensitive credential fields - monitor authentication headers, integration secrets, and similar values - are encrypted at the application layer before they reach the database.
Infrastructure security
Our infrastructure runs on cloud providers that hold SOC 2 and ISO 27001 attestations. Services run as isolated containers with segmented responsibilities, so the web application, workers, and databases are separated from each other. All infrastructure changes go through code review.
SOC 2 (in progress)
OnChange is actively working toward a SOC 2 Type II attestation. We'll publish the report and make it available under NDA once the audit window closes. In the meantime, our security controls follow the SOC 2 control framework; we're happy to walk prospective Enterprise customers through them.
GDPR compliance
We comply with the General Data Protection Regulation. Data processing agreements are available for all customers. We support data export and deletion requests. Our EU customers' data can be processed in EU regions upon request.
Access control
We enforce the principle of least privilege: access to production systems is limited to the people who operate them and to what each role requires. Access is revoked upon role change or departure.
Monitoring and incident response
We collect logs and error telemetry from our systems and investigate anomalies as they surface. When a security incident occurs, we remediate it, review what happened, and disclose promptly and transparently.
Secure development
Code changes go through review before deployment, and we use static analysis and dependency vulnerability scanning to catch issues early. Security-sensitive areas such as authentication, payments, and webhook verification receive extra scrutiny.
Responsible disclosure
If you discover a security vulnerability in OnChange, we appreciate responsible disclosure. Please email contact@onchange.app with details. We will acknowledge receipt within 24 hours and work with you to understand and resolve the issue. We do not pursue legal action against security researchers acting in good faith.
contact@onchange.app