Skip to main content

Security

Your data is safe with us

Security is foundational to everything we build. Here is how we protect your data, our infrastructure, and your trust.

SOC 2 (in progress)

GDPR

TLS in transit

Need our security documentation or DPA?

Contact our security team

Encryption in transit and at the application layer

All traffic is encrypted in transit using TLS. Passwords are hashed with bcrypt and API keys are stored as hashes, never in plaintext. Sensitive credential fields - monitor authentication headers, integration secrets, and similar values - are encrypted at the application layer before they reach the database.

Infrastructure security

Our infrastructure runs on cloud providers that hold SOC 2 and ISO 27001 attestations. Services run as isolated containers with segmented responsibilities, so the web application, workers, and databases are separated from each other. All infrastructure changes go through code review.

SOC 2 (in progress)

OnChange is actively working toward a SOC 2 Type II attestation. We'll publish the report and make it available under NDA once the audit window closes. In the meantime, our security controls follow the SOC 2 control framework; we're happy to walk prospective Enterprise customers through them.

GDPR compliance

We comply with the General Data Protection Regulation. Data processing agreements are available for all customers. We support data export and deletion requests. Our EU customers' data can be processed in EU regions upon request.

Access control

We enforce the principle of least privilege: access to production systems is limited to the people who operate them and to what each role requires. Access is revoked upon role change or departure.

Monitoring and incident response

We collect logs and error telemetry from our systems and investigate anomalies as they surface. When a security incident occurs, we remediate it, review what happened, and disclose promptly and transparently.

Secure development

Code changes go through review before deployment, and we use static analysis and dependency vulnerability scanning to catch issues early. Security-sensitive areas such as authentication, payments, and webhook verification receive extra scrutiny.

Responsible disclosure

If you discover a security vulnerability in OnChange, we appreciate responsible disclosure. Please email contact@onchange.app with details. We will acknowledge receipt within 24 hours and work with you to understand and resolve the issue. We do not pursue legal action against security researchers acting in good faith.

Contact security team

contact@onchange.app