Trust posture
Where we are today, in plain language. No badges we haven't earned.
SOC 2 Type II
In progress: Audit underway with target completion Q4 2026. Type I controls in place.
Status page
Live: Real-time uptime and incident history at /status.
Data Processing Agreement
Available: Standard DPA on request to legal@onetimelogin.com.
Sub-processors
Published: Full list with regions and purpose below.
Data flow
Every request your users make traverses these layers. Encryption boundaries are marked.
Violet boundary: TLS 1.3 from the browser through Nginx termination. Green boundary: AES-256 at rest, applied at PostgreSQL and at the filesystem layer for Redis on the VPS. Internal hops between Nginx and Uvicorn ride the loopback interface only and are not exposed to the network.
Encryption
- In transit: TLS 1.3 only. Older protocols and weak ciphers are disabled at the edge and at Nginx. HSTS is enforced.
- At rest: AES-256. PostgreSQL data uses native encryption; the VPS volume that holds Redis snapshots is filesystem-encrypted.
- Tokens: access tokens live in sessionStorage only — never localStorage. They expire on tab close and on idle timeout.
- JWTs: signed with RS256 using a private key held in AWS Secrets Manager and rotated on schedule. Public keys are exposed at a JWKS endpoint for partner verification.
- Passwords: bcrypt with 12 rounds. We never store, log, or transmit plain-text passwords.
Authentication & session
Server-side revocation
Every JWT carries a session_version stamp. Bumping the user's stored version invalidates every issued token instantly — no waiting for expiry.
Multi-factor authentication
TOTP-based MFA is available for all owner accounts and can be enabled for end users in your network. Step-up MFA is required on admin actions.
Idle & absolute timeouts
Idle timeout configurable; absolute lifetime caps every session regardless of activity. Sessions are invalidated on password change.
Degraded-mode header
When Redis is unreachable, responses include X-Auth-Degraded: 1 so partner sites can fail closed on sensitive flows.
Data handling & retention
Owner data: deleted within 30 days of a written deletion request to legal@onetimelogin.com. Backups containing owner data roll off within their stated retention window.
End-user data: end users register against a website in our network. The registering website is the data controller; OneTimeLogin acts as a processor under our DPA. We do not sell, rent, or repurpose end-user identity data.
Audit logs: retained for at least 12 months for security investigation. Access to logs is restricted by RBAC, and each access is itself recorded in the audit log.
Sub-processors
We notify customers in advance of material changes to this list.
Last updated:
Incident response
Notification SLA on confirmed breaches affecting customer data.
Severity-tiered response with documented runbooks and on-call rotation.
Direct email to the owner contact on file and a public update on /status.
Post-incident, we publish a written summary covering scope, root cause, remediation, and follow-up. Affected customers receive the report directly before public disclosure.
Compliance roadmap
SOC 2 Type II
Type I controls in place. Type II observation window in progress.
GDPR
DPA, sub-processor list, and SCCs available for EU/UK transfers.
CCPA
Consumer-rights request workflow available on request.
HIPAA
Not in scope today. We do not sign BAAs and do not recommend OneTimeLogin for PHI workloads.
Vulnerability disclosure
Found something? Email security@onetimelogin.com with reproduction steps, affected endpoints, and your preferred attribution. We acknowledge within two business days.
We follow a coordinated disclosure window of 90 days from acknowledgment, extendable by mutual agreement when a fix is non-trivial. We do not pursue good-faith researchers acting within scope.
A public researcher acknowledgments page is being prepared and will live at /security/acknowledgments.
Have a security question?
We answer real questions from real evaluators. No gatekeeping, no NDA wall.