Security by default — not as an add-on.
We treat your customer and invoice data as if it were our own. That is the foundation for trusting OffertEase with real work.
Encryption
TLS 1.3 everywhere. Data at rest is encrypted with AES-256. Passwords are hashed with bcrypt in Supabase Auth.
EU hosting
All data is stored in Supabase Stockholm (eu-north-1) and never crosses into third countries.
Row-Level Security
Postgres RLS isolates each user’s data at the database level. No freelancer can see another’s.
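One way to implement the per-user isolation described here, as an added illustration that is not OffertEase's own schema or policies. The table and column names (invoices, owner_id) and the Supabase helper auth.uid() are assumptions.

```sql
-- Added example, not OffertEase's own schema. Table/column names are assumed;
-- auth.uid() is the Supabase helper that returns the caller's JWT subject as a uuid.
create table if not exists invoices (
  id uuid primary key default gen_random_uuid(),
  owner_id uuid not null default auth.uid(),
  customer_name text not null,
  amount_cents integer not null check (amount_cents >= 0),
  created_at timestamptz not null default now()
);

-- With RLS enabled and no policies, non-owner roles see nothing by default.
-- FORCE also applies the policies to the table owner, so there is no bypass role.
alter table invoices enable row level security;
alter table invoices force row level security;

-- Read: a freelancer sees only rows whose owner_id matches their JWT subject.
create policy invoices_select_own on invoices
  for select to authenticated
  using (owner_id = auth.uid());

-- Insert: the client cannot create a row on behalf of another user.
create policy invoices_insert_own on invoices
  for insert to authenticated
  with check (owner_id = auth.uid());

-- Update: both the existing row and the new values must belong to the caller,
-- so a row cannot be "moved" to another tenant.
create policy invoices_update_own on invoices
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy invoices_delete_own on invoices
  for delete to authenticated
  using (owner_id = auth.uid());

-- Check: impersonate two users inside a transaction and run a cross-tenant read.
-- (auth.uid() reads the 'sub' claim from the request.jwt.claims setting.)
begin;
set local role authenticated;
select set_config('request.jwt.claims', '{"sub":"11111111-1111-1111-1111-111111111111"}', true);
insert into invoices (customer_name, amount_cents) values ('Example Customer AB', 125000);
select set_config('request.jwt.claims', '{"sub":"22222222-2222-2222-2222-222222222222"}', true);
select count(*) from invoices;  -- user two's view: RLS filters out user one's row
rollback;
```

The final block is the kind of check worth keeping in a migration test: if a policy is later dropped or loosened, the cross-tenant count stops being zero and the test fails.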
Backups & updates
Automatic backups around the clock. Security updates are rolled out within 24 hours.
Infrastructure
- Supabase (EU, Stockholm) — authentication, Postgres, storage. SOC 2 Type II, HIPAA and GDPR compliant.
- Vercel — application hosting with automatic HTTPS, DDoS protection and edge firewall.
- Stripe — payments. PCI-DSS Level 1 certified. We never store card data.
- Upstash Redis — rate limiting on public endpoints (10 req/min per IP).
- Sentry — error tracking and monitoring without logging customer data.
Secure development practices
- Dependency scanning on every pull request (Dependabot).
- Type-safe code from top to bottom (TypeScript strict).
- Server-side validation on all write operations — we never trust the client alone.
- Cron jobs are authenticated with CRON_SECRET — not open endpoints.
- Public links (customer approval) use UUID tokens that cannot be guessed.
Responsible disclosure
Found a vulnerability? We appreciate it if you report it directly to security@offertease.com. We respond within 48 hours and are happy to credit you in our Hall of Thanks.
We ask you to:
- Avoid accessing data that is not your own.
- Not run DoS tests or large-scale scans against production.
- Give us reasonable time to fix the issue before public disclosure.
Questions about security
Building something bigger or need a signed DPA? Email security@offertease.com and we will sort it out.