Trust Center
Transparency on security, privacy, and reliability at oxom.
Controls & Measures
Access to protected areas runs through Clerk authentication.
Access is segmented through roles such as Admin, Editor, and Member.
Permissions are kept as narrow as the workspace and task context allows.
Changes are reviewed before they are published.
Dependencies are monitored and updated continuously.
Additional guardrails for abuse-prone endpoints are planned.
Platform connections are designed around HTTPS/TLS.
Backup capabilities are primarily provided by our infrastructure vendors.
Expanded security audit logs for more transparency are planned.
Data access is constrained through workspace scoping and Supabase RLS policies.
Platform, subdomain, and custom-domain routing follows a tenant resolution model.
Security Advisories
OXOM-2026-001
An internal database function for decrypting stored API credentials was accessible without authentication via the REST API. Access has been restricted to server-side service role only. No evidence of unauthorized access was found.
Sub-processors
| Vendor | Purpose | Location | Link |
|---|---|---|---|
| Vercel | Hosting and edge delivery | EU/US (provider dependent) | vercel.com |
| Supabase | Postgres database and platform services | EU/US (provider dependent) | supabase.com |
| Clerk | Authentication and session management | EU/US (provider dependent) | clerk.com |
| Anthropic | AI features | Varies | www.anthropic.com |
| OpenAI | AI features | Varies | openai.com |
| Dub | Link infrastructure | Varies | dub.co |
| Liveblocks | Collaboration | EU/US (provider dependent) | liveblocks.io |
| Cloudflare | Object storage (R2) | EU/US (provider dependent) | www.cloudflare.com |
| Stripe | Payments and billing | EU/US (provider dependent) | stripe.com |
| DeepL | Translation and language processing | EU/US (provider dependent) | www.deepl.com/en |
| ElevenLabs | Text to speech | Varies | elevenlabs.io |
| Upstash | Redis-based rate limiting | EU/US (provider dependent) | upstash.com |
| Discord | Community and announcement integrations | Varies | discord.com |
| Twitch | Command and bot integrations | Varies | www.twitch.tv |
| Linear | Issue tracking and internal ticketing | Varies | linear.app |
| Buffer | Social scheduling and publishing | Varies | buffer.com |
Vulnerability Disclosure
Please report security issues to security@oxom.de and include the affected URL, reproduction steps, and expected impact.
Testing must not disrupt production systems and must use only the minimum necessary data access.
Response Goals
- Initial acknowledgment within 72 hours.
- Critical: target first mitigation within 72 hours.
- High: target remediation within 7 days.
- Medium: target remediation within 30 days.
- Low: target remediation within 90 days.
Safe Harbor: good-faith, responsible reports are supported, provided testing is legal, non-destructive, and kept to a limited scope.
FAQs
Where is my data stored?
Data sits with selected infrastructure providers. Where sensible and available, we prefer EU-near deployments.
How do you separate workspaces?
Workspace data is isolated at the application layer and through Supabase Row-Level Security (RLS).
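The workspace isolation described in this answer and the "service role only" restriction applied in advisory OXOM-2026-001 above, shown as an added SQL example. This is not oxom's own schema or code: the table, column and function names are hypothetical, the roles `anon`, `authenticated` and `service_role` are Supabase's default API roles, `auth.uid()` is Supabase's JWT helper, and the key handling is illustrative only.

```sql
-- Added example (not oxom's code). Assumed: a Supabase project where
-- PostgREST exposes the public schema, so every table and function in it
-- is reachable over the REST API by anon / authenticated callers.
create extension if not exists pgcrypto;

-- Hypothetical tenant membership table (its own RLS policies are omitted here).
create table public.workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null,
  role         text not null check (role in ('admin', 'editor', 'member')),
  primary key (workspace_id, user_id)
);

-- Hypothetical tenant-scoped data table.
create table public.documents (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  title        text not null,
  body         text
);

-- Does the calling user hold one of the allowed roles in workspace ws?
-- security invoker: evaluated with the caller's privileges, not the owner's.
create or replace function public.has_workspace_role(ws uuid, allowed text[])
returns boolean language sql stable security invoker as $$
  select exists (
    select 1 from public.workspace_members m
    where m.workspace_id = ws
      and m.user_id = auth.uid()
      and m.role = any (allowed)
  )
$$;

-- Workspace scoping: no row is visible or writable unless a policy allows it.
-- force row level security applies the policies to the table owner as well.
alter table public.documents enable row level security;
alter table public.documents force row level security;

create policy documents_select_member on public.documents
  for select to authenticated
  using (public.has_workspace_role(workspace_id, array['admin', 'editor', 'member']));

create policy documents_insert_editor on public.documents
  for insert to authenticated
  with check (public.has_workspace_role(workspace_id, array['admin', 'editor']));

create policy documents_update_editor on public.documents
  for update to authenticated
  using (public.has_workspace_role(workspace_id, array['admin', 'editor']))
  with check (public.has_workspace_role(workspace_id, array['admin', 'editor']));

create policy documents_delete_admin on public.documents
  for delete to authenticated
  using (public.has_workspace_role(workspace_id, array['admin']));

-- Hypothetical store of encrypted third-party credentials.
create table public.integration_secrets (
  id            uuid primary key default gen_random_uuid(),
  workspace_id  uuid not null,
  secret_cipher bytea not null
);

-- Sensitive helper: decrypts a stored credential. security definer runs with
-- the owner's privileges, so EXECUTE on it must not be handed to API roles.
-- The symmetric key from current_setting is illustrative key handling only.
create or replace function public.decrypt_integration_secret(integration_id uuid)
returns text language sql security definer set search_path = public as $$
  select pgp_sym_decrypt(secret_cipher, current_setting('app.integration_key', true))
  from public.integration_secrets
  where id = integration_id
$$;

-- Postgres grants EXECUTE on a new function to PUBLIC by default, and PostgREST
-- exposes every function in the API schema as an RPC endpoint. The fix in
-- OXOM-2026-001 amounts to this: API roles lose EXECUTE, the server-side
-- service role keeps it.
revoke execute on function public.decrypt_integration_secret(uuid)
  from public, anon, authenticated;
grant execute on function public.decrypt_integration_secret(uuid)
  to service_role;

-- Stop the default PUBLIC grant for functions created in this schema later.
alter default privileges in schema public revoke execute on functions from public;

-- Check: list API-exposed functions that anon or authenticated may still execute.
-- An empty result for sensitive helpers is the expected state.
select p.proname
from pg_proc p
join pg_namespace n on n.oid = p.pronamespace
where n.nspname = 'public'
  and (has_function_privilege('anon', p.oid, 'execute')
    or has_function_privilege('authenticated', p.oid, 'execute'));
```

The final query is the routine check worth keeping in a migration test or CI step: RLS protects rows, but a SECURITY DEFINER function bypasses it by design, so the grant list on each function in the exposed schema is the control that actually matters for that class of helper.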
Does oxom support custom domains?
Yes. Subdomains and custom domains are part of the platform's domain mapping model.
How can I report a security issue?
Please email security@oxom.de and include the affected URL, reproduction steps, and possible impact.
Do you run a bug bounty program?
A public bug bounty program is not currently announced. Coordinated disclosure is available via the security contact.
Do you support SSO?
A public SSO status is not separately documented yet. Please contact support for the current state.
How do you handle AI data?
AI features may use external model providers. We aim to send only the necessary data and minimize scope.
How quickly do you respond to security reports?
The target is an initial acknowledgment within 72 hours and prioritized remediation by severity.
Last updated: February 22, 2026