Trust & Safety
Security
How we protect your data and how to report a vulnerability.
Encryption
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). API credentials and OAuth tokens are stored encrypted at the application layer in addition to database-level encryption.
Authentication
JWT bearer tokens with short expiry. HMAC-signed OAuth state parameters prevent CSRF attacks on all OAuth flows. Session tokens invalidated on logout.
Tenant Isolation
Every database query is scoped to the authenticated tenant. Multi-tenant isolation is enforced at the query layer — no shared-row or row-level-security bypass is possible.
Access Control
Role-based access control following the principle of least privilege. OCS staff have no standing access to tenant data. All privileged operations require MFA and are audit-logged.
Security Practices
- All API credentials, OAuth tokens, and secrets are stored encrypted at the application layer using envelope encryption.
- Outbound webhook payloads are signed with HMAC-SHA256. Incoming webhooks are verified before processing.
- Database access uses parameterised queries exclusively — no string interpolation. SQL injection is structurally prevented.
- XSS is mitigated by using React's DOM API throughout; no raw HTML injection. Content Security Policy headers are applied.
- Structured audit logs capture all significant actions (logins, data exports, configuration changes, AI workflow outcomes).
- Dependencies are monitored for known vulnerabilities. Security patches are applied within 72 hours of a critical advisory.
- Penetration testing is conducted on a regular basis by independent third parties.
- Production infrastructure is isolated from development and staging environments.
- Database backups are encrypted, tested for restorability, and retained for 30 days.
Google OAuth Security
OmniReach implements Google OAuth following Google's security requirements:
- OAuth state parameters are HMAC-signed and verified on callback to prevent CSRF attacks.
- OAuth tokens are stored encrypted and scoped to the individual Tenant — never shared between Tenants.
- We request only the minimum OAuth scopes required for the features you enable.
- Tokens are invalidated and deleted immediately upon disconnection.
- Users can revoke access at any time via myaccount.google.com/permissions.
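The HMAC-signed OAuth state parameter described above (under Authentication and in the first bullet here) can be illustrated with the following added example; this is not OmniReach's own code. It assumes a server-side key, a 10-minute validity window, and that the tenant id is known when the login is started and again when the callback arrives; the state carries a random nonce, an issue time and the tenant id, and the callback handler verifies the MAC in constant time before trusting any of them.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

STATE_MAX_AGE_SECONDS = 600  # assumption: a state is only valid for 10 minutes


def _sign(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()


def make_state(key: bytes, tenant_id: str, now: Optional[float] = None) -> str:
    """Mint an OAuth state: urlsafe-b64(json payload) + '.' + urlsafe-b64(HMAC-SHA256)."""
    payload = {
        "t": tenant_id,                  # tenant the login was started for
        "n": secrets.token_urlsafe(16),  # random nonce: every state is unique and unguessable
        "iat": int(now if now is not None else time.time()),
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(_sign(key, body)).decode())


def verify_state(key: bytes, state: str, expected_tenant: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the state is authentic, fresh and bound to this tenant, else None."""
    try:
        body_b64, sig_b64 = state.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return None  # malformed state
    # Check the MAC first, in constant time, before trusting anything inside the payload.
    if not hmac.compare_digest(sig, _sign(key, body)):
        return None  # forged or tampered state: reject the callback
    payload = json.loads(body)
    current = now if now is not None else time.time()
    if current - payload["iat"] > STATE_MAX_AGE_SECONDS:
        return None  # stale state (replay of an old callback)
    if payload["t"] != expected_tenant:
        return None  # state minted for another tenant's session
    return payload
```

A callback that gets `None` from `verify_state` should be treated as a CSRF attempt or a broken link and never exchange the authorization code.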
Incident Response
In the event of a confirmed security incident, OCS will:
- Contain and remediate the incident as quickly as possible.
- Notify affected Tenants within 72 hours of confirmation where required by applicable law.
- Provide a post-incident report describing root cause, impact, and remediation steps.
- Cooperate with regulatory authorities as required.
Vulnerability Disclosure
If you have discovered a potential security vulnerability in OmniReach, please report it responsibly. Do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate.
Report security vulnerabilities to: security@omnicybersolutions.com
Please include in your report:
- A clear description of the vulnerability and its potential impact
- Steps to reproduce or proof-of-concept (if available)
- The URL, endpoint, or component affected
- Your contact details for follow-up
We will acknowledge your report within 2 business days and aim to provide an initial assessment within 5 business days. We will keep you informed of our progress and notify you when the vulnerability has been remediated. We appreciate responsible security research and will credit researchers where they consent to public acknowledgement.
Scope: We accept reports for vulnerabilities in omnireach.omnicybersolution.com and its subdomains. Out of scope: social engineering attacks, physical security, denial-of-service attacks, and vulnerabilities in third-party services.