
Security at Ochre

Plain-English tour of how Ochre protects your data: encryption, RLS isolation, webhook verification, and what we will share on request.

By Christopher · Updated · 3 min read

Ochre stores your support conversations, customer profiles, and AI artifacts. That is sensitive data, and we treat it that way. This page is the short version of how we protect it. Specific topics have their own articles, linked throughout.

What we protect

Three buckets cover most of it.

  1. Conversation content. Inbound emails, chat messages, attachments, internal notes, mentions, and AI drafts.
  2. Customer data. Profiles, custom fields, Stripe context, HubSpot context, conversation history.
  3. Configuration and credentials. Integration tokens, BYOK API keys, webhook secrets, routing rules.

Each bucket has its own controls. BYOK keys, OAuth tokens, and other secrets are encrypted at rest with a dedicated OCHRE_BYOK_ENC_KEY (separate from the Postgres service role key), so even a database snapshot does not leak them.

Where the data lives

Ochre runs on Postgres hosted by Supabase, on AWS in us-east-2 (Ohio). Application servers run on Vercel. Encryption at rest is AES-256, handled by Supabase and AWS at the volume layer. Encryption in transit is TLS 1.3. The full story is in Where Ochre stores your data.

EU residency is on the roadmap, not shipped. We will say so plainly rather than promise a date.

How workspaces stay isolated

Ochre is multi-tenant. Every workspace is an org, and every row in every public table carries an org_id. Postgres row-level security (RLS) enforces that you can only ever see rows in your own org, regardless of bugs in application code.

Service-role code on the server is the only thing that can bypass RLS, and it always runs behind explicit auth gates that re-check the caller's org. Read the deep dive in How workspace isolation works.

Who can do what

Ochre has four roles: owner, admin, agent, and light agent. Owners and admins can change billing, integrations, and danger-zone settings. Agents handle conversations. Light agents are read-only. The full matrix is in Roles explained.

Webhook verification

Inbound webhooks from Resend, Slack, HubSpot, Linear, GitHub, and Stripe are signature-verified before we trust the payload. We use HMAC-SHA256 with crypto.timingSafeEqual. Replay protection is enforced with a timestamp window for Resend, Slack, HubSpot, and Linear, and with delivery-id dedupe for GitHub. Stripe uses its official SDK verifier. See How Ochre verifies inbound webhooks.
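
The two replay defences described above, sketched in Node.js as an added example (this is not Ochre's code). The signed-string formats, the 300-second window, the function names, and the in-memory dedupe set are assumptions made for illustration; each provider defines its own header and signing format.

```javascript
const crypto = require('node:crypto');

const TOLERANCE_SECONDS = 300; // assumed window; the page does not give Ochre's value

// Constant-time comparison of a hex signature against the expected MAC bytes.
function macMatches(secret, message, signatureHex) {
  const expected = crypto.createHmac('sha256', secret).update(message).digest();
  const given = Buffer.from(String(signatureHex), 'hex');
  // timingSafeEqual throws on unequal lengths, so check length first.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Timestamp-window scheme (assumed format: MAC over `${timestamp}.${rawBody}`).
// rawBody must be the exact bytes received, before any JSON parsing.
function verifyTimestamped(secret, rawBody, timestamp, signatureHex, nowSeconds) {
  if (!/^\d+$/.test(String(timestamp))) return { ok: false, reason: 'bad-timestamp' };
  if (!macMatches(secret, `${timestamp}.${rawBody}`, signatureHex)) {
    return { ok: false, reason: 'bad-signature' };
  }
  // The timestamp is covered by the MAC, so it is trustworthy once the MAC passes.
  if (Math.abs(nowSeconds - Number(timestamp)) > TOLERANCE_SECONDS) {
    return { ok: false, reason: 'stale' };
  }
  return { ok: true, reason: 'accepted' };
}

// Delivery-id dedupe scheme (assumed format: MAC over the raw body only).
// The in-memory Set is illustrative; several servers need a shared store with expiry.
function makeDedupeVerifier(secret) {
  const seen = new Set();
  return (rawBody, deliveryId, signatureHex) => {
    if (!macMatches(secret, rawBody, signatureHex)) return { ok: false, reason: 'bad-signature' };
    if (seen.has(deliveryId)) return { ok: false, reason: 'duplicate' };
    seen.add(deliveryId);
    return { ok: true, reason: 'accepted' };
  };
}

// Constructed sample delivery (not a real provider payload).
const SECRET = 'whsec_constructed_example';
const BODY = '{"event":"conversation.created","id":"evt_1"}';
const SENT_AT = 1700000000;
const SIG = crypto.createHmac('sha256', SECRET).update(`${SENT_AT}.${BODY}`).digest('hex');

console.log(verifyTimestamped(SECRET, BODY, SENT_AT, SIG, SENT_AT + 10));   // accepted
console.log(verifyTimestamped(SECRET, BODY, SENT_AT, SIG, SENT_AT + 3600)); // stale
```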

Survey response tokens are signed with HMAC using a dedicated OCHRE_SURVEY_TOKEN_SECRET, separate from the service role key.

What we have today

  • AES-256 encryption at rest (Supabase / AWS volume layer).
  • TLS 1.3 in transit on every public endpoint.
  • RLS policies isolating every tenant by org_id.
  • BYOK and OAuth tokens encrypted with OCHRE_BYOK_ENC_KEY. Customers can rotate BYOK keys by re-pasting in settings.
  • Webhook signature verification + replay protection on every inbound integration.
  • Survey HMAC token signing with a dedicated secret.
  • DPA available on request.
  • GDPR data export via concierge (email hello@ochrehq.com).
  • Production access controls for Ochre engineers (short-lived credentials, logged).

What we do not have today

We will be honest:

  • Not SOC 2 certified, no audit currently underway. SOC 2 is on the roadmap. See SOC 2 status.
  • No in-product audit log. We do not have an audit_log table or UI. If you need this for compliance, tell us during procurement and we will scope it.
  • No self-serve SSO / SCIM / IP allowlist. Available on request as a concierge service for Scale customers: email hello@ochrehq.com.
  • No EU data residency. All workspaces live in us-east-2. EU is on the roadmap.
  • No one-button data export. Export is a concierge process via email — see GDPR and your data rights.

GDPR, export, and deletion

Your data is portable: email hello@ochrehq.com and we produce a JSON export. Workspace deletion has a 30-day grace period, then a hard delete. End-user (your customer's) erasure requests are handled via support. The full picture is in GDPR and your data rights.

Reporting a vulnerability

If you think you have found a security issue, email hello@ochrehq.com with SECURITY in the subject. We respond fast, we credit reporters when they want it, and we do not threaten researchers. We do not currently run a paid bug bounty.
