Data protection

What we protect, and how.

Owly handles bills — which means account numbers, addresses, and sometimes income details. The agency takes that seriously. Here is the honest version of our security posture.

Encryption in transit and at rest.

All traffic uses TLS 1.2+. Stored data is encrypted at rest with AES-256. Sensitive identifiers (bill account numbers, last-four digits) are hashed before they hit the database.

TLS · AES-256

Auth that doesn’t cut corners.

Password hashing uses Argon2id with high memory cost. Two-factor authentication (TOTP) is available today and on-by-default for all accounts soon. Session tokens rotate on sensitive actions.

Argon2id · TOTP

Infrastructure on hardened platforms.

Hosted on Vercel and Supabase. Postgres row-level security gates every table. Storage buckets are private-by-default; only the case owner and Owly can read a given bill.

RLS · Private buckets
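As an added illustration (not Owly's own schema or policies), this is what case-owner scoping looks like when Postgres row-level security and a private Supabase Storage bucket are configured together; the table and column names, the `bills` bucket and the `<case_id>/<file>` object layout are assumptions.

```sql
-- Added example in the Supabase style, not Owly's schema. Assumed names:
-- tables cases/bills, columns owner_id/case_id, bucket 'bills',
-- object keys laid out as <case_id>/<file>.
create table if not exists cases (
  id        uuid primary key default gen_random_uuid(),
  owner_id  uuid not null references auth.users (id)
);

create table if not exists bills (
  id                  uuid primary key default gen_random_uuid(),
  case_id             uuid not null references cases (id) on delete cascade,
  account_number_hash text not null,   -- hashed identifier, never the raw number
  storage_path        text not null    -- object key inside the private bucket
);

-- RLS is opt-in per table; without these lines the policies below gate nothing.
alter table cases enable row level security;
alter table bills enable row level security;
-- FORCE applies the policies to the table owner as well, so a connection as the
-- schema owner does not silently bypass them (the service role still does).
alter table cases force row level security;
alter table bills force row level security;

-- A case is visible and writable only to its owner.
create policy cases_owner_all on cases
  for all
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- A bill is reachable only through a case the caller owns. USING gates reads,
-- updates and deletes; WITH CHECK stops a row being written into someone else's case.
create policy bills_owner_all on bills
  for all
  using (exists (select 1 from cases c where c.id = bills.case_id and c.owner_id = auth.uid()))
  with check (exists (select 1 from cases c where c.id = bills.case_id and c.owner_id = auth.uid()));

-- Private bucket: Supabase Storage checks policies on storage.objects, so object
-- reads are tied back to case ownership via the first path segment of the key.
create policy bill_files_owner_read on storage.objects
  for select
  using (
    bucket_id = 'bills'
    and exists (
      select 1 from cases c
      where c.id::text = split_part(name, '/', 1)
        and c.owner_id = auth.uid()
    )
  );
```

The service role bypasses RLS entirely, so any staff path that reads a bill on a customer's behalf needs its own authorization check and audit log rather than relying on these policies.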

Data minimization.

We collect what the case needs. Bills can be deleted from the dashboard at any time. Account deletion is one-click and removes downstream data within 30 days.

Minimum collection

SOC 2 — in progress.

A SOC 2 Type II program is in flight; readiness assessment is complete and observation is starting this quarter. We’ll publish the report when it’s issued.

SOC 2 Type II

Responsible disclosure.

Found something concerning? Email security@overpayowl.com. We respond within two business days and won’t pursue good-faith research.

security@…

Our audit trail

Accountability you can verify.

Each milestone below is a public commitment. We update this trail when something ships, not when it's planned.

  1. Q1 2025
    Verified

    Initial security review

    Internal review against OWASP ASVS Level 1. Documented data flows, threat surfaces, and a remediation backlog.

  2. Q3 2025
    Verified

    First independent audit

    External penetration test focused on authentication, billing, and storage. Findings closed before publication.

  3. Q4 2025
    Verified

    GDPR compliance certification

    Data minimization, right-to-erasure, and DPA published. EU-region storage and export tooling shipped.

  4. Q1 2026
    In progress

    SOC 2 Type II — observation begins

    Readiness assessment complete. Observation window opened this quarter with a third-party CPA firm.

What we protect

Five surfaces, one shield.

Everything an Owly investigation touches is encrypted, scoped to the case owner, and removable on request.

Your bills
Your personal info
Your refund history
Your communications
Your access keys

Privacy details

For the data side of the contract, see Privacy.

The privacy policy covers what we collect, how we use it, and your rights. This page covers how we protect it.
