Last updated: July 8, 2026
Security
How Optonum protects accounts, factory data, and AI automation — subprocessors, encryption, and human approval gates.
Our approach
Optonum is designed for manufacturing data that may include production volumes, costs, supplier information, and workforce records. Security is implemented in layers: identity, authorization, encryption, tenant isolation, auditability, and human-in-the-loop controls for autonomous AI.
We are pre-SOC 2. Enterprise customers may request a security questionnaire and our subprocessors list.
Authentication & access control
Access controls include:
- Supabase Auth for sign-up, login, session management, and OAuth providers (Google) as configured.
- Organization- and project-scoped roles with server-side authorization on API routes and dashboard layouts.
- Protected routes enforced in middleware; unauthenticated users are redirected to login.
- Secrets (database URLs, LLM API keys, Stripe keys) stored in server environment variables — never exposed to client bundles.
- Autonomous AI agents cannot mutate production data without an explicit human approval step (Change Request workflow).
Data protection
Technical measures:
- HTTPS/TLS for all browser, API, and webhook traffic.
- PostgreSQL hosted on Supabase with provider-level encryption at rest.
- Multi-tenant data isolation at the application layer — queries scoped by organization and project membership.
- Discrete-event simulation runs in-browser (Rust WASM) for many workloads, reducing raw factory topology sent to compute servers.
- Immutable audit log entries for compliance-sensitive mutations (21 CFR Part 11 workflows on Enterprise).
AI & automation security
LLM providers (Google Gemini, optional OpenAI) receive only the context required for a specific assistant message or agent run — summarized factory metrics, not full database exports.
Agent outputs are stored as Change Requests with audit metadata (AgentRun records, timestamps, input snapshots) before any apply action.
Free-tier AI assistant usage is rate-limited per organization to prevent abuse and control inference cost.
Autonomous agent cron jobs and manual runs are restricted to Pro and Enterprise plans.
Configure zero-data-retention or enterprise API terms with your LLM provider for production deployments handling sensitive IP.
Subprocessors
We rely on audited infrastructure and SaaS providers. Current subprocessors:
| Provider | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Authentication, PostgreSQL database, file storage | United States / EU (region-dependent) |
| Vercel, Inc. | Application hosting, serverless API routes, cron jobs | Global edge network |
| Google LLC (Google Cloud / Gemini API) | LLM inference for autonomous agents and optional AI features | Global (Google Cloud regions) |
| OpenAI, LLC | AI assistant chat (when OPENAI_API_KEY is configured) | United States |
| Stripe, Inc. | Subscription billing and payment processing | United States / EU |
| Resend, Inc. | Transactional email (agent briefings, invites) | United States |
Operational security
Practices we follow:
- Dependency updates and vulnerability monitoring via npm audit in CI.
- Production deployments on Vercel with environment-scoped secrets.
- Database migrations via Prisma; production schema changes are reviewed before apply.
- Cron endpoints protected by CRON_SECRET bearer token.
Incident response & reporting
Report security vulnerabilities or suspected incidents to hello@optonum.com with subject line "Security Report". We acknowledge validated reports within 3 business days and investigate promptly.
For incidents affecting customer personal data, we will notify affected customers and regulators as required by applicable law (including KVKK and GDPR where relevant).
We do not support unsolicited penetration testing against production without prior written authorization.
Questions? hello@optonum.com · Back to Optonum