
Security at Overpay Owl

Bills are sensitive. Here's how we treat them like it.

Last updated · April 14, 2026

  • SOC 2 Type II: audit in progress (target: Q3 2026).
  • AES-256 at rest: all bills and database backups encrypted.
  • TLS 1.3 in transit: forced HTTPS site-wide; HSTS preload.
  • GDPR + CCPA: full data export and erasure on request.

Infrastructure

  • Hosted on Vercel (US-East) with primary database on Supabase (US-West Postgres).
  • Static + edge functions on Vercel's global edge network.
  • File uploads sit in private S3 buckets with bucket policies that deny public access.
  • Daily encrypted backups, 30-day retention, monthly restore drill.

Authentication

  • Passwords hashed with bcrypt (cost 12). We never see your plain-text password.
  • 2FA via TOTP (Google Authenticator, 1Password, etc.). Backup codes provided at enrollment.
  • Sessions are HTTP-only, signed cookies. They never touch JavaScript.
  • Brute-force protection: 5 attempts / 15 min / IP, then a lockout.
  • Cloudflare Turnstile on signup blocks automated account creation.

Authorization

  • Every database table uses Postgres row-level security keyed to auth.uid().
  • Admin endpoints require both an admin account_type and a separate hashed admin code.
  • Business viewers see only the company they were invited to. They can't escalate.
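One way the Authorization bullets above map onto Postgres row-level security, as an added example rather than Overpay Owl's own schema; the table and column names (company_members, bills, member_role) are assumptions:

```sql
-- Assumed schema, not Overpay Owl's own; table and column names are illustrative.
create table company_members (
  company_id  uuid not null,
  user_id     uuid not null,
  member_role text not null check (member_role in ('owner', 'viewer')),
  primary key (company_id, user_id)
);
create table bills (
  id         uuid primary key default gen_random_uuid(),
  company_id uuid not null,
  owner_id   uuid not null default auth.uid(),
  file_path  text not null
);

-- With RLS enabled and no policy, every row is denied by default.
alter table company_members enable row level security;
alter table bills           enable row level security;
-- Apply RLS to the table owner too; only superusers and BYPASSRLS roles skip it.
alter table bills           force row level security;

-- A member may read their own membership rows. Because this table has no
-- insert/update/delete policy for authenticated users, a viewer cannot
-- write a row that would grant themselves access to another company.
create policy members_self_read on company_members
  for select to authenticated
  using (user_id = auth.uid());

-- Owners have full access to bills they uploaded, and may only insert bills
-- into a company where they hold the owner role.
create policy bills_owner_rw on bills
  for all to authenticated
  using (owner_id = auth.uid())
  with check (
    owner_id = auth.uid()
    and exists (select 1 from company_members m
                where m.company_id = bills.company_id
                  and m.user_id = auth.uid()
                  and m.member_role = 'owner')
  );

-- Invited viewers get read-only access to bills of companies they belong to.
-- The subquery runs under RLS as well, which is why members_self_read must
-- exist: without it the membership lookup would see no rows and deny everyone.
create policy bills_viewer_read on bills
  for select to authenticated
  using (exists (select 1 from company_members m
                 where m.company_id = bills.company_id
                   and m.user_id = auth.uid()));
```

Note that a policy subquery against another RLS-protected table is evaluated as the calling user, so a missing or overly narrow policy on company_members silently turns into a denial on bills rather than an error.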

AI & your data

We use Anthropic Claude to extract fields from your uploaded bills and to draft dispute letters. Anthropic does not retain inputs sent through their API for training. We never opt your data into third-party model training without explicit per-user consent.

Vulnerability disclosure

Found something? Email security@overpayowl.com with your PoC. We respond within 48 hours and credit reporters in our changelog. Please don't test on accounts that aren't yours.

Sub-processors

Vercel (hosting), Supabase (database + auth), AWS S3 (file storage), Anthropic (AI), Resend (transactional email), Cloudflare (CAPTCHA). DPAs available on request.