Security & Data Protection

Your Data Security Is Our Foundation

Overscope is built for professional services teams who handle sensitive contracts and commercial data. Security isn't an afterthought — it's embedded in every layer of our architecture.

Security Architecture

Built from the ground up with enterprise-grade security controls.

Encrypted Everywhere

All data is encrypted in transit with TLS. OAuth tokens are encrypted at rest with AES-256-GCM. Database connections enforce SSL in production. No exceptions.

Strict Tenant Isolation

Every database query is scoped to your organisation. Your data is never mixed with, visible to, or accessible by other tenants. Verified by automated tests.

Role-Based Access Control

Three-tier RBAC (Admin, Member, Viewer) enforced at the API layer. Sensitive actions like project deletion and account management require Admin privileges.

Audit Logging

Data access and mutations are recorded in an audit log with user ID, IP address, timestamp, and action. Audit logs are retained for 2 years and anonymised on account deletion per GDPR.

GDPR Compliance

Infrastructure hosted on Railway and Neon, with all transfers to the US covered by International Data Transfer Agreements (IDTAs). Fully UK GDPR compliant by design.

Defence in Depth

Multi-layer rate limiting (global and per-endpoint), Content Security Policy, HSTS preload, and strict security headers on every response.

How We Handle Your Data

Transparency about what happens to your documents and project data.

Document Processing

  • Documents uploaded via presigned URLs to S3-compatible storage — they never pass through our application servers
  • File types restricted to PDF, DOCX, DOC, and TXT only
  • Documents are only accessible via authenticated, time-limited presigned URLs — no public bucket access
  • Documents namespaced per organisation — no cross-tenant access possible

AI & LLM Processing

  • We use OpenAI's API with zero data retention — your data is not used to train models
  • Only the minimum necessary text is sent for analysis (data minimisation)
  • AI outputs are always presented as suggestions — human review is required before any action
  • Emergency kill switch can halt all AI processing immediately if needed

Authentication

  • Authentication managed by Clerk, an enterprise-grade identity provider used by thousands of companies
  • Short-lived JWTs (1-hour expiry) with automatic refresh
  • Multi-factor authentication available for all users
  • SSO / SAML support planned for Enterprise plans (coming soon)

Database & Backups

  • PostgreSQL database with SSL-enforced connections in production
  • Integration OAuth tokens encrypted with AES-256-GCM before storage (random IV per encryption)
  • Payment data handled entirely by Stripe — we never see or store card numbers
  • No secrets in source code — all credentials loaded from environment variables

Security Practices

A detailed look at how we protect your data across the stack.

Network & Infrastructure

  • Multi-layer rate limiting: application-global (100 req/min) and per-endpoint limits
  • HTTPS enforced everywhere with HSTS preload (2-year max-age)
  • Content Security Policy, X-Frame-Options DENY, and Permissions-Policy headers
  • Database connections enforce SSL in production — plaintext connections rejected
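
The layered rate limiting and response headers listed above, as an added example in Node.js that is not Overscope's own code: a sliding-window limiter applied twice, once per client across all routes at the 100 requests per minute the page states and once per endpoint with assumed budgets for abuse-prone routes, plus a function returning the header set. The route names, per-endpoint limits and exact header values (Content-Security-Policy, Permissions-Policy) are illustrative. The detail worth copying is that every layer is checked before any layer is charged: otherwise a request refused by the endpoint limit would still burn global budget, and an attacker hammering one route could lock a client out of everything.

```javascript
// Added example, not Overscope's code: a two-layer sliding-window rate limiter
// (per-client global budget plus per-endpoint budgets) and the response headers
// the page lists. Header values are illustrative, not the service's actual policy.

class SlidingWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> array of request timestamps (ms) inside the window
  }
  _inWindow(key, now) {
    const fresh = (this.hits.get(key) || []).filter((t) => now - t < this.windowMs);
    this.hits.set(key, fresh);
    return fresh;
  }
  allows(key, now) { return this._inWindow(key, now).length < this.limit; }
  record(key, now) { this._inWindow(key, now).push(now); }
  // Milliseconds until the oldest in-window hit expires and a slot frees up.
  retryAfterMs(key, now) {
    const fresh = this._inWindow(key, now);
    return fresh.length ? fresh[0] + this.windowMs - now : 0;
  }
}

// Layer 1: 100 requests per minute per client across all endpoints.
const GLOBAL = new SlidingWindowLimiter(100, 60_000);
// Layer 2: tighter budgets on abuse-prone routes (assumed values).
const PER_ENDPOINT = {
  "POST /api/auth/login": new SlidingWindowLimiter(10, 60_000),
  "POST /api/documents/presign": new SlidingWindowLimiter(20, 60_000),
};

// Decide for one request. Every layer is checked before any layer is charged,
// so a request refused by the endpoint limit does not also consume global budget.
function rateLimit(clientId, route, now = Date.now()) {
  const layers = [[GLOBAL, clientId, "global"]];
  if (PER_ENDPOINT[route]) layers.push([PER_ENDPOINT[route], `${clientId}|${route}`, "endpoint"]);
  for (const [limiter, key, layer] of layers) {
    if (!limiter.allows(key, now)) {
      return { allowed: false, layer, retryAfterMs: limiter.retryAfterMs(key, now) };
    }
  }
  for (const [limiter, key] of layers) limiter.record(key, now);
  return { allowed: true };
}

// Headers attached to every response. HSTS preload submission requires
// max-age >= 31536000 (one year), includeSubDomains and preload; two years is used here.
function securityHeaders() {
  return {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy":
      "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  };
}
```

In a multi-instance deployment the Map would live in a shared store such as Redis so that all replicas count the same client; the check-then-charge ordering still applies and must then be done atomically. When the limiter refuses a request, return 429 with a Retry-After header derived from retryAfterMs rather than a bare error.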

Application Security

  • Runtime input validation on every API endpoint (Zod schema validation)
  • Parameterised database queries via the ORM — no raw SQL, so user input is never interpolated into query text
  • Structured error responses — no stack traces or internal details in production
  • Request ID propagation for full traceability across services
  • Webhook signature verification (HMAC/Svix) on all inbound webhooks

Development Practices

  • Automated security scanning in CI/CD (npm audit, pip-audit)
  • Multi-tenancy isolation verified by dedicated test suite
  • No secrets in source code — all credentials via environment variables
  • Production-specific configurations with no development backdoors
  • Dedicated security test suite covering auth, headers, rate limits, and input sanitisation

Incident Response

  • Documented incident response plan with severity classification
  • Error monitoring and alerting via Sentry (enabled when a Sentry DSN is configured)
  • Structured audit logging for forensic investigation capability
  • Database backup and recovery procedures
  • Breach notification process compliant with UK GDPR (72-hour ICO notification)

Integration Permissions

We follow the principle of least privilege. Every integration requests only the minimum permissions required — and we're transparent about exactly what access we have.

Jira

Overscope connects to Jira in read-only mode. We read your issues, statuses, and project metadata to detect scope drift. We never create, modify, or delete issues in your Jira instance.

  • Read issues & work items
  • Read user profiles
  • Create or modify issues (not requested)
  • Delete anything (not requested)

Asana

Overscope reads your tasks, projects, and workspace structure. We register webhooks to receive real-time updates, but never create, edit, or delete tasks.

  • Read projects & tasks
  • Read users & workspaces
  • Register webhooks for updates
  • Create or modify tasks (not requested)

Monday.com

Overscope reads your boards and items. We register webhooks for real-time sync but never modify your board data.

  • Read boards & items
  • Read users & workspaces
  • Register webhooks for updates
  • Create or modify items (not requested)

Slack (Coming Soon)

Slack integration is on our roadmap. When available, Overscope will send scope-creep alerts to channels you choose — we will never read your message history.

  • Send alert messages to channels
  • List channels (for selection)
  • Read message history (not requested)
  • Manage channels or users (not requested)

Compliance & Privacy

We take our legal obligations as seriously as our technical security.

UK GDPR Compliant

Full compliance with the UK General Data Protection Regulation and Data Protection Act 2018. Lawful basis documented for all processing activities.

Read Privacy Policy

Data Processing Agreement

A comprehensive DPA covering sub-processors, international transfer safeguards, security measures, and breach notification procedures. Available to all customers.

Read DPA

Data Portability & Deletion

Export all your data at any time in standard JSON format. Full account deletion with transactional data removal and audit log anonymisation within 30 days.


Sub-Processor Transparency

We maintain a clear list of sub-processors (Clerk, Stripe, OpenAI, cloud infrastructure providers) with their purposes, data processed, and DPA status.

View Sub-Processors

Questions About Security?

We're happy to answer security questionnaires, discuss our architecture, or provide additional documentation for your procurement process.
