owelet.
← Back
Trust

Security

You're connecting your revenue sources to Owelet. Here's exactly how we handle that — no vague reassurances.

We only read. Never write.

Every platform connection uses OAuth with read-only scopes. Owelet can fetch your transaction history — that's it. We cannot move money, issue refunds, change your pricing, or modify anything in your account. If a platform doesn't offer read-only scopes, we request the minimum required and document exactly what we ask for.

Your tokens are encrypted at rest

When you connect a platform, we receive an OAuth access token. Before it ever touches our database, it is encrypted using AES-256-GCM — the same standard used by banks and governments. Each token gets its own unique initialization vector (IV), meaning even if two tokens had the same value, their encrypted form would be completely different. We never store tokens in plaintext.

Your data is isolated from other users

Owelet uses Row Level Security (RLS) on every database table. This means even at the database layer, a query for your data cannot return another user's data — it's enforced by the database itself, not just application code. There is no way for a bug in our API to accidentally expose your transactions to someone else.

Webhooks are verified before processing

When platforms send us transaction events in real time, we verify every webhook signature before processing it. Stripe uses HMAC-SHA256 signing. Other platforms use their own signing schemes. Any webhook that fails signature verification is rejected immediately — we never process unverified payloads.

We never see your password

Owelet uses Supabase Auth for authentication. Passwords are hashed and salted using bcrypt before storage — we have no way to read them even if we wanted to. We never store or log credentials in plaintext anywhere in the system.

Infrastructure

Owelet runs on Vercel (edge network, automatic HTTPS, DDoS protection) with data stored in Supabase (PostgreSQL on AWS). All traffic is encrypted in transit via TLS. We do not operate our own servers.

Revoking access

You can disconnect any platform at any time from your Connections page. When you disconnect, the stored token is immediately wiped from our database — not just flagged as inactive, actually overwritten. You can also revoke access directly from the platform's own OAuth settings if you prefer.

If you delete your account, all your data — transactions, tokens, profile — is deleted within 30 days.

Contact

Security concern or question? Email hello@owelet.app. We respond to every message.