Security
Last updated July 13, 2026
Onyx Labs builds IT tooling that holds sensitive operational data — your people, your equipment, and credentials for the systems you connect. This page describes, plainly and without marketing language, the controls that are actually implemented in the product today.
Tenant isolation
Every customer workspace is logically isolated. Beyond scoping queries in application code, we enforce isolation at the database layer with PostgreSQL row-level security: application queries run as a restricted database role under a per-request organization context, so one workspace’s rows are not reachable from another’s session even in the event of an application-layer bug. Tenant isolation is covered by automated tests that run in our CI pipeline.
Encryption
- In transit — all traffic is served over HTTPS/TLS.
- At rest — our database provider encrypts data at rest.
- Third-party credentials — secrets you provide for integrations (MDM API tokens, client secrets, and similar) are encrypted at the application layer with AES-256-GCM before they are stored, using a key held outside the database.
- Passwords — stored only as bcrypt hashes. We never store passwords in plaintext and cannot recover them.
- API & SCIM tokens — stored as SHA-256 hashes. The full token value is shown once at creation and cannot be retrieved afterward.
Authentication & access control
- Multi-factor authentication — TOTP authenticator apps and WebAuthn security keys / passkeys are supported, and administrators can require MFA for everyone in the workspace.
- Single sign-on — per-organization OIDC SSO is available, so access follows your identity provider.
- Directory sync — native SCIM 2.0 provisioning and deprovisioning. When someone is deactivated in your directory, they are deactivated in Pulse, which also triggers equipment return workflows.
- Role-based access — roles ranging from a self-service employee portal (own profile only) through viewer, admin, and owner, with granular permissions.
- Brute-force protection — rate limiting on login, signup, password reset, email resend, support, API, and ingest endpoints.
Auditing & visibility
Actions in the product are written to a per-organization audit log that administrators can review in-app. Directory-sync activity is separately logged — each inbound SCIM request, its result, and any error — so you can verify exactly what your identity provider provisioned and when. MDM synchronization records a per-device changelog and can send change reports to email or a webhook.
Application security
- SSRF protection — every outbound URL you configure (webhooks, monitored endpoints) is validated and resolved before use; private, loopback, link-local, and cloud-metadata address ranges are rejected.
- Injection defenses — database access is fully parameterized through an ORM; CSV exports neutralize spreadsheet formula injection; email HTML is sanitized against a strict allowlist.
- Secure defaults — scheduled jobs authenticate with constant-time secret comparison and fail closed if unconfigured. API tokens are scoped and revocable.
- Testing & change management — changes ship through version control and a CI pipeline that runs type checking and an automated test suite, including security regression tests and tenant-isolation tests, before deployment.
- Internal security review — the codebase has undergone a structured internal security review covering authentication, tenant isolation, input handling, and secrets management, and identified findings have been remediated.
Infrastructure & subprocessors
We build on established providers rather than operating our own infrastructure. Each of the following is used for a specific purpose, and each maintains its own security program:
- Vercel — application hosting and edge network.
- Neon — managed PostgreSQL database, including encryption at rest and automated backups with point-in-time recovery.
- Stripe — payment processing. We do not store full card numbers.
- Resend — transactional email delivery.
- Upstash — rate limiting.
- Sentry — application error monitoring.
Data ownership & portability
Your data is yours. Every major record type can be exported to CSV at any time, and an authenticated API is available for programmatic access. Workspace owners can permanently delete operational data from within the product. On termination, we delete or return customer data in accordance with our Terms and Privacy Policy.
Compliance status
We want to be straightforward here rather than imply more than is true. Onyx Labs does not currently hold a SOC 2 report or ISO 27001 certification. The controls described on this page are implemented in the product today, and our infrastructure providers listed above maintain their own SOC 2 attestations. If your procurement process requires a formal attestation, a completed security questionnaire, or a specific contractual commitment such as a Data Processing Agreement, contact us and we will work through it with you directly.
Reporting a vulnerability
If you believe you have found a security vulnerability, please report it to security@onyx-labs.io. Include enough detail to reproduce the issue. We will acknowledge your report, investigate promptly, and keep you updated on remediation. We ask that you give us a reasonable opportunity to address the issue before public disclosure, and that testing avoids privacy violations, data destruction, and service degradation. We will not pursue legal action against researchers who report in good faith and follow these guidelines.