Built for executive data
The CEO's calendar, inbox, and decisions are some of the most sensitive data in the business. Here is exactly how ExecOS handles it — including what we don't yet claim.
Encryption at rest & in transit
All customer data is stored in managed Postgres provided by Supabase, which encrypts data at rest using AES-256 on the underlying volumes. Traffic between your browser, our edge runtime, and the database is encrypted with TLS 1.2 or higher.
Tenant isolation via RLS
Every workspace-scoped table has row-level security enabled. Policies derive the active workspace from the authenticated user and reject reads or writes that cross the boundary. There is no application-level path that bypasses RLS on user-facing requests.
Role-based access
Roles live in a dedicated user_roles table, not on the profile. A SECURITY DEFINER function (has_role) is used inside policies, which avoids both privilege escalation and the recursive-policy traps common to role-on-user designs.
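A sketch of the pattern described above, added here as an illustration and not taken from ExecOS's own schema: a separate user_roles table, a SECURITY DEFINER has_role function, and policies that call it instead of querying user_roles directly. It assumes a Supabase project (auth.users, auth.uid(), the anon and authenticated roles) and that the function owner also owns user_roles; the column names, enum values and the has_role signature are hypothetical.

```sql
-- Added example (assumes Supabase: auth.users, auth.uid(), anon/authenticated).
-- Columns, enum values and the has_role signature are assumptions.
create type public.app_role as enum ('owner', 'admin', 'member');

create table public.user_roles (
  user_id      uuid not null references auth.users (id) on delete cascade,
  workspace_id uuid not null,
  role         public.app_role not null,
  primary key (user_id, workspace_id, role)
);
alter table public.user_roles enable row level security;

-- SECURITY DEFINER runs the lookup as the function owner. Assuming the owner
-- also owns user_roles, the query is not filtered by that table's policies,
-- so a policy can call has_role without re-entering itself.
-- The empty search_path forces schema-qualified names, so a caller cannot
-- shadow user_roles with an object in a schema they control.
create function public.has_role(_user uuid, _workspace uuid, _role public.app_role)
returns boolean
language sql stable security definer
set search_path = ''
as $$
  select exists (
    select 1 from public.user_roles
    where user_id = _user and workspace_id = _workspace and role = _role
  );
$$;

-- Narrow EXECUTE to signed-in users only.
revoke execute on function public.has_role(uuid, uuid, public.app_role) from public, anon;
grant execute on function public.has_role(uuid, uuid, public.app_role) to authenticated;

-- A member can read their own role rows; this policy never touches user_roles.
create policy "read own roles" on public.user_roles
  for select to authenticated
  using (user_id = (select auth.uid()));

-- Only a workspace admin may insert, change or delete role rows. Written as a
-- subquery on user_roles, this check would recurse into the same policy;
-- has_role avoids that. Users get no write path to their own role, unlike a
-- role column on a profile row that the user is allowed to update.
create policy "admins manage roles" on public.user_roles
  for all to authenticated
  using (public.has_role((select auth.uid()), workspace_id, 'admin'))
  with check (public.has_role((select auth.uid()), workspace_id, 'admin'));
```

Because this has_role takes the user id as a parameter, any authenticated caller can ask whether another user holds a role; reading auth.uid() inside the function instead closes that.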
Server-only secrets
The service-role key, Stripe secret, and AI gateway credentials live only in server-side environment variables. They are never imported by client code and never serialized into a response.
Audit logging
Sensitive workspace actions — role changes, invites issued and revoked, member removals, account deletions, and full data exports — are written to an append-style audit_logs table that includes actor, action, entity, IP, and metadata.
Hardened edge runtime
The app runs on Cloudflare Workers behind a strict Content-Security-Policy that disallows inline scripts from untrusted origins, plus HSTS, Referrer-Policy, X-Content-Type-Options, X-Frame-Options, and a conservative Permissions-Policy.
Data export & deletion
Workspace owners can export every record they control as JSON, and delete their account (and the workspace when they are the last admin) from Settings → Account. Deletions cascade across all workspace-scoped tables.
What we don't claim
ExecOS is not yet SOC 2 or ISO 27001 certified, and we don't currently operate a public bug-bounty programme. We are happy to discuss our roadmap toward formal attestations; email security@execos.app.