# Security · Onto
> Onto's security posture, infrastructure controls, and responsible disclosure process.

**Source:** /legal/security
**Extracted:** 2026-05-20T20:59:17.565Z

---

## Security

Onto's security posture, infrastructure controls, and how to report vulnerabilities responsibly.

**Status:** Drafting · pre-launch
**Effective:** Upon public availability
**Document:** v0.1 · draft
**Contact:** [founder@buildonto.dev](mailto:founder@buildonto.dev)

### What this document will cover

1.  Infrastructure: edge runtime on Vercel, Cloudflare for caching, Supabase for primary storage; all three are SOC 2 Type II audited providers
2.  Authentication: per-project API keys, scoped permissions, key rotation, and revocation
3.  Encryption in transit (TLS 1.3) and at rest (AES-256) across every storage layer
4.  Secrets handling, employee access controls, and audit logging
5.  Responsible disclosure: where to report vulnerabilities and our response SLA
6.  Roadmap toward SOC 2 Type II attestation and ISO 27001 certification

Onto is operating in private preview. We're finalising this policy ahead of general availability. If you need a copy under NDA or have a specific compliance question, email [founder@buildonto.dev](mailto:founder@buildonto.dev) and we'll respond within one business day.
