Security & Privacy

How ohwow protects your data: from authentication to agent communication to data storage.

Authentication

ohwow uses Supabase Auth for all authentication. Two methods are supported:

  • Google OAuth: Sign in with your Google account. No password stored.
  • Magic Link: Enter your email and receive a one-time login link. No password needed.

Session tokens are stored as HTTP-only cookies with short expiration times. All auth flows use HTTPS and PKCE for OAuth exchanges.

Data Storage

All platform data is stored in Supabase (PostgreSQL) with the following protections:

  • Encryption at rest: All database data is encrypted using AES-256
  • Encryption in transit: All connections use TLS 1.2+
  • Row-level security: Supabase RLS policies ensure users can only access their own workspace data
  • Automatic backups: Daily database backups with point-in-time recovery

Data Privacy

Your data belongs to you. ohwow's privacy commitments:

  • No training on your data: Your tasks, outputs, and business data are never used to train AI models
  • Data export: You can export all your workspace data at any time from Settings
  • Account deletion: Deleting your account permanently removes all associated data
  • Configurable retention: Set how long completed task data is stored before automatic cleanup

Integration Security

When you connect third-party services (Gmail, Slack, Notion, etc.):

  • OAuth tokens are encrypted and stored in Supabase, never exposed to client-side code
  • Each integration requests only the minimum scopes needed
  • You can revoke access at any time from the Integrations page
  • Agent access to integrations is opt-in per agent; not all agents can use all tools

A2A Trust Levels

Every A2A API key and connection is assigned a trust level that controls what actions are allowed. Higher levels include all permissions from lower levels.

| Level | What It Allows | Best For |
| --- | --- | --- |
| read_only | List agents, read task status, read results | Dashboards, monitoring, analytics |
| execute | Everything above + create new tasks | Partner integrations, limited automation |
| autonomous | Everything above + cancel tasks, access file artifacts | Full automation, CI/CD pipelines |
| admin | All scopes including streaming | Internal tools only (not for external use) |

Warning

Only use the admin trust level for internal, trusted tools. Never assign admin to external connections.

PII Redaction

Before any response leaves ohwow via the A2A protocol, the sanitizer automatically strips internal metadata that should never be exposed to external agents:

  • workspace_id
  • user_id
  • internal_task_id
  • system_prompt
  • cost_breakdown
  • model_config
  • browser_session_id
  • memory_document
  • api_key_id

This happens at the protocol layer, so agents and task handlers don't need to worry about accidentally leaking internal data.

Summaries-Only Mode

For outbound A2A connections, ohwow stores only a summary of each result by default, not the raw data. Summaries are capped at 500 characters.

This means even if the external agent returns large payloads, only a concise human-readable summary is persisted in your workspace. You can enable full result storage per connection by setting store_results: true.

Data Sovereignty

You have full control over what data leaves your workspace via A2A:

  • Outbound connections: Each connection has configurable allowed_data_types that restrict what categories of data can be sent.
  • Result retention: Set result_retention_hours per connection. After this window, stored results are deleted.
  • Agent-level permissions: Control which of your agents an external key or connection can access.

Rate Limiting

Every A2A API key has two rate limits enforced via a sliding window:

  • Per-minute limit: Prevents burst abuse. Default: 60 requests/minute.
  • Per-hour limit: Prevents sustained abuse. Default: 1,000 requests/hour.

When rate limited, the API returns error code -32004 (RATE_LIMITED). Callers should implement exponential backoff.
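
One way a caller can implement the backoff recommended above, shown as an added example and not ohwow's own client code. The `send` transport callable and the JSON-RPC style `{"error": {"code": ...}}` response shape are assumptions; only the -32004 code comes from this page.

```python
import random
import time

RATE_LIMITED = -32004  # error code documented on this page


class RateLimitExhausted(Exception):
    """Raised when every retry was still answered with RATE_LIMITED."""


def is_rate_limited(response):
    # Assumed response shape: {"error": {"code": -32004, ...}}
    error = response.get("error") or {}
    return error.get("code") == RATE_LIMITED


def backoff_delays(max_retries=5, base=1.0, cap=60.0, rng=random.random):
    """Yield full-jitter delays: rng() * min(cap, base * 2**attempt)."""
    for attempt in range(max_retries):
        yield rng() * min(cap, base * (2 ** attempt))


def call_with_backoff(send, request, max_retries=5, base=1.0, cap=60.0,
                      sleep=time.sleep, rng=random.random):
    """Call send(request) and retry only while the reply is RATE_LIMITED.

    `send` is a hypothetical transport callable returning the decoded
    response as a dict. Any other error is returned unchanged, so a
    revoked key or a missing scope is never retried in a loop.
    """
    response = send(request)
    for delay in backoff_delays(max_retries, base, cap, rng):
        if not is_rate_limited(response):
            return response
        sleep(delay)
        response = send(request)
    if is_rate_limited(response):
        raise RateLimitExhausted(f"still rate limited after {max_retries} retries")
    return response


if __name__ == "__main__":
    # Constructed replies: two RATE_LIMITED errors, then a result.
    replies = iter([{"error": {"code": RATE_LIMITED}}] * 2 + [{"result": "ok"}])
    print(call_with_backoff(lambda _req: next(replies), {"id": 1}, base=0.1))
```

The jitter spreads retries from several workers sharing one key, so they do not all return to the sliding window at the same instant.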

Key Rotation

To rotate an API key:

  1. Create a new key with the same scopes in Dashboard Settings.
  2. Update your external systems to use the new key.
  3. Revoke the old key. Revoked keys are immediately rejected with no grace period.

Tip

Keys also support expiration dates. Set expires_at when creating a key for automatic rotation.