Your Data, Protected

Security and privacy are foundational to how we build. Here's how we protect your data at every level.

Data Handling Practices

Encryption in Transit

All data is transmitted over TLS 1.2+ encrypted connections. API calls, webhook payloads, and user sessions are all encrypted.

Encryption at Rest

Your data is encrypted at rest using AES-256. Integration credentials receive an additional layer of application-level encryption.

Row-Level Security

Every database table uses Supabase RLS policies ensuring users can only access their own workspace data. No cross-tenant access is possible.

Authentication

Secure authentication via magic links and Google OAuth through Supabase Auth. No passwords are stored. Sessions are managed with secure, HTTP-only tokens.

Privacy by Plan

Feature | Trial | Starter | Pro | Enterprise
Data used for AI training | Never | Never | Never | Never
Anonymized usage analytics | Opt-out available | Opt-out available | Opt-in only | Opt-in only
A2A protocol support
Local data storage (browser)
Self-hosted runtime
Data export
DPA available

A2A Protocol & Data Minimization

The Agent-to-Agent (A2A) protocol enables direct communication between AI agents. For users with A2A-compatible local agents, raw business data can remain on your own infrastructure — only orchestration metadata passes through our cloud.

This approach keeps sensitive data local while still leveraging our agent coordination capabilities. Available on all paid plans (Starter, Pro, and Enterprise).

Local Data Storage

Browser cache (Pro+)

On Pro and Enterprise plans, local data storage keeps a copy of your task results on your device using your browser's built-in IndexedDB. If your device is unavailable, you can always access your data from any browser by logging in. The local cache is an additional convenience layer; your data on our servers is always the source of truth.

Self-hosted runtime (Enterprise)

Enterprise customers can run the full OHWOW runtime on their own infrastructure. All agent inputs, outputs, and conversations stay on your servers in a local SQLite database. Only task titles and operational metrics sync to the cloud. This provides complete data sovereignty for regulated industries and security-sensitive environments.

Subprocessors

Anthropic (Claude)

AI model provider for task execution

SOC 2 certified

Operates under Commercial Terms. Your data is never used for AI model training.

United States

Supabase

Database, authentication, and file storage

SOC 2 Type II

Row-level security ensures strict data isolation

United States

Dodo Payments

Payment processing and subscription management

PCI DSS compliant

We never store your payment card details directly

European Union

Incident Response

In the event of a confirmed data breach, we will notify affected users within 72 hours, in compliance with GDPR requirements. Our notification will include the nature of the breach, data categories affected, and remedial actions taken.

To report a security concern, contact security@ohwow.fun.

Data Processing Agreement

A Data Processing Agreement (DPA) is available for Pro and Enterprise plan customers. The DPA covers data processing terms, GDPR compliance, subprocessor commitments, and references Anthropic's DPA for the AI processing chain.

To request a DPA, contact us at security@ohwow.fun.

Security Contact

If you discover a security vulnerability, please report it responsibly to security@ohwow.fun. We take all reports seriously and will respond within 48 hours.