Trust & Safety

Security at Ollegacy

We treat security as a core product requirement — not an afterthought. Here is how we protect your community's data.

Last updated: July 11, 2026

🔐

Encrypted in transit

All data between your browser and our servers is encrypted via TLS 1.2+. We enforce HTTPS everywhere.

🗄️

Encrypted at rest

Database storage is encrypted at rest on Railway. Media files are stored on Backblaze B2 with server-side encryption.

🛡️

Password security

Passwords are hashed with bcrypt (minimum 10 rounds). We never store plain-text passwords.

🔑

Token rotation

Refresh tokens are rotated on each use. A detected replay attack immediately invalidates the session family.

⏱️

Rate limiting

All authentication endpoints are rate-limited: 10 login attempts/minute, 5 registration attempts/10 minutes.

🍪

Secure cookies

Session cookies are HttpOnly, Secure, and SameSite=Lax. Access tokens are short-lived (15 minutes).

🏗️

Tenant isolation

Every database query is scoped by tenant ID. Community data is never accessible across organisation boundaries.

💳

Payment security

We never store card numbers. All payment processing is handled by Stripe (PCI DSS Level 1 certified).

Infrastructure

API: Hosted on Railway with automatic TLS. Database is PostgreSQL with encrypted storage.

Frontend: Hosted on Vercel with global CDN. All static assets are served over HTTPS.

Media storage: User-uploaded images (profile photos, cover images) are stored in Backblaze B2 with access controls. Only pre-signed URLs are issued for access.

Backups: Database backups are performed automatically on a daily schedule. Backups are retained for 7 days.

Access Controls

Access to production systems is restricted to authorised engineers only via SSH key authentication. No shared credentials are used. All deployments are performed through CI/CD pipelines with audit logs.

Platform staff access to the admin console (/platform) requires separate credentials distinct from tenant admin accounts, and is protected by rate-limited authentication.

Authentication Architecture

Ollegacy uses a short-lived access token (JWT, 15-minute expiry) and long-lived refresh token architecture. Refresh tokens are stored as HttpOnly cookies and rotated on every use. Stolen refresh token replay is detected via family invalidation.

Three separate token namespaces exist: platform users, community admins, and community members — each with independent refresh token stores and cookie names.

Stripe & Payment Security

Ollegacy is not a payment processor. All payment card data is collected, processed, and stored by Stripe, which is certified as a PCI DSS Level 1 Service Provider. We verify Stripe webhook events using HMAC-SHA256 signature validation on every webhook received.

Stripe Connect is used to facilitate community fundraising. Each tenant must complete Stripe's identity verification (Know Your Customer) before accepting real donations.

Vulnerability Disclosure

We take security disclosures seriously. If you have discovered a potential security vulnerability in the Ollegacy platform, please contact us at:

Security Disclosure

Email: security@ollegacy.com

Please include a description of the vulnerability, steps to reproduce, and potential impact. We aim to acknowledge all valid disclosures within 48 hours and to resolve critical issues within 7 days.

We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate it.

What We Do Not Do

  • We do not sell user data to third parties
  • We do not store plain-text passwords or payment card numbers
  • We do not use community member data for advertising
  • We do not grant unauthorised access to community data to third parties without explicit consent

Reporting a Security Issue

To report a security concern, email security@ollegacy.com. For non-security support issues, contact support@ollegacy.com.