Built for trust. Verified by code.
Every layer of OFM Finance Hub — from browser to database — is designed so that only the right people can read the right data.
Encryption
Derive
Your password is processed through Argon2id key derivation entirely in the browser, so a raw encryption key is never transmitted.
Encrypt
Each sensitive field is encrypted with AES-256-GCM on your device before the data leaves it.
Store
Only the resulting ciphertext reaches our servers — plaintext values are never written to the database.
PBKDF2-HMAC-SHA-256 (600,000 iterations) is used as a fallback on iOS WebKit and restricted Android devices.
Role-Based Access Control
Access is enforced server-side through five distinct roles. Permissions are checked at the API and database layers — not just the UI — so no role can escalate its own privileges through direct API calls.
Full access to all agency data, settings, team management, billing, and audit logs. Can invite or remove team members and adjust role assignments.
Read and write access to financial records, invoices, payout batches, journal entries, and reports. Cannot manage team members or modify security settings.
Can import transactions, categorise expenses, and manage day-to-day ledger entries. Does not have access to payout processing or HR records.
Manages employee and model roster data, contracts, compensation structures, and payout records. Cannot access raw financial ledger or system settings.
Read-only self-service portal — models can view their own earnings, invoices, payout history, and profile. Isolated from all other agency data by Row-Level Security.
Auditability & Two-Factor Authentication
Audit Logs
Every significant action — creates, updates, deletes — is recorded with a timestamp, actor identity, IP address, and before/after values. Logs are retained for 1 year; a scheduled job purges entries older than 365 days. Admins can mark individual entries as reviewed but cannot delete individual records outside of team deletion.
Two-Factor Authentication
TOTP-based 2FA (compatible with Authy, Google Authenticator, and any RFC 6238 app) is available for all accounts. Setup generates a set of single-use backup codes stored in encrypted form. 2FA is strongly recommended for all admin and accountant roles.
Compliance & Data Rights
GDPR Data Subject Request Portal
We maintain a structured workflow covering GDPR Articles 12 and 15–21: the right of access, rectification, erasure, restriction, portability, and objection. All data subject requests receive a response within 30 days of receipt. Submit requests to hello@ofmfinances.com.
EU Data Residency
Your application data is stored on Supabase servers in Dublin, Ireland (EU West region), within the European Economic Area. See our privacy policy for the full sub-processor list.
Data Retention
Audit logs are retained for 1 year; a cron job permanently deletes entries after 365 days. When an agency team is deleted, a 30-day soft-deletion window applies, after which all team data is permanently and irreversibly removed.
Infrastructure Security
Strict Content Security Policy
Script execution is restricted to first-party origins plus Stripe. Inline scripts are blocked. This limits the blast radius of any potential XSS to near-zero.
Stripe-secured payment processing
Payment card data is entered directly into Stripe's hosted fields and never touches our servers. Our backend receives only Stripe tokens and subscription status.
Dependency hygiene
Dependencies are reviewed and updated regularly. npm audit is run as part of the build pipeline to flag known vulnerabilities before deployment.
Ready to run a secure agency?
Start with a plan that includes every security feature described on this page — no add-ons required.