Security

How BotOrient protects your data and your robots

BotOrient handles business-critical robot configuration data. This page documents exactly how we store it, secure it, and who has access to it.

Data location: US-only
Encryption at rest: AES-256
Encryption in transit: TLS 1.3
Auth: JWT + RLS
Audit log: 12 months

Infrastructure

Cloud provider: Vercel (compute) + Supabase on AWS (data)
Data region: United States — AWS us-east-1 (N. Virginia)
CDN / Edge: Vercel Edge Network — 100+ global PoPs, US-first routing
Uptime target: 99.9% monthly — Vercel and Supabase SLA-backed
Database: PostgreSQL via Supabase — dedicated instance, no shared tenancy
File storage: Supabase Storage — S3-compatible, US-only bucket

Encryption

Data at rest: AES-256 encryption — enforced at the database and storage layer
Data in transit: TLS 1.2 minimum — TLS 1.3 preferred — enforced on all endpoints
API key storage: Robot API keys stored as plaintext UUIDs — never in browser cookies
Credentials: Manufacturer API keys stored encrypted in Supabase — never logged
Passwords: Managed by Supabase Auth — bcrypt hashed, never accessible to BotOrient

Access Control

Authentication: Supabase Auth — email/password with JWT session tokens
Row-level security: All database tables enforce RLS — users can only access their own data
Robot API keys: Each business and each fleet robot gets a unique, isolated API key
Admin access: Admin endpoints require authenticated email match — no public admin surface
Cross-tenant isolation: No query can return data from another organization — enforced at DB level
Service role key: Supabase service role key is server-side only — never exposed to clients
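
As an added illustration (not BotOrient's own schema or policies), this is what database-enforced tenant isolation with Supabase RLS typically looks like. The table names, column names and policy names are hypothetical; auth.uid() is Supabase's helper that returns the user id from the request JWT, and "authenticated" is the Postgres role Supabase assigns to signed-in users.

```sql
-- Hypothetical schema for illustration only.
create table organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table memberships (
  org_id  uuid not null references organizations (id) on delete cascade,
  user_id uuid not null,               -- matches the Supabase Auth user id
  primary key (org_id, user_id)
);

create table robots (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null references organizations (id) on delete cascade,
  label  text not null
);

-- Once RLS is enabled, a table with no matching policy returns zero rows.
alter table organizations enable row level security;
alter table memberships   enable row level security;
alter table robots        enable row level security;

-- A user can read only their own membership rows. The robots policy below
-- depends on this, because its subquery is itself filtered by RLS.
create policy memberships_self on memberships
  for select to authenticated
  using (user_id = auth.uid());

-- Reads and writes on robots are limited to organizations the caller belongs to.
-- USING filters existing rows; WITH CHECK rejects inserts or updates that would
-- place a row into another organization.
create policy robots_same_org on robots
  for all to authenticated
  using (exists (
    select 1 from memberships m
    where m.org_id = robots.org_id and m.user_id = auth.uid()))
  with check (exists (
    select 1 from memberships m
    where m.org_id = robots.org_id and m.user_id = auth.uid()));
```

Requests made with the Supabase service role key bypass RLS entirely, which is why keeping that key server-side only is part of the same control.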

Audit & Logging

Emergency stop log: Every kill switch activation and resumption is time-stamped and stored
Rule changes: Rule creation, updates, and deletions tied to authenticated user and timestamp
API access: Robot config endpoint requests logged with IP, timestamp, and API key prefix
Webhook events: All webhook pushes logged with payload hash and delivery status
Retention: Audit logs retained for 12 months minimum

Data Handling

Data ownership: All customer data belongs to the customer — BotOrient does not sell or share it
AI processing: Orientation package content sent to Anthropic Claude API for generation — no training on customer data per Anthropic's policy
Floor plans: Uploaded floor plans stored in US-only Supabase Storage, accessible only by the uploading account
Email: Transactional emails via Resend — no marketing profiling
Subprocessors: Vercel, Supabase (AWS), Anthropic, Resend, Stripe — all US-based primary operations
Deletion: Account and associated data can be deleted on request — email hello@botorient.com

Compliance Roadmap

Current posture: Audit-ready for state and local government procurement
SOC 2 Type II: In planning — target initiation Q4 2026
GDPR: Compliant — data processing agreement available on request
CCPA: Compliant — privacy policy reflects California resident rights
FedRAMP: Not yet certified — federal agency deployments should contact sales
HIPAA: BAA available for healthcare facility contracts — contact sales@botorient.com

Responsible Disclosure

If you discover a security vulnerability in BotOrient, please report it privately to security@botorient.com. We commit to acknowledging your report within 48 hours and resolving critical issues within 14 days. We do not pursue legal action against researchers acting in good faith.

Need security documentation for procurement?

We provide W-9, insurance certificates, vendor questionnaires, and DPA on request.
