Security
How oddly protects your data, your account, and the integrations you connect.
HTTPS & data transit
All connections to oddly are encrypted in transit using TLS 1.2 or higher. HSTS is enabled on every public surface, and we do not accept plaintext connections. Certificates are managed automatically and rotated on a regular cadence.
Access control
Administrative access to production is limited to authorised personnel on a least-privilege basis. Internal accounts require two-factor authentication. Credentials and signing keys are held in a managed key-management system, never in source code, never in logs, and never returned to a user-facing surface.
Change management
Changes to production go through code review before merge. Automated testing runs on every change. Dependencies are scanned for known vulnerabilities, and updates ship through the same review pipeline as feature work. Rollback is a single, audited action.
Logging & monitoring
State-changing operations are written to an append-only audit log with timestamps and the responsible actor. Logs are scrubbed of credentials and tokens before being persisted. Health checks watch the public API surface and alert on-call when error rates or latencies exceed agreed thresholds.
Incident management
If a security incident affects your data, we will notify you within 72 hours of confirming the impact, in line with PDPA and GDPR breach-notification timelines, and provide the information you need to meet your own obligations. Service status is reported on our status page.
Customer data
Customer data is encrypted at rest. Backups inherit the same encryption posture. The personal data we hold for an account is limited to:
- Account email, name, and the company name you signed up with
- Brand and store identifiers from sources you connect
- Billing identifier (held by our payments processor; we never see card numbers)
We will never sell your data, and we will never allow a third party to access it for purposes other than operating the service you are paying for.
Architecture
oddly runs on globally distributed edge infrastructure: isolated compute sandboxes, an encrypted database, a managed WAF, and least-privilege bindings between layers. The platform has no long-lived servers and no shell-accessible hosts.
Compliance
- PDPA (Singapore). Notification, consent, access, correction, and withdrawal-of-consent rights are honoured today.
- GDPR (EU/UK). Access, rectification, erasure, portability, objection, and restriction rights are honoured for data subjects in scope.
- Google API Services User Data Policy. Use of information received from Google APIs adheres to the policy, including the Limited Use requirements.
- SOC 2. The control set we operate against is patterned on SOC 2 Trust Services Criteria. Formal attestation is planned.
- ISO 27001. Roadmap item.
Responsible disclosure
If you have found a security issue in oddly, please report it. We treat researchers as collaborators.
Where to send it
Email [email protected] with the subject line SECURITY: followed by a one-line summary.
What to include
- A description of the issue and its impact.
- Steps to reproduce, ideally with a proof-of-concept that does not affect other customers' data.
- Your contact details and whether you would like to be credited if the issue is confirmed.
What we commit to
- Acknowledge receipt within 3 business days.
- Triage and validate within 10 business days.
- Keep you updated on remediation progress.
- Credit you in the release notes when the fix ships, with your permission.
- Not pursue legal action against good-faith researchers who follow this policy and avoid harm to other customers.
Out of scope
- Denial of service. Please do not run load tests against the production environment.
- Social engineering of oddly staff or customers.
- Findings that depend on physical access to a user's device.
- Reports generated by automated scanners with no demonstrated impact.
Contact
Security: [email protected]
Privacy and data requests: [email protected]
General: [email protected]