Security & Compliance

Security at Obligo

Security built for compliance operations. Obligo is designed to protect sensitive regulatory data while providing structured operational control for businesses and professional compliance operators.

  • Encryption: AES-256 at rest, TLS 1.2+ in transit
  • Access Control: role-based, least privilege
  • Audit Trail: immutable event logging
  • Isolation: row-level tenant separation

Compliance Data as Operational Infrastructure

We treat compliance data not as stored information, but as critical operational infrastructure. Every layer of Obligo — from authentication to document storage — is engineered to ensure your regulatory data remains protected, auditable, and under your control at all times.

Encryption at Every Layer

All data is encrypted in transit using TLS 1.2+ and at rest using AES-256. Sensitive fields such as credentials and tokens receive additional application-level encryption before storage.

  • TLS 1.2+ for all connections
  • AES-256 encryption at rest
  • Application-level field encryption for secrets

Role-Based Access Control

Every user action is governed by a granular permission model. Workspace owners, admins, and members each operate within clearly defined boundaries — ensuring people only see and do what they are authorised to.

  • Granular role assignments per workspace
  • Least-privilege by default
  • Admin-controlled invitation flow

Audit & Event Logging

Obligo maintains an immutable event log of all significant actions — document uploads, obligation status changes, user invitations, and configuration updates — giving you a complete compliance trail.

  • Timestamped, immutable event records
  • User-attributed action history
  • Filterable activity dashboard

Tenant Isolation

Each workspace operates in a logically isolated environment. Row-level security policies ensure that one organisation's data is never accessible to another — even at the database query level.

  • Strict row-level security enforcement
  • Workspace-scoped data boundaries
  • Zero cross-tenant data leakage

Document Protection

Uploaded compliance documents are stored in isolated, access-controlled buckets. Downloads are served through signed, time-limited URLs — never publicly accessible links.

  • Private, scoped storage buckets
  • Signed URLs with automatic expiry
  • No public document endpoints
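The signed, time-limited download link described above, as an added example in Python that is not Obligo's own code. It assumes a hypothetical server-side secret (SIGNING_KEY), a workspace identifier carried in the link, and a verifier that runs on every download request. The HMAC binds the document path, the workspace and the expiry together, so changing any of them invalidates the link, and the comparison is constant-time.

```python
"""Signed, time-limited download URLs (added example, not Obligo's code).

Assumptions (hypothetical): SIGNING_KEY is a server-side secret loaded from a
secret store; document paths look like /docs/<id>; the workspace id of the
requesting session is checked against the `ws` parameter by the caller.
"""
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical constructed key for the example; never hard-code one in production.
SIGNING_KEY = b"constructed-example-key-do-not-use"
DEFAULT_TTL = 300  # seconds a link stays valid


def _canonical(path: str, workspace_id: str, expires: int) -> bytes:
    # Everything the signature must protect, joined with a separator that
    # cannot appear in a path or identifier, so fields cannot be shuffled.
    return f"{path}\n{workspace_id}\n{expires}".encode()


def _signature(path: str, workspace_id: str, expires: int) -> str:
    return hmac.new(SIGNING_KEY, _canonical(path, workspace_id, expires),
                    hashlib.sha256).hexdigest()


def sign_url(path: str, workspace_id: str, ttl: int = DEFAULT_TTL,
             now: Optional[int] = None) -> str:
    """Return a link to `path` that expires `ttl` seconds from `now`."""
    expires = int(time.time() if now is None else now) + ttl
    sig = _signature(path, workspace_id, expires)
    return f"{path}?{urlencode({'ws': workspace_id, 'exp': expires, 'sig': sig})}"


def verify_url(url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Expiry is checked before the signature so an
    expired link is rejected even if it was signed correctly."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        workspace_id = query["ws"][0]
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    current = int(time.time() if now is None else now)
    if current >= expires:
        return False, "expired"
    expected = _signature(parts.path, workspace_id, expires)
    # Constant-time comparison: a plain == would leak timing information.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    link = sign_url("/docs/42", "ws-a", ttl=300, now=1_000)
    print(link)
    print(verify_url(link, now=1_100))   # accepted
    print(verify_url(link, now=1_300))   # expired
    print(verify_url(link.replace("/docs/42", "/docs/43"), now=1_100))  # tampered path
```

The handler serving the download should additionally confirm that the `ws` value in an accepted link matches the workspace of the authenticated session, so a leaked link cannot be replayed from another tenant's account.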

Session & Authentication Security

User sessions are managed with cookies carrying the Secure and HttpOnly flags and short-lived tokens, so session identifiers are never sent over plaintext HTTP or exposed to client-side scripts. Password policies enforce minimum complexity, and accounts are protected against brute-force attempts by throttling repeated failures and temporarily locking the account.

  • Session cookies set with the Secure and HttpOnly flags
  • Short-lived, rotatable auth tokens
  • Brute-force throttling & temporary account lockout
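The brute-force throttling and lockout behaviour listed above, as an added example in Python that is not Obligo's own code. It assumes hypothetical thresholds (five failures within fifteen minutes triggers a fifteen-minute lockout), an in-memory store, and a caller-supplied password check. A locked account rejects even a correct password, so an attacker cannot use the lockout window to confirm a guess.

```python
"""Login throttling with a sliding failure window and temporary lockout
(added example, not Obligo's code).

Assumptions (hypothetical): thresholds below are illustrative; a production
deployment keeps this state in a shared store and also throttles per source IP.
"""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Optional, Tuple

MAX_ATTEMPTS = 5       # failures allowed within WINDOW before lockout
WINDOW = 15 * 60       # seconds over which failures are counted
LOCKOUT = 15 * 60      # seconds the account stays locked


class LoginThrottle:
    def __init__(self) -> None:
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def _prune(self, account: str, now: float) -> None:
        # Drop failures that fell out of the sliding window.
        q = self._failures[account]
        while q and q[0] <= now - WINDOW:
            q.popleft()

    def check(self, account: str, now: Optional[float] = None) -> Tuple[bool, int]:
        """Return (allowed, seconds_until_unlock) before a credential check runs."""
        now = time.time() if now is None else now
        until = self._locked_until.get(account)
        if until is not None:
            if now < until:
                return False, int(until - now)
            # Lockout has elapsed: clear it and start a fresh failure window.
            del self._locked_until[account]
            self._failures[account].clear()
        return True, 0

    def record_failure(self, account: str, now: Optional[float] = None) -> bool:
        """Record a failed attempt; returns True if this one triggered a lockout."""
        now = time.time() if now is None else now
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= MAX_ATTEMPTS:
            self._locked_until[account] = now + LOCKOUT
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, password: str,
                  check_password: Callable[[str, str], bool],
                  now: Optional[float] = None) -> str:
    """Return "locked", "denied" or "ok". The lockout check runs first so a
    locked account never reveals whether the supplied password was right."""
    allowed, _wait = throttle.check(account, now)
    if not allowed:
        return "locked"
    if check_password(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "denied"


if __name__ == "__main__":
    # Constructed demo: a fixed password and a fake clock.
    def demo_check(_account: str, password: str) -> bool:
        return password == "correct horse"

    t = LoginThrottle()
    for i in range(5):
        print(attempt_login(t, "alice", "wrong", demo_check, now=1000 + i))  # denied x5
    print(attempt_login(t, "alice", "correct horse", demo_check, now=1005))  # locked
    print(attempt_login(t, "alice", "correct horse", demo_check, now=1005 + LOCKOUT))  # ok
```

Returning the same "denied" response on the failure that triggers the lockout, rather than announcing it, avoids telling an attacker exactly when to rotate to the next account.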

API & Integration Security

All server-side actions are authenticated and validated. Input passes through typed validation layers and is sanitised before use, and sensitive endpoints are rate-limited, to prevent injection and abuse.

  • Server-side action authentication
  • Input sanitisation & typed validation
  • Rate limiting on sensitive endpoints

Infrastructure & Hosting

Obligo runs on enterprise-grade cloud infrastructure with automated backups, redundancy, and continuous monitoring. Our hosting providers maintain SOC 2 and ISO 27001 certifications.

  • Automated daily backups with point-in-time recovery
  • Multi-region redundancy
  • Hosted on SOC 2 & ISO 27001 certified infrastructure

Incident Response & Monitoring

We operate continuous uptime and error monitoring with automated alerting. In the event of a security incident, our response protocol includes immediate containment, investigation, and transparent communication.

  • 24/7 automated error & uptime monitoring
  • Defined incident response playbook
  • Transparent breach notification policy

Responsible Disclosure

We value the security research community. If you discover a vulnerability in Obligo, please reach out to us responsibly. We are committed to investigating and addressing valid reports promptly.

Contact Us