Encryption at Rest and in Transit

How Optserv encrypts data at rest and in transit — TLS for all traffic, database encryption, and client-side encryption for Account Sharing.

Optserv encrypts data both while it's moving (in transit) and while it's stored (at rest).

In transit

All communication between your browser and Optserv's servers uses TLS (Transport Layer Security). Because the traffic is encrypted:

  • Credentials, personal data, and business data cannot be read by anyone who intercepts the traffic
  • A man-in-the-middle attacker cannot read the contents of requests

This applies to optserv.ai, app.optserv.ai, and all API endpoints.

Modern TLS versions are enforced. Outdated protocols (TLS 1.0, 1.1) are not supported.

At rest

Data stored in Optserv's database is encrypted at rest. This protects stored data in the event of physical media access or unauthorized infrastructure access.

Database encryption at rest is managed at the infrastructure layer (Supabase/PostgreSQL). It is transparent to the application — queries work normally, but the underlying storage is encrypted.

Account Sharing: additional client-side encryption

Account Sharing goes beyond standard encryption with an additional layer: client-side encryption before data reaches Optserv's servers.

When you store a credential in Account Sharing:

  1. The credential is encrypted in your browser using AES-GCM with a 256-bit key
  2. Only the encrypted ciphertext is sent to and stored on Optserv's servers
  3. Optserv never receives or stores the plaintext credential

This means even Optserv employees cannot read your Account Sharing credentials. The decryption keys never leave the client.
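The three steps above, sketched with the standard WebCrypto API as an added example; this is not Optserv's code. The key handling (a randomly generated, non-extractable key), the `recordId` field bound as additional authenticated data, and all function names are assumptions made for illustration, since this page does not describe how keys are derived or stored.

```javascript
// Added illustration, not Optserv's implementation.
// Browsers expose WebCrypto as `crypto`; the fallback lets the same code run in older Node.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();
const toB64 = (bytes) => btoa(String.fromCharCode(...new Uint8Array(bytes)));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Assumption: a 256-bit AES-GCM key that is non-extractable and never uploaded.
async function newVaultKey() {
  return wc.subtle.generateKey({ name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Step 1: encrypt in the client. GCM needs a fresh 96-bit IV for every message.
// Step 2: the returned object is all that would be sent to the server.
// recordId (hypothetical field) is authenticated but not encrypted.
async function sealCredential(key, plaintext, recordId) {
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt(
    { name: "AES-GCM", iv, additionalData: enc.encode(recordId) },
    key, enc.encode(plaintext));
  return { recordId, iv: toB64(iv), ciphertext: toB64(ct) };
}

// Decryption happens only in the client. GCM rejects a modified ciphertext
// or a payload replayed under a different recordId.
async function openCredential(key, payload) {
  const pt = await wc.subtle.decrypt(
    { name: "AES-GCM", iv: fromB64(payload.iv), additionalData: enc.encode(payload.recordId) },
    key, fromB64(payload.ciphertext));
  return new TextDecoder().decode(pt);
}

async function demo() {
  const key = await newVaultKey();
  const secret = "hunter2-constructed-sample"; // constructed sample value
  const payload = await sealCredential(key, secret, "rec-001");
  const roundTrip = await openCredential(key, payload);
  const bytes = fromB64(payload.ciphertext);
  bytes[0] ^= 1; // simulate modification of the stored ciphertext
  const tampered = { ...payload, ciphertext: toB64(bytes) };
  const tamperRejected = await openCredential(key, tampered).then(() => false, () => true);
  return { payload, roundTrip, tamperRejected };
}

demo().then((r) => console.log(r.payload, "tamperRejected:", r.tamperRejected));
```

The server-side record holds only `recordId`, `iv` and `ciphertext`; none of them allows decryption without the client-held key.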

See Accounts Vault Crypto for the full cryptographic model.

What encryption does not protect against

Encryption protects data from external attackers and unauthorized infrastructure access. It does not protect against:

  • A legitimate authenticated user with sufficient permissions choosing to export or misuse data
  • Account compromise (e.g., a staff member's password is phished)
  • Social engineering

The role and access controls in Optserv (RBAC, RLS) are the controls that protect against internal misuse. Encryption and access control are complementary — neither replaces the other.