Security

How We Keep Your Data Safe

Your project data stays private and protected. Here is exactly what we do to earn your trust.

Minimal Data Access

Omnio View connects to your Jira workspace through Atlassian's official OAuth flow. We only read the minimum fields needed to generate your reports:

What we read

  • Issue keys (e.g. PROJ-123)
  • Issue summaries
  • Status and priority
  • Created / updated dates

What we never read

  • Names or email addresses
  • Issue descriptions or comments
  • Attachments or files
  • Custom fields beyond story points

Your data is used for one purpose: generating AI-powered project reports. It is never sold, shared with third parties, or used for anything else.


Encryption Everywhere

WhereHow
Browser ↔ Omnio ViewHTTPS/TLS on every request
Omnio View ↔ JiraHTTPS/TLS via Atlassian OAuth
Database connectionsSSL required in production
PasswordsHashed with bcrypt — we never store or see your password
Session tokensStored as SHA-256 hashes, not plaintext
BackupsAES-256 encrypted at rest

Authentication & Access Control

Strong passwords

Minimum 10-character passwords required for all accounts. Passwords are hashed with bcrypt before storage.

Session management

Sessions expire after 60 minutes of inactivity (24-hour maximum). You can view and revoke your active sessions at any time.

Automatic session revocation

When you change or reset your password, all other sessions are immediately revoked. Stolen cookies become useless.

Role-based permissions

Four roles — superadmin, admin, owner, viewer — control who can configure the system and who can view reports. Configuration changes require admin privileges.

Login attempts are rate-limited to prevent brute-force attacks. Email verification is required for new accounts.


Organisation Isolation

Omnio View is multi-tenant: each customer organisation has completely isolated data. Your team's data is never mixed with or accessible by another organisation.

What this means in practice: Even if someone guesses a report URL, they cannot access it unless they belong to the same organisation that created it.


AI & Privacy

Omnio View uses AI to generate project summaries and health insights. Here is how we protect your data during AI processing:

Credentials, tokens, and raw user data are never sent to the AI provider.


Secure Sharing

When you share a report via a link:


GDPR Compliance

Omnio View is built with GDPR principles at its core.

RightHow we support it
Right to erasureDelete your account at any time. Deletion is logged for compliance, and backup restores automatically scrub deleted user data.
Data minimisationWe collect only the Jira fields needed for reporting. Personal identifiers are stripped before AI processing.
Right to restrict processingAccounts can be flagged to halt all data processing.
Audit trailAll data access and processing is logged with 90-day retention.

Infrastructure

MeasureDetail
HostingRender managed infrastructure with automatic TLS certificates
Security headersContent Security Policy, X-Frame-Options, HSTS, and more on every response
CORSCross-origin requests restricted to explicit allowlists
OAuth protectionAll OAuth flows (Jira, GitHub, Google) use cryptographically signed state tokens
Cookie securityhttpOnly, Secure, SameSite=Lax — cookies cannot be read by JavaScript or sent cross-site
Rate limitingAPI endpoints are rate-limited to prevent abuse
Request size limitsOversized requests are rejected to prevent resource exhaustion
Input validationAll inputs validated with strict schemas; errors never leak internal details

Questions?

If you have questions about how Omnio View handles your data, or if you would like to request data deletion or a copy of your data, contact us at contact@omnioview.com.

For our full privacy policy, see Privacy. For terms of service, see Terms.