Security
How We Keep Your Data Safe
Your project data stays private and protected. Here is exactly what we do to earn your trust.
On this page
Minimal Data Access
Omnio View connects to your Jira workspace through Atlassian's official OAuth flow. We only read the minimum fields needed to generate your reports:
What we read
- Issue keys (e.g. PROJ-123)
- Issue summaries
- Status and priority
- Created / updated dates
What we never read
- Names or email addresses
- Issue descriptions or comments
- Attachments or files
- Custom fields beyond story points
Your data is used for one purpose: generating AI-powered project reports. It is never sold, shared with third parties, or used for anything else.
Encryption Everywhere
| Where | How |
|---|---|
| Browser ↔ Omnio View | HTTPS/TLS on every request |
| Omnio View ↔ Jira | HTTPS/TLS via Atlassian OAuth |
| Database connections | SSL required in production |
| Passwords | Hashed with bcrypt — we never store or see your password |
| Session tokens | Stored as SHA-256 hashes, not plaintext |
| Backups | AES-256 encrypted at rest |
Authentication & Access Control
Strong passwords
Minimum 10-character passwords required for all accounts. Passwords are hashed with bcrypt before storage.
Session management
Sessions expire after 60 minutes of inactivity (24-hour maximum). You can view and revoke your active sessions at any time.
Automatic session revocation
When you change or reset your password, all other sessions are immediately revoked. Stolen cookies become useless.
Role-based permissions
Four roles — superadmin, admin, owner, viewer — control who can configure the system and who can view reports. Configuration changes require admin privileges.
Login attempts are rate-limited to prevent brute-force attacks. Email verification is required for new accounts.
Organisation Isolation
Omnio View is multi-tenant: each customer organisation has completely isolated data. Your team's data is never mixed with or accessible by another organisation.
- Every database query filters by your organisation
- Admin actions are scoped to your own organisation only
- Report exports verify organisation ownership before returning data
- Within your organisation, admins assign users to specific projects
What this means in practice: Even if someone guesses a report URL, they cannot access it unless they belong to the same organisation that created it.
AI & Privacy
Omnio View uses AI to generate project summaries and health insights. Here is how we protect your data during AI processing:
- PII scrubbing — all names and email addresses are removed before data reaches the AI model
- Pre-flight validation — an automated check confirms the payload is clean before every AI request
- No training on your data — your project data is not used to train AI models
- Minimal context — only issue keys, scrubbed summaries, statuses, and priorities are sent
Credentials, tokens, and raw user data are never sent to the AI provider.
Secure Sharing
When you share a report via a link:
- Each link uses a cryptographically random 256-bit token — links cannot be guessed
- Links can be password-protected with the same bcrypt hashing used for user accounts
- Links can be set to expire after a time you choose
- Access is tracked so you can see who viewed a shared report
- Shared links give read-only access to a single report — nothing else
GDPR Compliance
Omnio View is built with GDPR principles at its core.
| Right | How we support it |
|---|---|
| Right to erasure | Delete your account at any time. Deletion is logged for compliance, and backup restores automatically scrub deleted user data. |
| Data minimisation | We collect only the Jira fields needed for reporting. Personal identifiers are stripped before AI processing. |
| Right to restrict processing | Accounts can be flagged to halt all data processing. |
| Audit trail | All data access and processing is logged with 90-day retention. |
Infrastructure
| Measure | Detail |
|---|---|
| Hosting | Render managed infrastructure with automatic TLS certificates |
| Security headers | Content Security Policy, X-Frame-Options, HSTS, and more on every response |
| CORS | Cross-origin requests restricted to explicit allowlists |
| OAuth protection | All OAuth flows (Jira, GitHub, Google) use cryptographically signed state tokens |
| Cookie security | httpOnly, Secure, SameSite=Lax — cookies cannot be read by JavaScript or sent cross-site |
| Rate limiting | API endpoints are rate-limited to prevent abuse |
| Request size limits | Oversized requests are rejected to prevent resource exhaustion |
| Input validation | All inputs validated with strict schemas; errors never leak internal details |
Questions?
If you have questions about how Omnio View handles your data, or if you would like to request data deletion or a copy of your data, contact us at contact@omnioview.com.
For our full privacy policy, see Privacy. For terms of service, see Terms.