Security

Last updated: July 7, 2026

This page summarizes how AskOptimus protects the data you entrust to it. It complements our Privacy Policy and Terms of Service.

1. Encryption

  • In transit: all traffic between your browser, our API (api.askoptimus.ai), and our MCP server (mcp.askoptimus.ai) is served over HTTPS with TLS 1.2 or higher, using Let’s Encrypt certificates that renew automatically.
  • At rest: the primary database is hosted on Supabase (Postgres), which encrypts data at rest with AES-256. Application-level secrets and OAuth private keys are held in environment variables scoped to the production host and never checked into source control.

2. Authentication and credentials

Three credential types can reach AskOptimus:

  • Session cookies issued by Better Auth for the web dashboard. Cookies are HttpOnly, Secure, and SameSite=Lax.
  • API keys (prefix ev_) that you generate at Settings → API keys. Keys are shown once, stored only as a SHA-256 hash server-side, and can be revoked at any time.
  • OAuth 2.1 access tokens issued to MCP-compatible AI clients (Claude, Cursor, ChatGPT connectors, etc.) after you complete an authorization flow. Access tokens are short-lived RS256 JWTs (15-minute lifetime). Refresh tokens are opaque, hashed at rest, rotated on every use, and revoked on detected reuse. Every authorization uses PKCE (S256).

3. MCP server and third-party AI clients

The AskOptimus MCP server (mcp.askoptimus.ai/mcp) is a thin adapter over our API. It never stores your data itself; it forwards each authenticated request to the same backend that serves the dashboard.

  • External AI clients only see data after you have explicitly authorized them (API key or OAuth consent screen).
  • Every MCP request is authenticated, org-scoped, rate-limited, and recorded in our audit log.
  • You can review every connector you have authorized and revoke any of them at any time at Settings → Authorized apps. Revocation is immediate.

4. Data isolation

Every resource is scoped to an organization or user at query time. Cross-tenant access requires an explicit organization membership recorded in the database. API keys and OAuth tokens inherit the active organization at the moment they are issued and cannot escape it.

5. Rate limiting and audit logging

Programmatic traffic (API keys and OAuth tokens) is rate-limited per credential and emitted to a structured audit log for every request, including the caller identity, the endpoint, the response status, and latency. Raw credentials are never logged; only per-credential fingerprints.

6. Sub-processors

We rely on the following providers to operate the Services. Each processes only the data required to deliver its function:

  • Supabase— managed Postgres (primary data store)
  • Stripe— billing and subscription management
  • Trigger.dev— background job execution (bulk verifications, sequence sends)
  • Google & Microsoft OAuth— sender account and inbox integrations, at your explicit request
  • VerifyMail.io— deliverability fallback for providers that block direct SMTP checks (Google, Microsoft, Yahoo, ProtonMail)

7. Vulnerability disclosure

If you believe you have found a security issue, please email support@askoptimus.ai. We aim to acknowledge new reports within two business days and will keep you informed until the issue is resolved. Please do not publicly disclose an issue before we have had a reasonable opportunity to fix it.

A machine-readable version of this contact is available at /.well-known/security.txt (RFC 9116).

8. Changes to this page

We update this page as our security posture evolves. Material changes will be reflected in the “Last updated” date at the top.