Security & Compliance
How data is protected, and what Olto does not claim.
Last updated July 2026
Research IP, protocol designs, and experimental data are protected by several independent layers: encryption in transit and at rest, database row-level security, audit logging, and authentication controls. Each is described below.
Encryption
- At rest: data is encrypted (AES-256) by our managed database and object-storage providers.
- In transit: all traffic is served over HTTPS/TLS (1.3 with 1.2 fallback).
Data Isolation
Every database row is protected by PostgreSQL Row-Level Security (RLS) policies. Users can only read and write data they own. Organization members can access shared resources only within their organization scope. User requests are constrained by RLS at the database level; the client application cannot read or write beyond what a user's policies allow.
Audit Logging
Every significant action is logged to the audit_log table with: user ID, action type, resource identifier, IP address, user agent, and timestamp. Logs are append-only (no client-facing update or delete policies). Lab and Enterprise plan administrators can view audit logs from the Team settings page.
Authentication
Passwords are hashed using bcrypt via Supabase Auth. Two-factor authentication (TOTP) is available now — turn it on in Settings → Security with any authenticator app (Google Authenticator, Authy, 1Password, and others), then save your one-time backup recovery codes somewhere safe in case you lose your device. Keep Security Alert Emails on as well to catch unrecognized sign-ins. SSO/SAML integration for institutional identity providers is planned for Enterprise plans.
SOC 2 & HIPAA posture
Olto Discovery is built on security-conscious infrastructure providers and designed with SOC 2-aligned controls in mind. Olto Discovery itself has not completed a SOC 2 audit unless expressly stated. We rely on infrastructure providers with established security programs, including SOC 2-compliant providers where available.
Olto Discovery is not, by default, a HIPAA-covered platform and does not provide a Business Associate Agreement on standard plans. A HIPAA-capable configuration with a Business Associate Agreement (BAA) is available for Enterprise customers under a separately scoped enterprise agreement. Until that agreement is in place, do not upload protected health information (PHI), patient-identifiable clinical data, classified information, export-controlled data, controlled unclassified information (CUI), or other regulated sensitive data.
For Enterprise compliance discussions, contact enterprise@oltodiscovery.com. To report a security concern or vulnerability, contact security@oltodiscovery.com.
Data Residency
By default, data is stored in the United States. EU data residency and private-cloud deployment may be available under a separately scoped enterprise agreement.
Responsible Disclosure
If you discover a security vulnerability, please report it to security@oltodiscovery.com. We aim to acknowledge security reports promptly and maintain a responsible disclosure policy.