Trust Center
Last updated: 2026-02-21
OneCount Pty Ltd · ACN 695 536 415 · ABN 29 695 536 415
OneCount is an inventory, compliance, and traceability platform for hospitality operators. This page describes how we handle security and data today — plainly, including where we are still building.
Where your data lives
Our production database runs on Supabase, hosted in the Southeast Asia (Singapore) region. We do not currently offer a choice of data region, and we do not claim Australian data residency — if your organization requires data to stay in a specific jurisdiction, ask us before you rely on this platform for regulated data.
Access control and tenant isolation
Every table in our production schema has row-level security (RLS) enabled. Our organization identifier (org_id) is a plain text key, and cross-tenant access checks are enforced both by RLS policies and by SECURITY DEFINER helper functions in the database, so that application code cannot accidentally bypass tenant scoping.
We run an automated tenant-scope scanner across the codebase as part of our internal review process. As of our most recent full pass, it reported 0 findings across all severities. We treat any regression from that baseline as a release blocker.
See Security for the role-based access model (staff, manager, owner) and audit-trail detail, and Vendor Data-Processing Posture for the code-verified list of vendors and what each one can see.
Monitoring
We use Sentry for crash and error monitoring across our mobile and web surfaces, with alert review as part of our operating rhythm.
Certifications — honestly, where we stand today
We are not SOC 2 audited. We are not ISO/IEC 27001 certified. We do not claim either.
SOC 2 Type I (covering Security, Availability, and Confidentiality) is our target, not something we have completed. We are building the internal control baseline for it: a control matrix, a risk and gap register, an evidence register, and operating policies. That work is in progress. We will update this page the day a report exists — not before.
ISO/IEC 27001 is a later-stage goal, not an active project, unless a specific customer requirement pulls it forward.
We do not publish an uptime SLA today. We do not claim a defined recovery point/recovery time objective (RPO/RTO) today — that is an open item we are working on, not a claim we're making.
Who processes your data (sub-processors)
We use a small number of named vendors to run the product. As of today:
| Vendor | Role |
|---|---|
| Supabase | Database, authentication, row-level security, backend functions (Singapore region) |
| OpenAI | AI-assisted features (e.g., business intelligence queries, document/invoice parsing) |
| RevenueCat | Subscription and entitlement management |
| Vercel | Website and dashboard hosting |
| Sentry | Crash and error monitoring |
OpenAI is the only AI vendor in production today — we do not currently send any data to Anthropic or any other AI provider. We have not yet published a formal, standalone subprocessor list with executed DPA status per vendor; that is tracked internally and is one of the items a future revision of this page should close out.
What we are not claiming
To be direct about the gaps, we do not claim:
- An uptime SLA (no percentage published).
- SOC 2 certification or attestation of any type (Type I or Type II) — no report exists yet.
- ISO/IEC 27001 certification.
- A defined, tested backup recovery point/recovery time objective — point-in-time recovery is not yet enabled on our production database, by a deliberate, documented cost-deferral decision made at our current customer volume. We plan to revisit this before it becomes a live commitment.
- Data residency guarantees in any specific jurisdiction (our database region is Singapore, not customer-selectable today).
Questions
Security or compliance questions from prospective customers: hello@onecount.ai.