Security
Your data, kept where it should be.
Security is not a bolt-on. Isolation between businesses, encryption, and UK and EU data residency are built into how the platform works. Here is what that means in plain terms.
How we protect your data
One business can never read another
Every table that holds your data is tagged with your business and locked down by Postgres row-level security. A query for one business cannot return another business’s rows, even if the application code asks for them.
Encrypted, and classified before it is stored
Data is encrypted at rest and in transit. We classify every column when it is added, so the more sensitive a field is, the more protection it gets. Nothing sensitive is logged.
Your data stays in the UK and EU
The database runs in London (Supabase, eu-west-2). Data is held in the UK and is never moved outside the UK and EU without the right legal safeguards in place.
Built for UK GDPR from the start
You can export your data or have it erased on request. Access to personal data is logged, retention is enforced, and every admin action leaves an audit trail.
We never see your card
Payments run through Stripe. Card details go straight to Stripe and are handled under their PCI-compliant systems. Odel never stores or even touches your card number.
Watched, not left to chance
Errors and performance are monitored continuously (Sentry, EU region), so problems are caught quickly. Security patches for known issues are applied on a fixed schedule.
Reporting a problem
Found something? Tell us.
If you think you have found a security issue, we want to hear about it. Email us directly and we will look into it. Please give us a reasonable chance to fix the problem before you make it public.
What to include
- Where you found it, with the steps to reproduce it.
- What you think the impact is.
- A way for us to reach you for follow-up.
Our disclosure contact and details are published at /.well-known/security.txt.