Trust & security
Overt is in early access. This page describes the controls that are actually in place today and is being finalised with counsel ahead of general availability — items in brackets are pending. We don't claim certifications we don't hold.
Our product reads what companies publish to the internet and shows the evidence behind every finding. We hold our own platform to the same standard: here is exactly how it's secured, where your data lives, and who touches it.
How the platform is secured
| Area | What's in place |
|---|---|
| Authentication | Descope-issued RS256 session JWTs, verified on every request against the published JWKS at the edge. Magic-link and SSO; no passwords stored by us. |
| Authorization & isolation | Role-based access control (4 roles, 10 permissions). The tenant is taken from the verified token, never from request input, so one workspace can never read another. All database access is parameterised. |
| Encryption in transit | TLS everywhere, HSTS with preload + includeSubDomains. HTTP is upgraded to HTTPS. |
| Browser hardening | Content-Security-Policy (host-allow-listed scripts), X-Frame-Options DENY + frame-ancestors 'none' (no clickjacking), Cross-Origin-Opener-Policy, nosniff, and a restrictive Permissions-Policy. |
| Abuse & rate limiting | Per-tenant and per-IP rate limits on cost-bearing endpoints; Cloudflare Turnstile on public forms; monthly usage quotas. |
| Billing integrity | Stripe webhooks are HMAC-verified over the raw body with a replay window before anything is written; the client can never grant itself a paid module. |
| Secrets | Management keys and API tokens are edge secrets, never shipped to the browser and never committed to source control. |
| Auditability | Tenant-scoped, append-only audit log of administrative and billing actions, readable by workspace admins. |
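As an added illustration of the billing-integrity row (example code, not Overt's own), the block below shows how HMAC verification plus a replay window gates a Stripe-style webhook before anything is written. It assumes Stripe's documented header format (`t=<timestamp>,v1=<hex HMAC-SHA256 over "<timestamp>.<raw body>">`), a constructed signing secret, and a 300-second tolerance; the `entitlements` list is a stand-in for the database.

```python
import hashlib
import hmac
import json

# Constructed for this example: not Overt's real signing secret or event payload.
WEBHOOK_SECRET = b"whsec_constructed_example_secret"
REPLAY_WINDOW_SECONDS = 300  # assumed tolerance; Stripe's documented default is 5 minutes


def sign_payload(raw_body: bytes, timestamp: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """Build a Stripe-style header: t=<unix ts>,v1=<hex HMAC-SHA256 over "<ts>.<raw body>">."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + raw_body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def parse_signature_header(header: str):
    """Return (timestamp, [v1 signatures]); several v1 entries appear during secret rotation."""
    timestamp, signatures = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = int(value)  # ValueError on garbage is handled by the caller
        elif key == "v1":
            signatures.append(value)
    return timestamp, signatures


def verify_webhook(raw_body: bytes, header: str, now: int,
                   secret: bytes = WEBHOOK_SECRET, tolerance: int = REPLAY_WINDOW_SECONDS) -> bool:
    """True only if the delivery is fresh and the MAC over the exact raw bytes matches."""
    try:
        timestamp, candidates = parse_signature_header(header)
    except ValueError:
        return False
    if timestamp is None or not candidates:
        return False
    # Replay window first: a stale (or future-dated) delivery is rejected even with a valid MAC.
    if abs(now - timestamp) > tolerance:
        return False
    # The MAC covers the raw bytes as received (re-serialised JSON differs); compare in constant time.
    expected = hmac.new(secret, f"{timestamp}.".encode() + raw_body, hashlib.sha256).hexdigest()
    return any(hmac.compare_digest(expected, c) for c in candidates)


def handle_webhook(raw_body: bytes, header: str, now: int, entitlements: list) -> int:
    """Nothing is written until verification passes; `entitlements` stands in for the database."""
    if not verify_webhook(raw_body, header, now):
        return 400
    event = json.loads(raw_body)
    # A paid module is granted only from a verified provider event, never from client input.
    entitlements.append((event["data"]["tenant"], event["type"]))
    return 200
```

The same check order (freshness, then MAC, then write) applies to any provider that signs deliveries over the raw body; only the header parsing is Stripe-specific.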
Where your data lives
Your workspace data and the market corpus are stored on Cloudflare in the EU. Authentication is currently handled by Descope in the United States under the EU Standard Contractual Clauses. [EU data residency for authentication is available on a higher plan and can be enabled for EU customers under contract.] The detection engine reads publicly observable company infrastructure (DNS, response headers, certificate-transparency logs, public routing data, registries) — not the personal data of individuals; active probing is opt-in and limited to targets you're authorised to assess.
Your data rights
Workspace owners can export their entire workspace (members, scans, pipeline, lists, usage, audit trail) as JSON, and permanently erase the workspace and all its data — both self-serve, in-product, satisfying GDPR Articles 20 and 17. Contact-enrichment and buying-team data are purged on a rolling retention window. Full detail in our privacy policy.
Sub-processors
| Provider | Purpose | Region |
|---|---|---|
| Cloudflare | Hosting, database (D1), edge compute & analytics | EU |
| Descope | Authentication & identity | US (EU residency available on a higher plan) |
| Stripe | Subscription billing & payments | US/EU |
| Apollo, Lusha | Business-contact & firmographic enrichment you invoke | US/EU |
| Google Workspace | Delivery of contact-form submissions to our team | EU |
A Data Processing Agreement and the current sub-processor list are available to customers under contract. [DPA + final sub-processor list provided at signature.]
Compliance status
We run internal security reviews and adversarial audits, and maintain the controls above. Overt is not yet SOC 2 certified — a formal programme is on the roadmap as we move from early access to general availability. We'd rather tell you exactly where we are than imply a badge we haven't earned. For diligence questionnaires or a security review, reach out and we'll work through them with you.
Responsible disclosure
Found a vulnerability? Report it privately to security@icwt.cloud (see our security.txt). We welcome good-faith research and won't pursue legal action for testing that respects the policy — no data exfiltration, no service degradation, no accessing other tenants' data beyond a minimal proof of concept. We aim to acknowledge reports within a few business days.
Questions
Security, privacy, or procurement questions: security@icwt.cloud. [Operating entity & registered address to be confirmed before public launch.]