Your employee data deserves more than good intentions.
OfficeBlink was designed with security as a first-class requirement, not retrofitted. PASETO tokens, full audit logs, RBAC, and SOC 2-aligned controls are built into the core.
SOC 2 Type II: in progress. GDPR ready. Multi-jurisdiction compliant.
Every layer of the stack secured by design.
Authentication & Sessions
PASETO Ed25519 asymmetric tokens. Short-lived sessions with instant revocation.
Role-Based Access Control
Granular permissions per resource. A deny rule always overrides any allow.
Encryption
AES-256 at rest, TLS 1.3 in transit. No unencrypted PII stored anywhere.
Audit Logging
Every write operation logged with actor ID and before/after values. Immutable.
Rate Limiting
Redis-backed sliding-window protection per IP. Edge bot detection.
Data Isolation
Every query is scoped to the caller's company. Cross-tenant reads and writes are rejected at the data layer.
Secrets Management
No secrets in source code. Environment-based config with key rotation.
Infrastructure
Containerised deployment. Private networking. Hardened Postgres 17.
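The Rate Limiting card above describes a per-IP sliding window. The following is an added example written for this page, not OfficeBlink's code: an in-memory sliding-window limiter that stands in for the Redis sorted-set version (the Redis form keeps one sorted set of request timestamps per key and trims it with ZREMRANGEBYSCORE before counting with ZCARD). It also shows the check a practitioner wants next to any per-IP limiter: only honour X-Forwarded-For when the request came through a trusted edge proxy, and then take the entry that proxy appended, because the leftmost entries are client-controlled. The limit, window, addresses and request below are constructed for the demo.

```go
package main

import (
	"fmt"
	"math"
	"net"
	"net/http"
	"strconv"
	"strings"
	"sync"
	"time"
)

// SlidingWindowLimiter admits at most `limit` requests per key in any interval of length `window`.
// In-memory stand-in for the Redis version, where each key is a sorted set of request timestamps
// maintained with ZADD / ZREMRANGEBYSCORE / ZCARD inside one MULTI block.
type SlidingWindowLimiter struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	hits   map[string][]time.Time // timestamps still inside the window, oldest first
}

func NewSlidingWindowLimiter(limit int, window time.Duration) *SlidingWindowLimiter {
	return &SlidingWindowLimiter{limit: limit, window: window, hits: make(map[string][]time.Time)}
}

// Allow records a request at `now` if the key is under its limit. It returns whether the request
// was admitted and, if not, how long until the oldest in-window hit expires (a Retry-After value).
func (l *SlidingWindowLimiter) Allow(key string, now time.Time) (bool, time.Duration) {
	l.mu.Lock()
	defer l.mu.Unlock()
	cutoff := now.Add(-l.window)
	ts := l.hits[key]
	i := 0
	for i < len(ts) && !ts[i].After(cutoff) { // evict hits that have slid out of the window
		i++
	}
	ts = ts[i:]
	if len(ts) >= l.limit {
		l.hits[key] = ts
		return false, ts[0].Add(l.window).Sub(now)
	}
	l.hits[key] = append(ts, now)
	return true, 0
}

// ClientIP chooses the bucket key. X-Forwarded-For is honoured only when the request came through
// a trusted edge proxy, and then the rightmost entry (the one that proxy appended) is used; the
// leftmost entries are client-controlled and would let an attacker pick an arbitrary bucket.
func ClientIP(r *http.Request, trustedProxy bool) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	if trustedProxy {
		if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
			parts := strings.Split(xff, ",")
			return strings.TrimSpace(parts[len(parts)-1])
		}
	}
	return host
}

// Middleware rejects over-limit requests with 429 and a Retry-After header.
func (l *SlidingWindowLimiter) Middleware(trustedProxy bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok, wait := l.Allow(ClientIP(r, trustedProxy), time.Now())
		if !ok {
			w.Header().Set("Retry-After", strconv.Itoa(int(math.Ceil(wait.Seconds()))))
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed demo: 3 requests per minute from one IP; the fourth inside the window is refused.
	l := NewSlidingWindowLimiter(3, time.Minute)
	t0 := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	for i := 0; i < 4; i++ {
		ok, wait := l.Allow("203.0.113.5", t0.Add(time.Duration(i)*10*time.Second))
		fmt.Printf("request %d at +%ds: allowed=%v retry-after=%v\n", i+1, i*10, ok, wait)
	}
}
```

The sliding-window log is exact but stores one entry per request; at edge scale the usual trade is the sliding-window counter approximation (two fixed buckets weighted by overlap), which the Redis sorted set avoids needing only while per-key traffic stays small.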
PASETO. Not JWT. Here's why it matters.
Platform-Agnostic Security Tokens (PASETO) signed with Ed25519 asymmetric keys. Unlike JWT, a PASETO token carries no algorithm header for the verifier to trust: each version and purpose pair fixes the cryptography, so there is no alg:none or key-confusion downgrade to defend against. Every token is signed, not merely base64-encoded.
- Ed25519 asymmetric key pairs for signing
- Short-lived access tokens (default 24h)
- Server-side validated refresh tokens
- Instant and complete session revocation
- Lockout protection for failed attempts
- SSE stream auth via a dedicated query-string token (a browser's EventSource cannot send custom headers)
Token lifecycle: issue access + refresh tokens; the token is revoked on logout, with no waiting for expiry.
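To make the claims in this section concrete, here is an added example, written for this page and not taken from OfficeBlink: a minimal PASETO v4.public issuer and verifier using only Go's standard library (Ed25519 plus the spec's Pre-Authentication Encoding), with the expiry and server-side revocation check that "instant revocation" requires. The claim names sub, jti and exp are PASETO's registered claims; the footer and implicit-assertion values, key handling and the revocation map are assumptions of the example. A production service should use a maintained PASETO library rather than this hand-rolled encoding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Header for PASETO version 4, purpose "public" (Ed25519-signed). The version and purpose fix
// the algorithm, so there is no alg field for a verifier to be talked into downgrading.
const v4PublicHeader = "v4.public."

// Claims are the token payload. sub/exp/jti are PASETO's registered claims; jti is what the
// server puts on its revocation list at logout.
type Claims struct {
	Subject string    `json:"sub"`
	TokenID string    `json:"jti"`
	Expiry  time.Time `json:"exp"`
}

// pae is PASETO's Pre-Authentication Encoding: LE64(n) followed by LE64(len(p)) || p per piece,
// so the signed byte string is unambiguous whatever the piece lengths are.
func pae(pieces ...[]byte) []byte {
	out := binary.LittleEndian.AppendUint64(nil, uint64(len(pieces)))
	for _, p := range pieces {
		out = binary.LittleEndian.AppendUint64(out, uint64(len(p)))
		out = append(out, p...)
	}
	return out
}

// Sign issues "v4.public." || b64url(payload || sig) [|| "." || b64url(footer)], where sig is the
// Ed25519 signature over PAE(header, payload, footer, implicit). The implicit assertion is bound
// into the signature but never transmitted, so the verifier must supply the same value.
func Sign(priv ed25519.PrivateKey, c Claims, footer, implicit string) (string, error) {
	m, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(priv, pae([]byte(v4PublicHeader), m, []byte(footer), []byte(implicit)))
	tok := v4PublicHeader + base64.RawURLEncoding.EncodeToString(append(append([]byte{}, m...), sig...))
	if footer != "" {
		tok += "." + base64.RawURLEncoding.EncodeToString([]byte(footer))
	}
	return tok, nil
}

// Verify rejects anything that is not v4.public, checks the signature before parsing any claim,
// then enforces expiry and a server-side revocation set keyed by jti. A signed token stays
// cryptographically valid until exp, so logout must add its jti to that set.
func Verify(pub ed25519.PublicKey, token, implicit string, revoked map[string]bool, now time.Time) (*Claims, error) {
	if !strings.HasPrefix(token, v4PublicHeader) {
		return nil, errors.New("unexpected token version or purpose")
	}
	parts := strings.Split(token[len(v4PublicHeader):], ".")
	if len(parts) > 2 {
		return nil, errors.New("malformed token")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || len(body) < ed25519.SignatureSize {
		return nil, errors.New("malformed token body")
	}
	var footer []byte
	if len(parts) == 2 {
		if footer, err = base64.RawURLEncoding.DecodeString(parts[1]); err != nil {
			return nil, errors.New("malformed footer")
		}
	}
	m, sig := body[:len(body)-ed25519.SignatureSize], body[len(body)-ed25519.SignatureSize:]
	if !ed25519.Verify(pub, pae([]byte(v4PublicHeader), m, footer, []byte(implicit)), sig) {
		return nil, errors.New("invalid signature")
	}
	var c Claims
	if err := json.Unmarshal(m, &c); err != nil {
		return nil, errors.New("malformed claims")
	}
	if !now.Before(c.Expiry) {
		return nil, errors.New("token expired")
	}
	if revoked[c.TokenID] {
		return nil, errors.New("token revoked")
	}
	return &c, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tok, _ := Sign(priv, Claims{Subject: "user-42", TokenID: "sess-1", Expiry: time.Now().Add(24 * time.Hour)}, "", "")
	_, err := Verify(pub, tok, "", nil, time.Now())
	fmt.Println("fresh token:", err)
	_, err = Verify(pub, tok, "", map[string]bool{"sess-1": true}, time.Now()) // logout put jti on the list
	fmt.Println("after revocation:", err)
}
```

Two points the code makes that the bullet list does not: with a 24h access token the revocation set must be consulted on every request for the whole lifetime, not just at refresh time, and if a token travels in a query string for SSE it should be a separate, short-lived one, because query strings end up in proxy and browser logs.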
GDPR Compliance
- Data minimisation principle applied
- Lawful basis for processing documented
- Data subject access request support
- Right to erasure process defined
- Data processing agreements available
- Breach notification process in place
GDPR-ready. Privacy by design.
OfficeBlink was architected with a privacy-first mindset. From local data residency options to strict PII isolation, we ensure your employees' sensitive data is treated with the highest legal and technical care.
- PII stored only where operationally necessary
- Configurable data retention policies
- DSAR processing within 30 days
- Standard contractual clauses (SCC) available
- Custom DPA for enterprise customers
SOC 2 Type II — In Progress
OfficeBlink is on a roadmap toward SOC 2 Type II certification. Our controls are designed to meet the Trust Services Criteria across Security, Availability, Processing Integrity, Confidentiality, and Privacy.
99.9% uptime. Production-grade stack.
Database
PostgreSQL 17 with pgxpool. Row-level company isolation. Automated backups with point-in-time recovery (PITR).
Caching & Queuing
Redis 7 for sessions and rate limiting. Apache Kafka for asynchronous event streaming, so a slow or failing consumer does not cascade into the request path.
Deployment
Dockerised. Horizontally scalable. Health checks and graceful shutdowns on every enterprise service.
API keys that behave like enterprise credentials.
- Per-company API keys with configurable expiry
- IP allowlist enforcement per key
- Last-used timestamp tracking for auditing
- Rate limiting applied independently per key
- HMAC-signed webhook payloads
- Outbound retries with exponential backoff
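The last two bullets describe HMAC-signed webhook payloads and exponential-backoff retries. As an added example for this page (not OfficeBlink's implementation, whose header format is not documented here), the following Go shows both halves of the signing contract: the sender computes an HMAC-SHA256 over the delivery timestamp and the raw body and emits it as a t=...,v1=... header value, and the receiver rejects stale timestamps and compares the MAC in constant time over the bytes it actually received. The header layout, secret, event body and retry schedule are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// computeMAC returns HMAC-SHA256(secret, "<unix-ts>.<body>"). Folding the timestamp into the MAC
// means a receiver that enforces a freshness window cannot be replayed with an old capture.
func computeMAC(secret []byte, ts string, body []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(ts))
	mac.Write([]byte("."))
	mac.Write(body)
	return mac.Sum(nil)
}

// SignPayload builds the signature header value "t=<unix>,v1=<hex>" for an outbound delivery.
// The t=/v1= layout is an assumption of this example, not a documented format.
func SignPayload(secret, body []byte, sentAt time.Time) string {
	ts := strconv.FormatInt(sentAt.Unix(), 10)
	return "t=" + ts + ",v1=" + hex.EncodeToString(computeMAC(secret, ts, body))
}

// VerifyPayload is the receiver side: parse the header, reject stale timestamps, recompute the MAC
// over the raw bytes received (never over a re-serialised JSON object), compare in constant time.
func VerifyPayload(secret, body []byte, header string, now time.Time, tolerance time.Duration) error {
	var ts string
	var sig []byte
	for _, kv := range strings.Split(header, ",") {
		k, v, ok := strings.Cut(strings.TrimSpace(kv), "=")
		if !ok {
			return errors.New("malformed signature header")
		}
		switch k {
		case "t":
			ts = v
		case "v1":
			b, err := hex.DecodeString(v)
			if err != nil {
				return errors.New("malformed signature")
			}
			sig = b
		}
	}
	unix, err := strconv.ParseInt(ts, 10, 64)
	if err != nil || sig == nil {
		return errors.New("missing timestamp or signature")
	}
	if age := now.Sub(time.Unix(unix, 0)); age > tolerance || age < -tolerance {
		return errors.New("timestamp outside tolerance")
	}
	if !hmac.Equal(sig, computeMAC(secret, ts, body)) { // constant-time compare
		return errors.New("signature mismatch")
	}
	return nil
}

// RetryDelay is the wait before retry `attempt` (0-based): base doubled per attempt, capped at max.
// Add random jitter at the call site so a burst of failed deliveries does not retry in lockstep.
func RetryDelay(attempt int, base, max time.Duration) time.Duration {
	d := base
	for i := 0; i < attempt && d < max; i++ {
		d *= 2
	}
	if d > max {
		d = max
	}
	return d
}

func main() {
	secret := []byte("whsec_constructed_example") // constructed; real secrets are per endpoint
	body := []byte(`{"event":"employee.updated","id":"evt_1"}`)
	sentAt := time.Now()
	header := SignPayload(secret, body, sentAt)
	fmt.Println("header:", header)
	fmt.Println("fresh, untouched:", VerifyPayload(secret, body, header, time.Now(), 5*time.Minute))
	fmt.Println("tampered body:   ", VerifyPayload(secret, []byte(`{"event":"employee.deleted"}`), header, time.Now(), 5*time.Minute))
	fmt.Println("replayed later:  ", VerifyPayload(secret, body, header, sentAt.Add(time.Hour), 5*time.Minute))
	for a := 0; a < 5; a++ {
		fmt.Printf("retry %d after %v\n", a+1, RetryDelay(a, 2*time.Second, time.Minute))
	}
}
```

The freshness window bounds replay but does not eliminate it inside the window; a receiver that must be exactly-once should also record the event id it has already processed. On the sending side, a retry schedule such as the one above only helps if the receiver treats redeliveries as idempotent.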
Responsible Disclosure
We take security reports seriously. If you discover a vulnerability in OfficeBlink, please share your findings with us. We commit to acknowledging reports within 48 hours and resolving critical issues within 14 days.
[email protected]
Have specific security requirements? Let's talk.
Our security team is available for enterprise security reviews, penetration test documentation, and custom DPAs.
