Section 01
Our posture
Ongoing is a small team operating production infrastructure for paying customers. We take security seriously and we’re direct about where we are: strong foundations in place, a short and clear roadmap of what’s coming next, and no claims to maturity we don’t yet have.
Most of what the substrate stores is public ecommerce data. The information that needs the most protection is your account, your billing data, and the configuration you keep inside your organization.
Section 02
Infrastructure
The application runs on managed platforms with hardened baselines:
- Application — Laravel Cloud (web, queues, scheduler, workers).
- Marketing site — Vercel.
- Database — DigitalOcean Managed Postgres with daily backups and point-in-time recovery.
- Object storage — DigitalOcean Spaces for raw collection artifacts and other operational outputs.
- Sibling services — isolated microservices for collection, detection, and enrichment; cross-service auth is by shared secrets, never anonymous.
Section 03
Data protection
- In transit. TLS 1.2+ on every public surface (marketing site, dashboard, API, MCP server).
- At rest. Disk-level encryption on the managed database and on object storage, provided by the platforms.
- Secrets. Application secrets, API keys, and cross-service tokens live in the platforms’ secret stores, never in source.
- Payments. Card data is handled by Stripe. Ongoing never sees or stores your full card number.
- Passwords. Hashed with a modern adaptive algorithm, never stored in plain text.
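To make the password item concrete, here is an added example (not Ongoing's own code) of salted, adaptive password hashing using hashlib.scrypt from the Python standard library. The algorithm and work parameters Ongoing actually uses are not stated on this page; scrypt with n=2^14, r=8, p=1 is an assumption chosen for illustration.

```python
"""Salted adaptive password hashing with scrypt (added example, not Ongoing's code).

Shows what "hashed with a modern adaptive algorithm, never stored in plain text"
means in practice: a random per-password salt, tunable work parameters stored
alongside the hash, and constant-time verification.
"""
import base64
import hashlib
import hmac
import secrets

# Constructed work parameters (assumption, not the product's values).
# n is the CPU/memory cost and must be a power of two; each hash needs
# 128 * n * r bytes of memory, i.e. 16 MiB with these settings.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, parameters, salt and digest."""
    salt = secrets.token_bytes(16)  # fresh salt per password, so equal passwords hash differently
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return "$".join([
        "scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time.

    Anything that is not a well-formed scrypt record (for example a plain-text
    password that slipped into the column) is rejected rather than compared.
    """
    try:
        algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=int(n), r=int(r), p=int(p), dklen=len(expected),
    )
    return hmac.compare_digest(candidate, expected)
```

Storing the parameters in the record is what lets the cost be raised later: new hashes use the higher values, and old records still verify with the values they were created under.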
Section 04
Access control
- Least privilege. Only the team members who need production access have it, and only to the surfaces they need.
- SSO + 2FA on the platforms that host production (cloud providers, payment processor, source control).
- Organization scoping. Ongoing accounts authenticate users; organizations subscribe and own access; memberships authorize what each user can see and do.
- API keys are scoped to an organization and can be revoked individually.
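The organization-scoping model above (accounts authenticate, organizations own access, memberships authorize, API keys bound to one organization and revocable one at a time) as an added example in Python. This is illustrative code, not Ongoing's implementation; the role names, permission strings and key format are assumptions, and the data is constructed.

```python
"""Organization-scoped authorization and API keys (added example, not Ongoing's code).

Deny by default: a user with no membership in an organization has no rights
there, whatever roles they hold elsewhere. API keys resolve to exactly one
organization, only a digest of each key is stored, and keys are revoked
individually without touching the others.
"""
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed role -> permission mapping (assumption; the product's roles are not on the page).
ROLE_PERMISSIONS = {
    "owner": {"org.read", "org.manage", "keys.issue", "keys.revoke"},
    "member": {"org.read"},
}


@dataclass
class ApiKey:
    org_id: int
    digest: str  # sha256 of the plaintext key; the plaintext itself is never stored
    revoked: bool = False


@dataclass
class AccessControl:
    memberships: dict = field(default_factory=dict)  # (user_id, org_id) -> role
    api_keys: dict = field(default_factory=dict)     # key_id -> ApiKey
    by_digest: dict = field(default_factory=dict)    # digest -> key_id

    def add_member(self, user_id: int, org_id: int, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.memberships[(user_id, org_id)] = role

    def authorize(self, user_id: int, org_id: int, permission: str) -> bool:
        """True only if the user holds a membership in *this* org that grants the permission."""
        role = self.memberships.get((user_id, org_id))
        if role is None:
            return False
        return permission in ROLE_PERMISSIONS[role]

    def issue_api_key(self, actor_id: int, org_id: int) -> tuple:
        """Return (key_id, plaintext). The plaintext is shown once; only its digest persists."""
        if not self.authorize(actor_id, org_id, "keys.issue"):
            raise PermissionError("actor may not issue keys for this organization")
        key_id = "key_" + secrets.token_hex(4)  # constructed id format
        plaintext = secrets.token_urlsafe(32)
        digest = hashlib.sha256(plaintext.encode("utf-8")).hexdigest()
        self.api_keys[key_id] = ApiKey(org_id=org_id, digest=digest)
        self.by_digest[digest] = key_id
        return key_id, plaintext

    def revoke_api_key(self, actor_id: int, key_id: str) -> None:
        """Revoke one key; the actor must be authorized in the key's own organization."""
        key = self.api_keys[key_id]
        if not self.authorize(actor_id, key.org_id, "keys.revoke"):
            raise PermissionError("actor may not revoke keys for this organization")
        key.revoked = True

    def authenticate_api_key(self, plaintext: str):
        """Resolve a presented key to its organization id, or None if unknown or revoked."""
        digest = hashlib.sha256(plaintext.encode("utf-8")).hexdigest()
        key_id = self.by_digest.get(digest)
        if key_id is None or self.api_keys[key_id].revoked:
            return None
        return self.api_keys[key_id].org_id
```

Looking keys up by digest of a high-entropy random token is the usual pattern for API keys: a database dump exposes no usable credentials, and revocation is a flag on one row rather than a rotation for everyone.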
Section 05
Logging & monitoring
We log application requests, queue activity, job failures, and authentication events. Error tracking and uptime monitoring run continuously; on-call notifications fire on production regressions. Logs and telemetry are retained for a rolling window measured in months — long enough to investigate incidents, short enough to keep blast radius small.
Section 06
Vendors
The vendors below are part of how we deliver the Service. Where applicable, they process data under their respective data-processing terms, security terms, or service agreements, and they’re selected for the maturity of their security posture.
- Stripe — payments and subscriptions.
- Vercel — marketing-site hosting and edge delivery.
- Laravel Cloud — application hosting, queues, scheduler.
- DigitalOcean — managed Postgres, object storage, compute.
- Google Analytics — aggregate traffic measurement on the marketing site.
- Anthropic, OpenAI — model providers used to enrich and classify substrate inputs.
Section 07
Compliance
We are not currently SOC 2, ISO 27001, or HIPAA certified. We’re a small team and we believe in being direct about that rather than implying certifications we don’t hold. As the company grows and customers ask for formal attestations, we’ll pursue them; until then, the practices on this page are how we operate.
For data-protection roles and choices, see our Privacy Policy.
Section 08
Responsible disclosure
If you believe you’ve found a security vulnerability in Ongoing, please email security@ongoing.ai with a description and reproduction steps. We’ll acknowledge within two business days.
We ask that you:
- Give us a reasonable window to triage and fix before public disclosure.
- Avoid accessing data that isn’t yours, modifying production data, or running denial-of-service tests.
- Not use the vulnerability for anything other than verifying it.
We don’t currently run a paid bounty program, but we credit researchers who report responsibly and we appreciate good-faith work.
Section 09
Contact
Security questions: security@ongoing.ai. Everything else: legal@ongoing.ai or the contact page.