Security Policy
Last updated: 5 April 2026
1. Our Commitment to Security
Oquilia is an informational and educational platform. We take the security of the data you provide seriously. We design our systems with the principle of minimal data collection — we ask for only what is necessary and store as little as possible. This page describes the technical and organisational measures we have in place to protect the Platform and its users.
2. Transport Security (HTTPS)
All communication between your browser and Oquilia's servers is encrypted using Transport Layer Security (TLS 1.2 or higher). HTTPS is enforced across the entire Platform. HTTP requests are automatically redirected to HTTPS. We use HTTP Strict Transport Security (HSTS) headers to instruct browsers to always connect to Oquilia over an encrypted connection.
Our TLS certificates are managed and automatically renewed through our hosting provider (Vercel), which uses industry-standard certificate authorities. Certificate expiry is monitored continuously to prevent any lapse in encryption coverage.
3. Data Encryption at Rest
Any user data stored by Oquilia — such as account credentials for signed-in users or saved calculation preferences — is stored in Supabase, our managed database and authentication provider. Supabase encrypts all data at rest using AES-256 encryption and runs on SOC 2 Type II certified cloud infrastructure. Supabase's security posture is documented at supabase.com/security.
4. What We Do Not Store
Oquilia is not a financial services platform and does not act as an intermediary for any financial transaction. Accordingly:
- We do not store bank account numbers, debit or credit card numbers, UPI IDs, IFSC codes, or any payment credentials.
- We do not store passwords for your bank, brokerage, insurance, or any other financial account.
- We do not access or link to your financial accounts in any way.
- Calculator inputs you enter (income, loan amount, investment figures) are processed locally in your browser and are not transmitted to or stored on our servers, unless you are a signed-in user who explicitly saves a calculation.
- We do not store Aadhaar numbers, PAN card numbers, passport details, or other government-issued identity document numbers.
5. Authentication Security
If you create an account on Oquilia, your password is never stored in plain text. We use Supabase Auth, which implements bcrypt password hashing with a high work factor. We support email-based magic link sign-in as an alternative to passwords. Session tokens are short-lived, cryptographically signed, and stored securely. We do not share authentication tokens or session identifiers with any third-party service.
6. Responsible Disclosure
We welcome and appreciate security researchers who identify and responsibly disclose vulnerabilities in the Oquilia Platform. If you believe you have discovered a security issue, please report it to us before making it public. We are committed to investigating every report and responding promptly.
To report a security vulnerability, email us at security@oquilia.com. Please include:
- A clear description of the vulnerability and its potential impact.
- Step-by-step instructions or a proof-of-concept sufficient to reproduce the issue.
- The URL or component of the Platform where the issue was found.
- Your contact details so we can follow up with you.
We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to investigate and resolve it (typically within 30 days). We will acknowledge your report within 5 business days and provide updates on our progress.
7. Bug Bounty
Oquilia does not currently operate a formal paid bug bounty programme. However, we recognise and appreciate researchers who identify valid vulnerabilities through responsible disclosure. For critical findings that lead to a confirmed fix, we will acknowledge contributors in our release notes (with their permission). We hope to launch a formal programme as the Platform grows. Watch this page for updates.
8. Scope of Responsible Disclosure
The following are in scope for responsible disclosure:
- oquilia.com and all subdomains
- Our public-facing API endpoints
- Authentication and session management vulnerabilities
- Data exposure or access control issues
- Cross-site scripting (XSS), SQL injection, and other injection flaws
Please do not conduct destructive testing (attempting to delete or corrupt data), perform denial-of-service attacks, or access other users' data beyond demonstrating a vulnerability with your own test account.
9. Contact
For security concerns, please contact security@oquilia.com. For general privacy questions, please contact privacy@oquilia.com.