OpenDM
Security

Your data is treated like ours.

OpenDM is built on infrastructure designed for security from the ground up. Here's exactly how we protect what you entrust to us.

Encryption

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). No exceptions.

Infrastructure

Hosted on Convex with automatic backups and geographic redundancy.

Access controls

Role-based permissions at every level — workspace, team, and agency.

No third-party tracking

No advertising pixels, no data sold to third parties, ever.

Security details

Last updated: March 30, 2026

Data encryption

All communications between your browser, OpenDM intake surfaces, and our backend are encrypted with TLS 1.2 or higher. Data stored in our Convex database is encrypted at rest using AES-256. Encryption keys are managed by our infrastructure provider and rotated regularly.

Infrastructure & hosting

OpenDM runs on Convex — a managed, real-time database platform with automatic backups, geographic redundancy, and SOC 2-aligned security practices. We do not manage our own servers, which eliminates an entire category of infrastructure vulnerability.

Authentication

User authentication is handled by Better Auth. Passwords are hashed with bcrypt and never stored in plaintext. We support email/password authentication with email verification required. Session tokens are rotated on login and invalidated on logout.

Access controls

  • Workspace-level isolation — no cross-workspace data access
  • Role-based permissions: Owner, Admin, Member per workspace
  • Agency plan isolation — each client workspace is fully isolated from others
  • Internal API functions are not publicly exposed
  • All Convex mutations require authentication and authorization checks

Payment security

We never store payment card information. Subscription billing is handled by Lemon Squeezy (PCI-DSS compliant). Paid DM payments are processed via Stripe Connect (PCI Level 1). OpenDM never touches raw card data.

Vulnerability disclosure

If you discover a security vulnerability in OpenDM, please report it responsibly to security@opendm.io. Include a description of the vulnerability, steps to reproduce, and potential impact. We will acknowledge your report within 48 hours and work to resolve confirmed issues promptly. We do not pursue legal action against good-faith security researchers.

Contact

Security questions or disclosures: security@opendm.io