opsmera
Sign inFree portfolio audit

Security Overview

Last updated June 2026

Opsmera holds sensitive information for strata and property operators - building records, lot owner and tenant contact details, committee decisions, and communications. We treat protecting it as core to the product. This page summarises how we do that. It is written to answer the questions a customer’s security review usually asks.

Australian data residency

Customer data is stored in Australia, in the AWS Asia Pacific (Sydney) region, via our database provider Supabase. Your portfolio data does not leave the country to be stored.

Encryption

  • In transit: all traffic is served over HTTPS/TLS.
  • At rest: databases and backups are encrypted using AES-256 by default.
  • Sensitive integration credentials and communications content are encrypted at the application layer.

Access control

  • Multi-tenant isolation: every record is scoped to its organisation with row-level security, so one customer can never see another's data.
  • Role-based access for the eight stakeholder roles, so people see only what their role allows.
  • Least-privilege access for our own team, with multi-factor authentication on administrative systems.

Authentication

User accounts are protected with modern authentication, strong password policies and leaked-password protection. Multi-factor authentication is available.

Backups and resilience

The database is backed up automatically, with point-in-time recovery available on production plans. Hosting runs on managed cloud infrastructure with high-availability characteristics.

Monitoring and audit trail

Sensitive actions are recorded in an immutable audit log - who did what, and when - which supports both compliance evidence and security investigations.

Communications and call recording

Where the email and call-handling features are used, content is encrypted, access-controlled and retained per policy. Call recording is handled in line with Australian state listening-devices and surveillance laws, with consent capture supported in the workflow.

Our infrastructure providers

We build on providers that maintain independent security certifications. Supabase (database, auth, on AWS) and Vercel (application hosting) each maintain SOC 2 Type 2 programs, and AWS underpins our Sydney data residency. We inherit the infrastructure controls these certifications cover.

Our compliance posture

Opsmera aligns its handling of personal information with the Australian Privacy Act and the Australian Privacy Principles. We are building to a SOC 2 / ISO 27001 readiness standard and will pursue formal certification as the business scales and customer requirements call for it. We are happy to complete vendor security questionnaires and to provide a Data Processing Addendum on request.

Responsible disclosure

If you believe you have found a security issue, please email hello@opsmera.com. We appreciate responsible disclosure and will respond promptly.