Third-party Services

Ouva relies on a handful of well-established third-party providers, each bringing its own security posture and published assurances. Across the board, each vendor supports TLS in transit, encryption at rest where applicable, and maintains a vulnerability-disclosure or bug-bounty program so security issues can be reported and resolved transparently.

Netlify

Netlify hosts the front-end and offers the same deployment platform used by organizations such as GitHub, Twilio, and Nike. Its public security center outlines the company’s SOC 2 reporting, incident-response process, and data-protection controls at netlify.com/security.

Supabase

Application data lives in Supabase, an open-source Postgres layer that now backs more than 180 000 projects. Supabase documents its encryption standards, role-based-access controls, and vulnerability-disclosure route at supabase.com/security, giving clear guidance on how tenant isolation and key management are handled.

Grafana

Operational metrics and logs are streamed to Grafana Cloud, a managed version of the open-source observability stack that is common across many Fortune 500 environments. Grafana publishes details of its SOC 2, ISO 27001, and intrusion-detection practices in the “Security” section of its documentation, providing transparency on how customer telemetry is stored and processed.

Plausible

For privacy-respecting product analytics, the system uses Plausible. This lightweight, GDPR-oriented tool—currently installed on more than 13 000 sites—eschews cookies and personal identifiers, and its privacy approach is fully documented at plausible.io/privacy.