§ Trust · Security & Penetration Testing

Security

Technical and organisational measures, penetration-test programme, coordinated vulnerability disclosure and incident-response commitments for the BondGovernance governance-infrastructure service.

§ 01

Purpose of this page

This page is maintained by OmhuAI AB to summarise the security posture of the BondGovernance governance-infrastructure service for professional counterparties, prospective customers and security researchers.

This page describes app-visible controls and provider-attested platform capabilities. It is not a certification and is not an independent assurance report.

§ 02

Architecture and trust boundaries

  • Frontend: TanStack Start on Cloudflare Workers (EU edge), TLS 1.2+ enforced.
  • Backend: Supabase Postgres + Auth + Storage, hosted in the EU (Frankfurt).
  • Deterministic compute: pure functions in TypeScript, no model-derived business decisions persisted without provenance.
  • Document extraction: Lovable AI Gateway → Gemini, EU region, no training on customer data.
  • Segregated production and preview environments.

§ 03

Technical and organisational measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 managed by provider).
  • Row-Level Security on all tenant-scoped tables.
  • Least-privilege service-role access; service-role key never exposed to the client bundle.
  • Authentication via Supabase Auth; MFA available; SAML SSO available on request.
  • Append-only audit log for authentication events, role changes and privileged actions.
  • Daily encrypted backups; documented restore procedure; point-in-time recovery.
  • Dependency vulnerability scanning on every release.
  • Security review checklist on each pull request touching auth or data access.

§ 04

Penetration testing

BondGovernance commissions independent penetration tests of the public web application and backend API on a recurring basis. The programme covers the OWASP ASVS L2 control set, authentication and session management, tenant isolation, server-function authorisation, and common web application weaknesses (OWASP Top 10).

Scope | Methodology | Cadence | Last test | Status
Web application (authenticated) | OWASP ASVS L2, grey-box | Annual | Scheduled Q4 2026 | Pending — first test
Backend API / server functions | OWASP API Security Top 10, grey-box | Annual | Scheduled Q4 2026 | Pending — first test
Tenant-isolation review (RLS) | Targeted assessment + automated probes | Per major release | Continuous (CI) | Active

A redacted summary letter of the most recent independent test is available to qualifying counterparties under NDA on request to security@bondgovernance.com.

§ 05

Coordinated vulnerability disclosure

We welcome reports from independent security researchers. Please disclose suspected vulnerabilities to security@bondgovernance.com with sufficient detail to reproduce.

  • We acknowledge receipt within 2 business days.
  • We provide a triage outcome within 10 business days.
  • We aim to remediate critical issues within 30 days.
  • We will credit researchers on request once a fix is deployed.

Please do not access data that is not your own, do not run denial-of-service tests, and do not test third-party providers in our supply chain.

§ 06

Incident response

We operate a documented incident-response plan with a named owner. Confirmed personal-data breaches are notified to affected controllers without undue delay and within 72 hours, in line with the obligations set out in our Data Processing Agreement.

§ 07

Contact