Security at OnboardingGenie
What this page covers, plainly.
OnboardingGenie is built for small and medium businesses. Our security posture is pragmatic, not enterprise-grade. This page describes what we actually do, what we inherit from Google Cloud, and what we don't yet have — so you can decide whether OnboardingGenie is the right fit for your situation.
Infrastructure
OnboardingGenie runs on Google Cloud Platform via Firebase. The application, database, authentication, and file storage all live in Google Cloud's nam5 multi-region — a North American multi-region with automatic replication across data centers in Iowa and South Carolina.
Google Cloud Platform holds SOC 2 Type II, SOC 3, ISO 27001, ISO 27017, ISO 27018, HIPAA (with BAA available to qualifying customers), PCI DSS, and FedRAMP certifications. OnboardingGenie does not independently hold any of these certifications. We rely on the underlying infrastructure for security and compliance posture; we do not represent that OnboardingGenie itself is certified.
Encryption
In transit: All connections to OnboardingGenie use HTTPS with TLS 1.2 or TLS 1.3, enforced by Firebase Hosting. Plain HTTP requests are redirected to HTTPS automatically.
At rest: All customer data — including form submissions, uploaded files, signature images, and generated PDFs — is encrypted at rest using AES-256, the default Firestore and Cloud Storage encryption standard.
Authentication and access control
OnboardingGenie uses Firebase Authentication for all admin sign-in. Two sign-in methods are supported:
- Email and password — passwords are hashed and never stored in plaintext.
- Google OAuth — for users who prefer to sign in with their Google account, which inherits Google's two-factor authentication if the user has it enabled.
Recipients of onboardings — the people you send invitations to — do not need an account. They access onboardings through one-time magic links sent via email. Magic links expire and can be regenerated by an admin if needed.
Within the application, every Firestore document is partitioned by organization ID. Multi-tenant separation is enforced by Firestore Security Rules at the database level — not just at the application layer — so cross-organization data access is structurally prevented even in the case of an application-layer bug.
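What organization-level partitioning in Firestore Security Rules can look like, as an added example; these are not OnboardingGenie's actual rules. The `organizations/{orgId}` path layout, the `orgId` custom auth claim, and the per-document `orgId` field are assumptions made for illustration.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumption: each admin's ID token carries a custom claim `orgId`
    // set server-side when the account is attached to an organization.
    function isOrgMember(orgId) {
      return request.auth != null
          && request.auth.token.orgId == orgId;
    }

    // Assumption: all tenant data lives under organizations/{orgId}/...
    // With rules_version 2 the recursive wildcard covers the organization
    // document itself and every nested subcollection.
    match /organizations/{orgId}/{document=**} {
      // Reads and deletes are allowed only inside the caller's own organization.
      allow read, delete: if isOrgMember(orgId);

      // Writes must also keep the stored orgId field equal to the path
      // segment, so a document cannot be relabelled into another tenant.
      allow create, update: if isOrgMember(orgId)
                            && request.resource.data.orgId == orgId;
    }

    // No other match block exists, so every other path is denied:
    // Firestore rules deny any request that no `allow` statement grants.
  }
}
```

Rules of this kind are evaluated on requests made through the client SDKs; server code that uses the Admin SDK is not evaluated against them and needs its own organization checks.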
Audit trail
Every meaningful action in OnboardingGenie is logged to an immutable activity log: every onboarding sent, every step completed, every template edit, every team member added or removed. Logs include the action, the actor (admin or recipient), and the timestamp.
Backups and recovery
Firestore Point-in-Time Recovery is enabled for the OnboardingGenie database, allowing restoration to any moment within the past seven days. In the event of accidental deletion, corruption, or other data loss, we can restore the database to its state at any second within that recovery window.
We do not publish a formal Recovery Time Objective (RTO) or Recovery Point Objective (RPO) commitment. For SMB use cases, our practical recovery is typically measured in hours, not days.
Who else has access to your data
OnboardingGenie uses the following third-party services. Each has its own security and privacy posture, which we encourage you to review:
- Google Cloud / Firebase — application hosting, database, authentication, file storage, and AI document processing (Vertex AI Gemini)
- Stripe — payment processing for paid subscriptions; Stripe is PCI DSS Level 1 certified
- Resend — transactional email delivery (welcome emails, magic links, lifecycle notifications)
We do not sell, rent, or share customer data with third parties for marketing or advertising purposes.
What we don't have
In the spirit of honest disclosure:
- No independent compliance certifications. We do not hold SOC 2, ISO 27001, HIPAA Business Associate Agreement, or other formal certifications. If your procurement process requires these, OnboardingGenie may not be the right fit today.
- No formal pen-testing engagements or bug bounty program. We rely on Google Cloud Platform's security posture and our own application-layer practices.
- No published Service Level Agreement (SLA). We aim for high availability, but we don't currently publish uptime guarantees or service credits.
- No 24/7 security operations center. Security incidents are handled by the founder during business hours, with monitoring alerts for after-hours emergencies.
These are deliberate choices appropriate to OnboardingGenie's stage and audience. As we grow, some of these may change.
Reporting a security issue
If you discover a security vulnerability or suspected data exposure in OnboardingGenie, please email security@onboardinggenie.com.
Please do not publicly disclose the issue until we've had a reasonable opportunity to investigate and respond. We will acknowledge your report within 2 business days.