Security & Data Handling Page
Last updated: 2 June 2026
1. Overview
OMVA uses technical and organisational safeguards to protect user, customer, payout, support, careers, and platform data.
2. Security practices
OMVA may use:
- secure hosting and infrastructure providers
- encrypted HTTPS connections
- Supabase authentication and database controls
- role-based access controls
- Row Level Security where implemented
- admin permission checks
- audit logs
- security headers
- cron secrets and server-only functions
- error redaction for sensitive fields
- no-store headers for private routes
- moderation and compliance workflows
3. Access controls
Access to customer, payout, admin, support, and careers data should be limited to authorised staff or service providers with a legitimate need.
Admin access, impersonation/mirror sessions, finance actions, moderation, payout actions, and customer support actions should be logged and role-limited.
4. Sensitive data
Payout/banking data, tenant-provided API keys, customer data, and resumes/CVs are sensitive and should be handled with strong access controls. Secrets should not be exposed in client bundles.
5. Upload security
File uploads should have appropriate file type limits, file size limits, scanning, private storage, and signed access controls where possible.
6. Incidents
If OMVA becomes aware of a security incident affecting personal information, OMVA will assess the incident and notify affected people or regulators where required by law.
7. User responsibilities
Users must use strong passwords, protect account access, avoid sharing credentials, and report suspected compromise to support@omva.co.nz.