Overview
OMB Cloud has been operating since 2012 and runs B2B customer data across México, España, the United States and Canada. Security and reliability are not features we layered on — they are constraints that shape every architectural decision. This page describes, in concrete terms, how we protect customer data.
Data encryption
All traffic to omb.cloud is served over TLS 1.3. HSTS is enabled with a one-year max-age and the preload directive. At rest, sensitive credentials (API keys, OAuth refresh tokens, payment-processor secrets) are encrypted with AES-256 before being written to the database. Database backups are stored encrypted.
Authentication and access control
Authentication uses bcrypt password hashing with rotating "remember-me" tokens (split selector/validator, constant-time compare). Sessions are scoped to the omb.cloud domain, marked Secure, HttpOnly and SameSite=Lax. We enforce role-based access control (RBAC) layered with a granular permissions matrix, so admins can fine-tune what each role can see and do.
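The split selector/validator scheme described above, as an added Python example (not OMB Cloud's code): the selector is a non-secret lookup key, only a hash of the validator is stored, the comparison is constant-time, and each successful use rotates the token. The in-memory STORE, the function names, the use of SHA-256 for the validator and the revoke-on-mismatch behaviour are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Assumed stand-in for a remember-me table: selector -> (validator_hash, user_id)
STORE = {}


def hash_validator(validator: str) -> bytes:
    # The validator is 256 bits of CSPRNG output, so a fast hash is adequate
    # (unlike passwords, which need a slow hash such as bcrypt).
    return hashlib.sha256(validator.encode()).digest()


def issue(user_id: int) -> str:
    """Create a cookie value; only the validator's hash is kept server-side."""
    selector = secrets.token_urlsafe(12)   # non-secret, indexed lookup key
    validator = secrets.token_urlsafe(32)  # secret half, never stored in clear
    STORE[selector] = (hash_validator(validator), user_id)
    return f"{selector}:{validator}"


def redeem(cookie: str):
    """Return (user_id, new_cookie) on success, else None. Rotates on each use."""
    selector, sep, validator = cookie.partition(":")
    if not sep:
        return None
    row = STORE.get(selector)  # lookup uses the selector only, so no timing
    if row is None:            # signal about the secret leaks from the query
        return None
    stored_hash, user_id = row
    # Constant-time comparison of the secret half.
    if not hmac.compare_digest(stored_hash, hash_validator(validator)):
        # Known selector with a wrong validator: revoke the token outright.
        del STORE[selector]
        return None
    del STORE[selector]        # single use: the old token is dead from here on
    return user_id, issue(user_id)
```

Because the old row is deleted before the replacement is issued, a copied cookie stops working as soon as the legitimate browser redeems it, or the reverse, which surfaces as an unexpected logout.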
Multi-tenant isolation
OMB Cloud is multi-tenant by design. Every domain table carries a tenant_id and every read/write is scoped by the active tenant. Super-admin impersonation is auditable: real_tenant_id is preserved alongside active_tenant_id for every action taken while impersonating.
Data residency and retention
Customer data is stored in our primary data centers. We retain operational data for the lifetime of the account and 30 additional days post-cancellation (the soft-delete TTL), after which it is permanently purged. Customers may request earlier deletion in writing.
Backup and disaster recovery
Daily database snapshots are retained with point-in-time recovery. Critical configuration is version-controlled. Our incident-response runbook commits to a 24-hour notification window for any breach affecting customer data.
Compliance
OMB Cloud is engineered to support GDPR (EU), LGPD (Brazil), CFDI 4.0 (México) and Facturae (España). SOC 2 Type II is in progress. We do not sell customer data, ever.
Reporting a vulnerability
Security researchers can report findings to security@omb.cloud. We acknowledge within 48 hours and credit researchers on resolution unless they prefer anonymity.