Mar 23, 2024

Application security

The Ottomatic engineering team strives to write secure code that aligns with industry best practice. We do peer reviews to ensure code quality and perform static code analysis to detect vulnerabilities that may exist in our dependencies.


Ottomatic user accounts have several options for authentication including; passwordless which is accessed via email, SAML or single sign-on with Google oAuth, and username/password access with strict password requirements.

Secure Access

Ottomatic requires HTTPS for access to our application, payment and invoice portals, support ticket portal, as well as APIs.


Ottomatic utilizes rotating key or OAUTH2 protocol to enforce secure access to our APIs.

Best practice security


Ottomatic is currently in the process of completing SOC 2 TYPE II certification. As of the writing of this document we have completed more than half the requirements of SOC 2. This certification provides assurance that we are operating at a level that is in compliance or better than the standards outlined by the American Institute of Certified Public Accountants (AICPA).


We process all payments through PCI compliant payment gateway partners such as Stripe. Ottomatic does not store credit card details or card holder information.


Ottomatic operates servers and infrastructure hosted on multiple cloud platforms including hyperscalers and smaller hyperscalers who are members of the Cloud 2.0 initiative.

Penetration Testing

We partner with a third party to scan all of our servers and infrastructure assets to search for common vulnerabilities as well as potential zero-day vulnerabilities. Remediation of critical findings is done in a timely manner.

Incident management

Ottomatic operates several systems to monitor the health of our service and detect incidents. If a security incident occurs, Ottomatic will notify all affected customers with undue delay.

Responsible disclosure

Please report any vulnerabilities to We will immediately assign a ticket id number for each report and a member of our engineering team will reply back within 1 business day.