OpenFence
Security & trust

Built to be verified, not trusted on faith.

OpenFence handles location data that turns into billing and legal evidence. Tenant isolation, signed and encrypted secrets, and an explainable audit trail aren't bolted on — they're how the platform is built. Below is exactly how, with the mechanisms you can check for yourself.

How OpenFence protects your data

Every claim below maps to a mechanism in the platform, not a policy statement. Where you can check it yourself, we link to how.

Tenant isolation, enforced by the database

PostgreSQL Row-Level Security (RLS) is applied at the session level on every tenant-scoped table — geofences, devices, events, rules, webhook subscriptions, dead-letters. A query can only ever see its own tenant's rows. Isolation is enforced by the database, not just by application code.

Signed webhooks with replay defense

Every delivery is signed with HMAC-SHA256 over the timestamp and the raw request body (X-OpenFence-Signature). Receivers verify byte-for-byte and reject anything outside a ±5-minute freshness window — replayed or tampered deliveries fail the check.

See the verification algorithm →
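A receiver-side check for the signed-webhook scheme described above, as an added example that is not OpenFence's own code. The page does not specify the wire format, so the message layout (`timestamp + "." + raw body`), the hex encoding, and the names `sign` and `verify` are assumptions; take the real layout from the linked verification algorithm and the published test vectors.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 5 * 60  # the ±5-minute freshness window from the page


def sign(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    # ASSUMED layout: hex(HMAC-SHA256(secret, timestamp + "." + raw_body)).
    message = timestamp.encode("ascii") + b"." + raw_body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(secret, timestamp, signature, raw_body, now=None):
    """Return (accepted, reason). raw_body must be the bytes exactly as
    received, not a parsed-and-re-serialized JSON object."""
    now = time.time() if now is None else now
    if not (isinstance(timestamp, str) and timestamp.isascii() and timestamp.isdigit()):
        return False, "bad_timestamp"
    if not (isinstance(signature, str) and signature.isascii()):
        return False, "bad_signature"
    expected = sign(secret, timestamp, raw_body)
    # Constant-time comparison. The timestamp is covered by the MAC, so a
    # replayed body carrying a refreshed timestamp fails here.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad_signature"
    # Freshness is checked on the authenticated timestamp.
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return False, "stale"
    return True, "ok"


# Constructed sample delivery (not real OpenFence data).
SECRET = b"constructed-demo-secret"
BODY = b'{"event":"geofence.enter","device":"dev_demo"}'
SENT_AT = "1750000000"
SIGNATURE = sign(SECRET, SENT_AT, BODY)

if __name__ == "__main__":
    t = int(SENT_AT)
    print(verify(SECRET, SENT_AT, SIGNATURE, BODY, now=t + 30))    # fresh
    print(verify(SECRET, SENT_AT, SIGNATURE, BODY, now=t + 600))   # replayed late
    print(verify(SECRET, str(t + 600), SIGNATURE, BODY, now=t + 600))  # timestamp swapped
    print(verify(SECRET, SENT_AT, SIGNATURE, BODY.replace(b":", b": "), now=t + 30))  # re-serialized
```

The last case is the one that most often breaks real receivers: a framework that parses the JSON and hands back a re-encoded body changes the bytes, so the signature no longer matches.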

Signing secrets encrypted at rest

Per-tenant webhook signing secrets are encrypted at rest with AES-256-GCM — authenticated encryption with a fresh random nonce per write. The plaintext secret is never stored in the database.

Credentials are hashed, never plaintext

API keys and admin credentials are stored only as salted bcrypt hashes — the raw key is shown to you exactly once and never persisted. A leaked database row yields no usable key.

Durable, inspectable delivery

A transactional outbox enqueues every detected event durably; failed webhooks retry with backoff and land in a dead-letter store rather than vanishing. Every attempt is logged and inspectable — nothing is silently dropped.

Explainable end-to-end

Every rule match and skip carries reason codes and a full evaluation trace. You — and our support team — can always answer "why did this fire, or why didn't it?" without guessing. Auditability is a first-class product surface.

Encrypted in transit

All API requests and webhook deliveries travel over TLS / HTTPS. Your devices and your receiver never talk to OpenFence in the clear.

Backed up off-site

Tenant data is protected by automated database backups with off-site retention, so it survives an infrastructure failure — not just day-to-day operation.

Don't take our word for any of it

OpenFence ships a generator-backed test-vectors fixture with every release. Pin your receiver against the same JSON we sign against — if our signing helper ever drifts, your tests break loud. The security claims above are the ones you can hold us to byte-for-byte.

Responsible disclosure

Found a vulnerability? We want to hear about it. Email hello@openfence.ai with the details and steps to reproduce. We read every report, will work with you on a fix and a coordinated disclosure timeline, and we won't pursue action against good-faith research that respects our users' data and avoids privacy violations or service disruption.

Data handling & compliance

OpenFence is operated by WDA Systems. Here's exactly what governs your data — and how to get whatever your procurement process needs.

Where your data lives
Tenant data — geofences, devices, events — is stored and primarily processed in the United States (Hetzner). Content delivery and DDoS protection run on Cloudflare's global edge, and encrypted backups are held off-site with Cloudflare R2. Encrypted in transit over TLS; webhook signing secrets encrypted at rest with AES-256-GCM; API keys stored only as salted bcrypt hashes, never in plaintext.
Subprocessors
Hetzner (hosting & database), Cloudflare (network, edge delivery, off-site backups), Stripe (billing), Resend (transactional email), and Anthropic (only when you use AI diagnostics — the webhook facts being explained). We don't sell or share tenant data beyond these. List current as of June 2026.
Retention & deletion
Automated, encrypted off-site backups. After cancellation we retain your data for a limited reactivation window (up to 90 days), after which the tenant and its data are permanently deleted from our active systems; backups then age out on their own schedule. Need earlier deletion? Just ask.
DPAs & security reviews
Need a data-processing agreement, a security questionnaire, or a deeper look at our practices? Contact us and we'll work through your requirements directly.

Build on a platform you can audit.

Spin up a tenant, define a geofence, and receive your first signed webhook in minutes — on the same isolated, explainable, verifiable contract described above.