OpenFence handles location data that turns into billing and legal evidence. Tenant isolation, signed and encrypted secrets, and an explainable audit trail aren't bolted on — they're how the platform is built. Below is exactly how, with the mechanisms you can check for yourself.
Every claim below maps to a mechanism in the platform, not a policy statement. Where you can check it yourself, we link to how.
PostgreSQL Row-Level Security (RLS) is applied at the session level on every tenant-scoped table — geofences, devices, events, rules, webhook subscriptions, dead-letters. A query can only ever see its own tenant's rows. Isolation is enforced by the database, not just by application code.
Every delivery is signed with HMAC-SHA256 over the timestamp and the raw request body (X-OpenFence-Signature). Receivers verify byte-for-byte and reject anything outside a ±5-minute freshness window — replayed or tampered deliveries fail the check.
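A receiver-side check matching the description above, as an added example rather than OpenFence's own code. The page does not give the wire format, so the `"<timestamp>." + raw body` message layout, the hex encoding, how the timestamp reaches the receiver, and all function names are assumptions; confirm the real layout against the published test vectors.

```python
import hashlib
import hmac
import time

FRESHNESS_WINDOW_SECONDS = 5 * 60  # the ±5-minute window stated above


def sign(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    # ASSUMPTION: message layout "<timestamp>." + raw body, hex-encoded digest.
    message = timestamp.encode("ascii") + b"." + raw_body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_delivery(secret, timestamp, signature, raw_body, now=None):
    """Return (ok, reason). raw_body must be the bytes as received,
    not a re-serialised JSON object, or the byte-for-byte check fails."""
    now = time.time() if now is None else now
    # Accept only plain ASCII digits so the value can be re-encoded safely.
    if not (isinstance(timestamp, str) and timestamp.isascii() and timestamp.isdigit()):
        return False, "bad_timestamp"
    # Reject deliveries too old (replay) or too far in the future (clock abuse).
    if abs(now - int(timestamp)) > FRESHNESS_WINDOW_SECONDS:
        return False, "stale"
    expected = sign(secret, timestamp, raw_body).encode("ascii")
    supplied = (signature or "").encode("utf-8")
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(expected, supplied):
        return False, "bad_signature"
    return True, "ok"


# Constructed sample delivery (not real OpenFence data).
SAMPLE_SECRET = b"constructed-test-secret"
SAMPLE_BODY = b'{"event":"geofence.enter","device_id":"dev-1"}'
SAMPLE_TS = "1700000000"
SAMPLE_SIG = sign(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_BODY)

if __name__ == "__main__":
    at = int(SAMPLE_TS)
    print(verify_delivery(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_SIG, SAMPLE_BODY, now=at))
    print(verify_delivery(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_SIG, SAMPLE_BODY, now=at + 600))
    print(verify_delivery(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_SIG, SAMPLE_BODY + b" ", now=at))
```

Because the timestamp is inside the signed message, changing it to make an old delivery look fresh invalidates the signature, which is why both checks are needed.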
Per-tenant webhook signing secrets are encrypted at rest with AES-256-GCM — authenticated encryption with a fresh random nonce per write. The plaintext secret is never stored in the database.
API keys and admin credentials are stored only as salted bcrypt hashes — the raw key is shown to you exactly once and never persisted. A leaked database row yields no usable key.
A transactional outbox enqueues every detected event durably; failed webhooks retry with backoff and land in a dead-letter store rather than vanishing. Every attempt is logged and inspectable — nothing is silently dropped.
Every rule match and skip carries reason codes and a full evaluation trace. You — and our support team — can always answer "why did this fire, or why didn't it?" without guessing. Auditability is a first-class product surface.
All API requests and webhook deliveries travel over TLS / HTTPS. Your devices and your receiver never talk to OpenFence in the clear.
Tenant data is protected by automated database backups with off-site retention, so it survives an infrastructure failure — not just day-to-day operation.
OpenFence ships a generator-backed test-vectors fixture with every release. Pin your receiver against the same JSON we sign against — if our signing helper ever drifts, your tests break loud. The security claims above are the ones you can hold us to byte-for-byte.
Found a vulnerability? We want to hear about it. Email hello@openfence.ai with the details and steps to reproduce. We read every report, will work with you on a fix and a coordinated disclosure timeline, and we won't pursue action against good-faith research that respects our users' data and avoids privacy violations or service disruption.
OpenFence is operated by WDA Systems. Here's exactly what governs your data — and how to get whatever your procurement process needs.
Spin up a tenant, define a geofence, and receive your first signed webhook in minutes — on the same isolated, explainable, verifiable contract described above.