Security
How Omnithium protects your data and the platform.
Last updated: May 1, 2026
Security is a foundational principle at Omnithium — not an afterthought. We apply defense-in-depth across our infrastructure, application layer, and organizational processes. This page describes our security posture and how to report vulnerabilities.
Compliance and Certifications
- SOC 2 Type II: Annual audit covering security, availability, and confidentiality trust service criteria
- ISO 27001: Information security management system certification
- GDPR: Compliance for EU/EEA data subjects; a Data Processing Agreement (DPA) is available on request
- HIPAA: Business Associate Agreements available for eligible customers on Enterprise plans
- CSA STAR Level 2: Cloud Security Alliance attestation
Current compliance reports are available to Enterprise customers under NDA. Contact security@omnithium.ai to request a copy.
Infrastructure Security
Cloud Infrastructure
- Hosted on AWS in us-east-1 and eu-west-1, with cross-region replication for Enterprise tenants
- All environments (dev, staging, production) are fully isolated with separate AWS accounts
- Network segmentation via VPCs, private subnets, and security groups following least-privilege principles
- All compute runs in isolated, ephemeral containers that hold no persistent state
- DDoS protection via AWS Shield Advanced and Cloudflare WAF
Encryption
- In transit: TLS 1.3 enforced on all endpoints; older protocols rejected
- At rest: AES-256 encryption for all data stores, with per-tenant encryption keys for Enterprise tenants
- Key management: AWS KMS with automatic rotation; Vault for application-layer secrets
- Database encryption: Transparent data encryption on all RDS instances
Access Controls
- Zero-trust network architecture — no implicit trust, all access verified
- Multi-factor authentication required for all Omnithium employees accessing production systems
- Role-based access control (RBAC) with principle of least privilege enforced across all systems
- Privileged access management (PAM) with session recording for sensitive operations
- Quarterly access reviews for all production systems
Application Security
- Secure SDLC: Security requirements integrated from design through deployment
- Code review: All code changes require peer review and automated security scanning (static application security testing, SAST, and software composition analysis, SCA)
- Dependency scanning: Automated vulnerability scanning of third-party dependencies on every build
- Container scanning: All container images scanned before deployment
- Secrets scanning: Pre-commit hooks and CI/CD pipeline checks for accidental credential exposure
- API security: Rate limiting, authentication on all endpoints, input validation, and output sanitization
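The secrets-scanning bullet above describes a control, not a tool. As an added illustration of what such a CI check does (this is example code written for this page, not Omnithium's tooling), the following scans the added lines of a unified diff for two kinds of signal: fixed-format credentials such as AWS access key IDs, which are 20 characters starting with AKIA or ASIA, and keyword assignments (`password = ...`, `api_key = ...`) whose value has high Shannon entropy. The rule set, the 3.5 bits-per-character threshold, and the sample diff (which uses AWS's documented placeholder key) are assumptions chosen for illustration.

```python
"""Minimal secret scanner for the added lines of a unified diff.

Added example for this page, not Omnithium's tooling. The rule set, entropy
threshold and sample diff are assumptions chosen for illustration.
"""
import math
import re
from collections import Counter

# Rules that fire on any match: well-known fixed credential formats.
FIXED_FORMAT_RULES = {
    # AWS access key IDs: 20 chars, AKIA (long-term) or ASIA (temporary) prefix.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
# Keyword assignments only fire when the assigned value looks random,
# so placeholders like "changeme" do not produce noise.
ASSIGNMENT_RULE = re.compile(
    r"(?i)\b(?:secret|token|password|passwd|api_key|apikey)\b"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption, tune on your own repo

# Constructed sample diff (AKIAIOSFODNN7EXAMPLE is AWS's documented example key).
SAMPLE_DIFF = (
    "diff --git a/config/settings.py b/config/settings.py\n"
    "--- a/config/settings.py\n"
    "+++ b/config/settings.py\n"
    "@@ -1,4 +1,6 @@\n"
    " import os\n"
    "-AWS_ACCESS_KEY_ID = os.environ[\"AWS_ACCESS_KEY_ID\"]\n"
    "+AWS_ACCESS_KEY_ID = \"AKIAIOSFODNN7EXAMPLE\"\n"
    "+api_key = \"k9Zt3QpL7vXe2RmW8cBn4JyF\"\n"
    "+password = \"changeme_changeme_changeme\"\n"
    " DEBUG = False\n"
)


def shannon_entropy(value: str) -> float:
    """Bits per character of the value's character distribution."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_diff(diff_text: str) -> list[dict]:
    """Return findings for added lines, numbered by their line in the new file."""
    findings = []
    new_line = 0
    in_hunk = False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):
            in_hunk = False
            continue
        if raw.startswith("@@"):
            # "@@ -a,b +c,d @@": c is the first new-file line of this hunk.
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            new_line = int(m.group(1)) if m else 0
            in_hunk = True
            continue
        if not in_hunk or raw.startswith("\\"):
            continue  # file headers (---/+++), preamble, "\ No newline" markers
        if raw.startswith("-"):
            continue  # removed lines are not in the new file and do not advance it
        if raw.startswith("+"):
            content = raw[1:]
            for rule, pattern in FIXED_FORMAT_RULES.items():
                if pattern.search(content):
                    findings.append({"line": new_line, "rule": rule,
                                     "text": content.strip()})
                    break
            else:
                m = ASSIGNMENT_RULE.search(content)
                if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                    findings.append({"line": new_line,
                                     "rule": "high_entropy_assignment",
                                     "text": content.strip()})
        new_line += 1  # context and added lines both advance the new-file counter
    return findings


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"settings.py:{f['line']}: {f['rule']}: {f['text']}")
```

Run as a pre-commit hook, the scanner would block the first two added lines (the hard-coded AWS key and the random-looking API key) while letting the low-entropy `changeme` placeholder through. Removed lines are deliberately ignored, since a secret being deleted is not a new exposure, though it should still be rotated.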
Data Isolation
Omnithium uses logical data isolation by default: every record carries your tenant ID, and access controls at both the application and database layers reject reads and writes that cross tenant boundaries. Enterprise customers can opt for physical data isolation with dedicated database clusters and compute environments.
AI model inputs and outputs are never shared across tenants and are not used to train foundation models without explicit opt-in consent.
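To make the application-layer half of that isolation concrete, here is an added example (written for this page, not Omnithium's code) showing the bug that logical isolation must prevent beside the hardened form. The table layout, tenant IDs and sample rows are constructed. The insecure repository authenticates the caller but looks rows up by a global id alone, so a tenant-a user who increments an id reads tenant-b's row (an insecure direct object reference). The tenant-scoped repository adds the caller's tenant ID as a predicate on every read and write, and returns the same result for a foreign row as for a nonexistent one so that responses do not act as an oracle for other tenants' ids.

```python
"""Tenant-scoped data access: the cross-tenant lookup bug beside its fix.

Added example for this page, not Omnithium's code. Table layout, tenant IDs
and sample rows are constructed for illustration.
"""
import sqlite3
from typing import Optional


def build_sample_db() -> sqlite3.Connection:
    """In-memory database with rows from two tenants, each tagged with tenant_id."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE documents ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL)"
    )
    conn.execute("CREATE INDEX idx_documents_tenant ON documents (tenant_id)")
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?, ?)",
        [(1, "tenant-a", "Q3 roadmap"),
         (2, "tenant-b", "Payroll export"),
         (3, "tenant-a", "Onboarding checklist")],
    )
    conn.commit()
    return conn


class InsecureDocumentRepo:
    """Knows who the caller is but never uses it: lookup is by global id only.

    An authenticated tenant-a user who guesses id 2 reads tenant-b's row.
    """

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def get(self, caller_tenant: str, doc_id: int) -> Optional[dict]:
        row = self.conn.execute(
            "SELECT id, tenant_id, title FROM documents WHERE id = ?", (doc_id,)
        ).fetchone()
        return dict(row) if row else None


class TenantScopedDocumentRepo:
    """Every statement carries the caller's tenant_id as a predicate.

    A foreign row and a nonexistent row both yield None / False, so the API
    does not reveal whether an id exists in another tenant.
    """

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def get(self, caller_tenant: str, doc_id: int) -> Optional[dict]:
        row = self.conn.execute(
            "SELECT id, tenant_id, title FROM documents"
            " WHERE id = ? AND tenant_id = ?",
            (doc_id, caller_tenant),
        ).fetchone()
        return dict(row) if row else None

    def list_for_tenant(self, caller_tenant: str) -> list[dict]:
        rows = self.conn.execute(
            "SELECT id, tenant_id, title FROM documents"
            " WHERE tenant_id = ? ORDER BY id",
            (caller_tenant,),
        ).fetchall()
        return [dict(r) for r in rows]

    def rename(self, caller_tenant: str, doc_id: int, new_title: str) -> bool:
        """Writes are scoped the same way; rowcount shows whether anything changed."""
        cur = self.conn.execute(
            "UPDATE documents SET title = ? WHERE id = ? AND tenant_id = ?",
            (new_title, doc_id, caller_tenant),
        )
        self.conn.commit()
        return cur.rowcount == 1


if __name__ == "__main__":
    conn = build_sample_db()
    leaked = InsecureDocumentRepo(conn).get("tenant-a", 2)
    print("insecure repo leaks:", leaked)
    scoped = TenantScopedDocumentRepo(conn)
    print("scoped repo, same request:", scoped.get("tenant-a", 2))
    print("scoped repo, own rows:", scoped.list_for_tenant("tenant-a"))
```

The database-layer half described above is the complement to this: with PostgreSQL, for example, row-level security policies keyed on a per-session tenant setting enforce the same predicate even if an application query forgets it. SQLite has no row-level security, so only the application layer is shown here.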
Monitoring and Incident Response
- 24/7 security monitoring via SIEM with automated alerting for anomalous events
- Full audit logging of all administrative actions, API calls, and authentication events
- Logs retained for 12 months with immutable storage to prevent tampering
- Incident response plan tested quarterly via tabletop exercises
- Customers are notified of security incidents affecting their data within 72 hours of our becoming aware of them, consistent with the GDPR breach-notification timeline (Article 33)
Penetration Testing
We conduct annual third-party penetration tests of our production environment covering network, application, and AI-specific attack vectors. We also maintain a continuous bug bounty program for ongoing security research. Enterprise customers may request a copy of the most recent penetration test executive summary.
Employee Security
- Background checks for all employees with access to production systems
- Security awareness training completed at onboarding and annually
- Device management (MDM) enforced on all employee devices
- Endpoint detection and response (EDR) on all corporate endpoints
- Confidentiality and data handling agreements signed by all personnel
Vulnerability Disclosure
We operate a responsible disclosure program. If you discover a security vulnerability in Omnithium's systems, please report it to security@omnithium.ai. Include a clear description of the vulnerability, steps to reproduce, and potential impact. We commit to:
- Acknowledging receipt within 24 hours
- Providing a status update within 5 business days
- Working with you to understand and remediate the issue before public disclosure
- Recognizing researchers in our Hall of Fame for valid, responsibly disclosed findings
Please do not access or modify user data, disrupt our services, or perform social engineering as part of your research. We follow a coordinated disclosure policy with a standard 90-day disclosure window.
Business Continuity
- Recovery Time Objective (RTO): 4 hours for critical systems
- Recovery Point Objective (RPO): 1 hour for transactional data
- Daily automated backups with point-in-time recovery for 30 days
- Business continuity plan reviewed and tested annually
- 99.9% uptime SLA for Growth and Enterprise plans (see status.omnithium.ai)
Contact
Security questions, incident reports, or compliance inquiries: security@omnithium.ai