Security

Your firm's confidential materials, engagement data, and the work product we produce are handled by Onyx Labs. We treat security as a core requirement, not an afterthought. Onyx Labs is operated by Onyx Management, LLC.

1. Data encryption

In transit

All data transmitted between your browser and our services is encrypted using TLS 1.2 or higher. Communications are enforced over HTTPS with HSTS and security headers enabled. We do not support plaintext HTTP connections.

At rest

Sensitive credentials (integration API keys, OAuth tokens, connector secrets) are encrypted at the application level. Data stored in our managed Postgres benefits from infrastructure-level encryption provided by our database host.

2. Infrastructure

• Hosted on cloud providers that maintain SOC 2 Type II certified data centers
• Provider-managed network isolation and security groups
• Managed database backups via our cloud database host
• Application-level rate limiting to mitigate abuse
• Infrastructure-as-code with version-controlled deployments
• Environment separation via configuration management

3. Access controls

• Least privilege: employee access to production systems follows the principle of least privilege, with multi-factor authentication required.
• Role-based access: access to data is scoped to what each person is authorized to see.
• Change control: changes to production code are made via pull request with mandatory reviewer approval and automated CI checks. Direct commits to production branches are blocked.
• Audit logging: permission changes are recorded in an append-only audit log; data-access events are logged with actor, timestamp, and lineage.
• Session management: secure session handling with configurable timeout policies.

4. Data processing and AI

• Data isolation: each client's data is logically isolated and is never accessible to, or commingled with, another client's.
• No model training on client data: your data is not used to train shared AI models. Foundation models are applied to your data, not trained on it.
• AI processing disclosure: drafting, classification, and reasoning features transmit data to Anthropic's Claude API (and optionally OpenAI). Their commercial API terms prohibit using customer data for model training.
• Approval gates: outputs intended for external use surface for human review before they are sent or published, unless you configure otherwise.
• Retention controls: you retain ownership of your data, and it can be exported or securely deleted upon request.

5. Data retention and deletion

• Active retention: data is retained for the duration of the engagement or applicable agreement.
• Export: you may request an export of your data at any time.
• Deletion: you may request account and data deletion at any time; deletion is performed within 30 days of request unless a legal hold applies.
• Backups: managed database backups are retained per our database host's standard policy, subject to the same isolation and access controls as production data.

6. Application security

• Secure development lifecycle with code reviews required on all changes
• Input validation via schema enforcement and parameterized queries
• Automated dependency vulnerability scanning in CI
• Content Security Policy (CSP), HSTS, and other security headers on all responses
• Structured error handling that does not expose implementation details

7. Subprocessors

We use a small number of trusted infrastructure and AI providers. A current subprocessor list and copies of executed Data Processing Agreements are available on request, and we provide reasonable advance notice of material changes.

• Vercel:application hosting and edge network
• Supabase:managed Postgres, auth, and storage
• Stripe:billing and payment processing where applicable
• Anthropic:AI drafting, classification, and reasoning via the Claude API
• OpenAI:optional AI fallback when configured
• Email and collaboration integrations:where you connect them (e.g., Microsoft Graph, Google APIs)

8. Incident response

• Customer notification within 72 hours of a confirmed data breach, in line with GDPR requirements
• Post-incident review and remediation
• Structured logging and audit trails to support investigation

9. Compliance

• SOC 2 Type II: our infrastructure and processes are designed to meet SOC 2 Trust Service Criteria for Security, Availability, and Confidentiality.
• GDPR: we support data subject rights including export (portability) and deletion (right to erasure).
• CCPA: we do not sell personal information; you can request data export and deletion at any time.

10. Responsible disclosure

We welcome responsible security research. If you discover a vulnerability, please report it to us with enough detail to reproduce the issue. We ask that you allow reasonable time for remediation before public disclosure, do not access or modify others' data, and do not disrupt service availability. We acknowledge receipt within 2 business days and provide an initial assessment within 5 business days.