Our Security Posture
Security is a first-class primitive at Olyxee. Our program covers infrastructure, application, data, and the AI lifecycle itself. We design defensively, default to least privilege, and assume that any layer can fail.
Defense in Depth
We operate multiple, independent layers of protection across our infrastructure, application, and data planes. No single control is relied upon for the security of customer data, and controls are continuously tested through automated assessments and red-team exercises.
Encryption
All customer data is encrypted in transit using TLS 1.2 or higher (TLS 1.3 preferred) and at rest using AES-256. Cryptographic keys are managed through hardened key management systems with strict access policies. Customer-managed keys (CMK) are available for enterprise deployments.
Identity and Access
Access to production systems is governed by strong identity controls:
• Single Sign-On (SSO) and SCIM provisioning
• Role-Based Access Control (RBAC) with least-privilege defaults
• Mandatory hardware-backed multi-factor authentication for personnel
• Short-lived credentials and just-in-time access for sensitive operations
• Comprehensive audit logging of all administrative actions
Infrastructure Security
Workloads run on hardened, isolated infrastructure with automated patching, vulnerability scanning, and immutable images. Network segmentation, private connectivity, and least-privilege firewall policies are enforced across all environments.
Monitoring and Response
Olyxee maintains continuous monitoring across logs, network telemetry, and runtime behavior. Security events are triaged 24/7 by an on-call response team. Incident response playbooks are tested regularly and customers are notified of incidents that materially affect their data, in line with contractual and legal obligations.
Application Security
Our software development lifecycle includes mandatory peer review, automated static and dynamic analysis, dependency scanning, and pre-deployment security gates. High-risk changes receive additional architectural review.
Data Handling
Customer data is segregated by tenant, encrypted, and accessed only as necessary to deliver the service. Production data is not used in development or test environments. Backups are encrypted and retention policies follow customer agreements and regulatory obligations.
AI Lifecycle Security
Models, prompts, and verification artifacts are treated as sensitive assets. We protect against model exfiltration, prompt injection, and unauthorized model modification through input validation, output verification (Ordo), provenance tracking, and access controls scoped to model artifacts.
Responsible Disclosure
We welcome reports from security researchers. If you believe you have found a vulnerability, please report it to security@olyxee.com. We commit to acknowledging reports promptly, working in good faith on remediation, and recognizing valid disclosures. Please act in good faith, avoid privacy violations, and do not disrupt our services.
Contact
Security inquiries: security@olyxee.com
Vulnerability reports: security@olyxee.com (PGP key on request)
Olyxee, Inc.
© 2026 All rights reserved.
OLX-SEC-001 · v2.0 · effective May 2026
