Security & Compliance

How OnionAI handles data, maintains audit trails, and how you can deploy and operate it in a secure, compliant way.

Data handling

Chat content and query inputs are processed to generate answers. When self-hosted, data is stored in your own database; otherwise it is stored in our infrastructure under the terms of your agreement. We do not use your security data for model training. Integration credentials (API keys, tokens) are encrypted at rest and transmitted only over TLS.

Audit logs

Actions such as sign-in, chat creation, and API calls can be written to audit logs with timestamp, user, and action type. Log retention and export depend on your plan and deployment. Use audit logs for compliance reviews and incident investigation.
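The kind of triage these logs support, as an added example that is not OnionAI's code: it assumes an audit export in JSON lines with the fields named above (timestamp, user, action type) plus a source IP, and the action names, field names and sample entries are constructed for illustration, not the product's real schema.

```python
"""Triage an audit log export for incident investigation.

Added example, not OnionAI's code. Assumes a JSON-lines export with
timestamp/user/action/ip fields; the schema and entries are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (assumed format): one JSON object per line.
SAMPLE_AUDIT_LOG = """\
{"timestamp": "2024-05-01T08:00:00Z", "user": "alice", "action": "sign_in", "ip": "203.0.113.10"}
{"timestamp": "2024-05-01T08:05:00Z", "user": "alice", "action": "chat_create", "ip": "203.0.113.10"}
{"timestamp": "2024-05-01T08:06:00Z", "user": "alice", "action": "api_call", "ip": "203.0.113.10"}
{"timestamp": "2024-05-01T08:06:30Z", "user": "alice", "action": "api_call", "ip": "198.51.100.7"}
{"timestamp": "2024-05-01T09:00:00Z", "user": "bob", "action": "sign_in_failed", "ip": "192.0.2.5"}
{"timestamp": "2024-05-01T09:00:10Z", "user": "bob", "action": "sign_in_failed", "ip": "192.0.2.5"}
{"timestamp": "2024-05-01T09:00:20Z", "user": "bob", "action": "sign_in_failed", "ip": "192.0.2.5"}
{"timestamp": "2024-05-01T09:00:30Z", "user": "bob", "action": "sign_in_failed", "ip": "192.0.2.5"}
{"timestamp": "2024-05-01T09:00:40Z", "user": "bob", "action": "sign_in_failed", "ip": "192.0.2.5"}
{"timestamp": "2024-05-01T09:00:50Z", "user": "bob", "action": "sign_in", "ip": "192.0.2.5"}
{"timestamp": "2024-05-01T10:00:00Z", "user": "carol", "action": "api_call", "ip": "203.0.113.99"}
"""


def parse_audit_log(text):
    """Parse JSON-lines entries into dicts with an aware datetime under 'ts'.
    Malformed lines raise rather than being skipped, so a truncated or
    tampered export is noticed. Entries are returned in timestamp order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        entries.append(e)
    entries.sort(key=lambda e: e["ts"])
    return entries


def find_credential_stuffing(entries, threshold=5, window=timedelta(minutes=5)):
    """Users with >= threshold failed sign-ins inside `window` followed by a
    successful sign-in: a burst of failures that then succeeds."""
    failures = defaultdict(list)
    flagged = set()
    for e in entries:
        if e["action"] == "sign_in_failed":
            failures[e["user"]].append(e["ts"])
        elif e["action"] == "sign_in":
            recent = [t for t in failures[e["user"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                flagged.add(e["user"])
            failures[e["user"]].clear()
    return sorted(flagged)


def find_api_calls_without_sign_in(entries):
    """Users making API calls with no earlier sign-in in the export: check
    which API key was used and whether it should still exist."""
    signed_in, flagged = set(), set()
    for e in entries:
        if e["action"] == "sign_in":
            signed_in.add(e["user"])
        elif e["action"] == "api_call" and e["user"] not in signed_in:
            flagged.add(e["user"])
    return sorted(flagged)


def find_multi_ip_users(entries, window=timedelta(minutes=10)):
    """Users whose consecutive actions come from different source IPs within
    `window`, a possible sign of a stolen session or key."""
    last_seen, flagged = {}, set()
    for e in entries:
        prev = last_seen.get(e["user"])
        if prev and prev[1] != e["ip"] and e["ts"] - prev[0] <= window:
            flagged.add(e["user"])
        last_seen[e["user"]] = (e["ts"], e["ip"])
    return sorted(flagged)


def triage(text):
    """Run all three checks over one export and return the flagged users."""
    entries = parse_audit_log(text)
    return {
        "credential_stuffing": find_credential_stuffing(entries),
        "api_without_sign_in": find_api_calls_without_sign_in(entries),
        "multi_ip": find_multi_ip_users(entries),
    }


if __name__ == "__main__":
    for finding, users in triage(SAMPLE_AUDIT_LOG).items():
        print(f"{finding}: {users}")
```

Each check is a single pass over time-ordered entries, so the same functions run unchanged over a multi-day export; tune the thresholds and windows to your own sign-in volume before treating a hit as an incident.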

Authentication and access

Access is gated by authentication (e.g. GitHub OAuth or SSO). Sessions are validated on each request. API access can be restricted to API keys with scoped permissions. See Authentication for details.
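What a scoped API key check looks like in practice, as an added example that is not OnionAI's implementation: the key prefix, scope names, the one implied-scope rule and the in-memory store are all assumptions made for illustration.

```python
"""Scoped API keys with least-privilege checks.

Added example, not OnionAI's code or API. Key format, scope vocabulary
and storage layout are assumptions for illustration.
"""
import hashlib
import secrets

# Assumed scope vocabulary. The only implication is the one listed here:
# a key that may write chats may also read them.
IMPLIED_SCOPES = {"chat:write": {"chat:read"}}


def _key_hash(key):
    # Only the hash is stored, so a leaked key table yields no usable keys.
    return hashlib.sha256(key.encode()).hexdigest()


class ApiKeyStore:
    """In-memory key table keyed by SHA-256 of the plaintext key."""

    def __init__(self):
        self._by_hash = {}

    def create(self, label, scopes):
        """Mint a key with exactly the scopes requested; the plaintext is
        returned once and never stored."""
        key = "oai_" + secrets.token_urlsafe(32)  # prefix is an assumption
        self._by_hash[_key_hash(key)] = {
            "label": label, "scopes": set(scopes), "revoked": False,
        }
        return key

    def revoke(self, key):
        rec = self._by_hash.get(_key_hash(key))
        if rec is not None:
            rec["revoked"] = True

    def lookup(self, key):
        rec = self._by_hash.get(_key_hash(key))
        if rec is None or rec["revoked"]:
            return None
        return rec


def effective_scopes(scopes):
    """Expand granted scopes with the ones they imply."""
    out = set(scopes)
    for s in scopes:
        out |= IMPLIED_SCOPES.get(s, set())
    return out


def authorize(store, key, required_scope):
    """Return (allowed, reason). Unknown, revoked and under-scoped keys are
    all denied; the reason is for the audit log, not the client response,
    so that a caller cannot tell a revoked key from a missing scope."""
    rec = store.lookup(key)
    if rec is None:
        return False, "unknown_or_revoked_key"
    if required_scope not in effective_scopes(rec["scopes"]):
        return False, "missing_scope:" + required_scope
    return True, rec["label"]


def demo():
    """Exercise the checks with two keys: a read-only one and a writer."""
    store = ApiKeyStore()
    reader = store.create("dashboard-readonly", ["chat:read"])
    writer = store.create("ingest-bot", ["chat:write"])
    results = {
        "reader_reads": authorize(store, reader, "chat:read")[0],
        "reader_writes": authorize(store, reader, "chat:write")[0],
        "writer_reads": authorize(store, writer, "chat:read")[0],
        "bogus_key": authorize(store, "oai_not-a-real-key", "chat:read")[0],
    }
    store.revoke(writer)
    results["writer_after_revoke"] = authorize(store, writer, "chat:write")[0]
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The point of the shape is that a key carries only the scopes it was minted with, every request re-checks the key (so revocation takes effect immediately rather than at session expiry), and the stored table contains hashes rather than the keys themselves.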

Deployment best practices

  • HTTPS only: Use TLS in production for all traffic.
  • Secrets: Store credentials and API keys in environment variables or a secret manager, never in source code or in configuration files committed to the repository.
  • Least privilege: Grant integrations and API keys only the permissions they need.
  • Updates: Keep the application and dependencies updated and patch known vulnerabilities promptly.

Reporting issues

If you believe you’ve found a security vulnerability, please report it to us responsibly (e.g. via a dedicated security contact or email). Do not disclose it publicly before we’ve had a chance to address it.

Next steps