Trust center:
security, custody, and deployment boundaries
We are small on purpose and direct about boundaries. Verify runs through a scoped review workflow for the files you share. Horizon can run inside your own environment when you need continuous monitoring. This page shows what we handle, what you control, and how responsibilities change by deployment model, without pretending every workflow has the same control perimeter.
Files arrive only for the agreed forensic review scope.
Managed reviews use access-controlled workflows and documented retention.
Continuous monitoring can run inside your own environment.
Deployment, deletion, and support terms are agreed in advance.
Need a security review?
If you have a customer questionnaire, send it over. We'll answer directly, flag what depends on deployment model, and avoid compliance theatre.
Contact security →Security Architecture
Oxaide supports two practical operating modes: a managed review workflow for Verify, and customer-controlled deployment for Horizon. The exact controls depend on which mode you buy, so we document them that way instead of pretending every workflow is identical.
Transport encryption
Managed workflows use encrypted transport for customer data moving between user devices, review systems, and approved infrastructure layers.
Managed storage protection
Where managed storage is used, underlying infrastructure provides encryption at rest and standard hosted security controls.
Segregated review handling
Customer materials are handled within scoped review workflows and only for the agreed review or deployment boundary.
Restricted administrative access
Administrative access follows least-privilege handling and restricted operational workflows rather than broad standing access.
Recovery controls
Managed data services use recovery controls appropriate to the workflow and deployment model in scope.
Service monitoring
Managed systems use monitoring and alerting for service health, with customer-controlled deployments sharing responsibility with the customer environment.
Compliance & Privacy
Data Custody Commitment
For Verify engagements, customer data is handled only for the agreed review deliverable. For Horizon deployments, telemetry can remain entirely inside customer-controlled infrastructure.
Practical privacy support
We support customer privacy and security reviews with deployment-specific answers. If you need a DPA, deletion terms, or a customer-controlled deployment path, we scope it directly.
- Data deletion workflow available on request
- Data export support for customer materials
- Data Processing Addendum available where appropriate
- Security review support for regulated operating environments
- Can support customer IM8 or internal security review processes with the right deployment model and documentation.
Sub-processors
We keep the managed stack small. These providers may appear in managed workflows. On-premise Horizon deployments can reduce or remove several of them.
Provider
Microsoft Azure
Managed workflow
Configured per engagement
Customer-controlled deployment
Customer-controlled instance or agreed private deployment
Provider
Supabase / AWS
Managed workflow
Used only where the workflow requires managed storage
Customer-controlled deployment
Local or customer-controlled storage path where required
Provider
Ollama / Local
Managed workflow
N/A
Customer-controlled deployment
Client premises when local inference is required
Provider
Cloudflare
Managed workflow
Configured only where needed for managed delivery
Customer-controlled deployment
Direct or edge-protected path, depending on customer architecture
| Provider | Purpose | Managed Workflow | Customer-Controlled Deployment |
|---|---|---|---|
| Microsoft Azure | Managed compute | Configured per engagement | Customer-controlled instance or agreed private deployment |
| Supabase / AWS | Database | Used only where the workflow requires managed storage | Local or customer-controlled storage path where required |
| Ollama / Local | Local agent inference | N/A | Client premises when local inference is required |
| Cloudflare | Edge delivery & protection | Configured only where needed for managed delivery | Direct or edge-protected path, depending on customer architecture |
Availability & SLA
Status-first
Support expectations
Managed workflows are monitored and enterprise deployments can include agreed response windows. For on-premise systems, availability is shared with the customer environment and hardware stack.
Managed SLAs are scoped in contract. On-premise deployments depend partly on customer infrastructure, networking, and hardware operations.
Scope first
Defined review scope
Boundary, telemetry window, and mandate question are pinned down before conclusions move.
Encrypted handling
Protected review workflow
Review traffic and operating data are handled with encrypted transfer and controlled access.
Customer boundary
Customer-controlled deployment
Managed, private, and isolated deployment paths are available when the environment requires them.
Direct accountability
Principal sign-off
Technical accountability stays close to the method rather than disappearing into a generic workflow.