Security & trust
Omnia connects to the systems where your most sensitive operational data lives. Here's how we treat it.
SOC 2 Type II
Our SOC 2 Type II coverage currently comes through our infrastructure provider, and we are targeting our own Type II audit by Q4 2026. The trust report and current controls are available under NDA: email security@omnia.dev.
ISO 27001
Our hosting (AWS) is ISO 27001 certified. We are pursuing our own certification on the same audit cycle as SOC 2 Type II, with certification expected in 2027 H1.
Identity · SSO & SCIM
- SSO via SAML 2.0 (Okta, Microsoft Entra ID, Google Workspace, JumpCloud)
- SCIM 2.0 user + group provisioning
- Just-in-time provisioning supported on standard plans
- Enforced 2FA on every Omnia operator account
Audit log + SIEM
Every read, write, and AI completion is logged with actor, timestamp, scope, and citation IDs. Logs are streamable to Splunk, Datadog, and any SIEM that consumes JSON over HTTPS. 90-day retention by default; custom retention available.
Data handling
- Hosting: AWS in your region of choice (US-East, US-West, EU-Central). Single-tenant deployment available for regulated industries.
- Encryption: TLS 1.3 in transit, AES-256 at rest. Customer-managed KMS keys on Enterprise plans.
- LLM: Zero-retention agreement with our provider. Prompts and completions are not used for training and are deleted within 30 days.
- Read-only by default: Every connector starts read-only. Write actions (e.g., Jira ticket creation) require explicit per-workflow approval.
- Data residency: Your data never leaves the region you selected.
Subprocessors
- AWS — primary compute, storage, and managed Postgres
- OpenAI / Anthropic — LLM inference (zero-retention)
- Cloudflare — CDN and DDoS protection
- Stripe — billing
- Linear — internal issue tracking (no customer data)
Updated subprocessor list: security@omnia.dev.
Incident response
Documented IR plan with named on-call rotation. Customers are notified within 24 hours of a confirmed incident affecting their data. Quarterly tabletop exercises with the engineering team.
Penetration testing
Annual third-party penetration test. Latest report (redacted) available under NDA on request. Continuous bug bounty program in place via HackerOne.
Talk to us
For trust reports, security questionnaires, DPAs, or red-team coordination: security@omnia.dev.