Trust center

Compliance, built into every hop.

One consistent safety and compliance policy across every model — even local ones — enforced at the gateway with immutable audit lineage.

Request a security review Read security docs

SOC 2 Type II

Controls audited annually

ISO 27001

Information security mgmt

HIPAA-aligned

PHI controls & BAAs

GDPR

EU residency & DPIA ready

Guardrails

Defense at input, output and routing.

Every request is inspected, transformed and logged — provider-agnostic, so your policy holds even when the model changes.

PII & secrets masking

Detect and mask emails, phones, MRNs, card numbers and API keys before any provider call — with reversible tokens for your tenants.

Injection & jailbreak defense

Detect prompt-injection, jailbreaks and tool-abuse on both input and output — block, sanitize or quarantine with policy.

Content moderation

Configurable toxicity, violence, self-harm and policy filters with thresholds per tenant and per feature.

Token & rate budgets

Per-tenant token budgets, RPS limits and burst controls — with fair-share scheduling and backpressure.

Data residency

Region-locked routing keeps regulated workloads inside the right jurisdiction — EU, US, APAC or on-prem.

Full audit lineage

Every transform, route and policy decision is immutable, searchable and exportable to your SIEM or warehouse.

Request lifecycle

Policy applied at every stage.

1

Ingress & authenticate

SSO/SAML, API keys and mTLS. Request is tagged with tenant, scope, residency and sensitivity class.

2

Input guardrails

PII/PHI masking, injection defense, content policy and budget checks run before any model is selected.

3

Route & call

The router picks the optimal model respecting residency, budget and quality gates — with failover armed.

4

Output guardrails

Moderation, toxicity, schema validation and secret-leak detection run on the response before release.

5

Audit & observe

The full lineage — transforms, route, cost, latency, policy verdicts — is written immutably and exported.

Deployment

Your data, your perimeter.

Run OMNOXA as a managed control plane, in your own VPC, or fully on-prem. Sensitive payloads never have to leave your network.

  • Managed multi-tenant SaaS with regional edges
  • Single-tenant VPC deployment with private peering
  • Air-gapped on-prem for the most sensitive workloads
omnoxa · deployment
mode vpc · region=eu-west
perimeter:
  gateway in customer VPC
  egress allowlist: 2 providers
  payload encryption: AES-256
→ 0 customer payloads leave VPC

Security questions? We have answers.

Get our security whitepaper, latest attestations and a walkthrough with our security team.

Contact security Security docs