Governance is the product.
Octos exists to make AI decisions provable — so the same rigor runs how we operate. Here's our security posture, where your data lives, and how to get the docs.
What's live, what's coming
Run it our way, your cloud, or your walls.
The same governed runtime, wherever your data has to live.
SaaS · Cloud
We host it. Fastest start, per-tenant isolation, encrypted at rest. You point your keys and go.
BYOC
Bring your own cloud. The runtime runs in your account on your keys; we manage the control plane.
Self-host
Fully inside your perimeter, air-gap friendly. Open core, no phone-home — you hold every key.
We store what the runtime needs — nothing more.
What we store
Your decisions, their evidence, and the memory graph — the record that makes governance provable, not a copy of everything.
Where it lives
Your chosen region on Cloud, or entirely your own infrastructure on BYOC and self-host. You decide the jurisdiction.
We don't train on it
Ever. No model is trained, tuned, or evaluated on your data. Your compositions, prompts, and outputs are yours.
Encryption
TLS 1.2+ in transit; AES-256 at rest on Cloud. On self-host, encryption is yours to control end to end.
Deletion & export
Export or delete on request. On self-host you already hold the keys — nothing leaves your walls to begin with.
Subprocessors
A current list ships with our DPA. We tell you who touches infrastructure before you sign, not after.
Request the security package
Doing diligence? We'll send the current docs — some under NDA. Formal legal pages (Privacy · Terms · Usage · DPA · Subprocessors) publish on the main domain with commercial launch; request current copies anytime.
- Security whitepaper
- SOC 2 status letter (under NDA)
- Data Processing Addendum (DPA)
- Subprocessor list
- Penetration-test summary
- EU AI Act logging overview