Security

Security is foundational to Onnai's architecture. Here's how we protect your data.

Local-First Design

The onnai CLI runs locally. Your .context, .persona, and .chat files stay on your machine. We never upload them.

BYOK Isolation

When you bring your own API keys, requests are sent directly from the onnaid daemon to your chosen provider. Traffic never passes through Onnai servers. Your keys are stored locally in your environment or keychain.

Transport Security

• All API traffic uses TLS 1.3
• Certificate pinning in the CLI
• Unix socket communication between CLI and daemon (mode 0600)

Infrastructure

• SOC 2 Type II compliant hosting
• Encrypted at rest (AES-256)
• Encrypted in transit (TLS 1.3)
• Regular penetration testing
• 24/7 monitoring and alerting

Enterprise

For enterprise deployments, we offer:

• On-premise Onnai Appliance
• Private cloud deployment
• SSO/SAML integration
• Audit logging
• Custom data retention policies
• HIPAA and GDPR compliance support

Vulnerability Disclosure

Found a security issue? Please report it to security@onnai.ai. We take all reports seriously and will respond within 24 hours.

We do not pursue legal action against security researchers who act in good faith.