Security

Architecture designed for regulated workloads.

Octomil is built on data minimization: raw training data never leaves end-user devices. Only model weight deltas are transmitted. This page describes our security architecture, access controls, and compliance posture.

Data handling

What stays on-device, what is shared

Stays on-device

  • Raw user data (text, images, sensor readings, biometrics)
  • Feature extraction results
  • Local training batches and gradients
  • Personal model adaptations

Transmitted to aggregation server

  • Model weight deltas (encrypted in transit)
  • Training metadata: sample counts, basic quality metrics
  • Device health signals: battery, connectivity, completion status

No PII, no raw data, no user-identifiable content.

Authentication

Identity and access control

User authentication

Passkeys and OAuth available today. Enterprise SSO (SAML 2.0) and SCIM directory sync available on Enterprise tier. All sessions are scoped to a single organization.

Device authentication

Devices authenticate via a short-lived bootstrap token issued by your backend. The token is exchanged server-side for a device access token and refresh token. Long-lived credentials are never stored on client devices.

Token rotation is automatic. Revocation is immediate via the control plane API or dashboard.
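The device flow above, modeled in memory as an added example (not Octomil's code or API). The class and method names, the token lifetimes, and the single-use treatment of bootstrap and refresh tokens are assumptions made for illustration.

```python
import hashlib
import secrets
import time

class DeviceTokenService:
    """Hypothetical model of bootstrap exchange, rotation and revocation."""
    BOOTSTRAP_TTL = 300   # assumed lifetime in seconds
    ACCESS_TTL = 900      # assumed lifetime in seconds

    def __init__(self, clock=time.time):
        self.clock = clock
        self.bootstrap = {}   # sha256(token) -> (device_id, expiry)
        self.access = {}      # sha256(token) -> (device_id, expiry)
        self.refresh = {}     # sha256(token) -> device_id
        self.revoked = set()  # device ids revoked by the control plane

    @staticmethod
    def _h(token):
        # Store only digests so a dump of the store does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_bootstrap(self, device_id):
        token = secrets.token_urlsafe(32)
        self.bootstrap[self._h(token)] = (device_id, self.clock() + self.BOOTSTRAP_TTL)
        return token

    def _mint(self, device_id):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[self._h(access)] = (device_id, self.clock() + self.ACCESS_TTL)
        self.refresh[self._h(refresh)] = device_id
        return access, refresh

    def exchange(self, bootstrap_token):
        # pop() makes the bootstrap token single-use (assumption): a replay fails.
        entry = self.bootstrap.pop(self._h(bootstrap_token), None)
        if entry is None or entry[1] < self.clock() or entry[0] in self.revoked:
            raise PermissionError("invalid bootstrap token")
        return self._mint(entry[0])

    def rotate(self, refresh_token):
        # Each rotation retires the presented refresh token and issues a new pair.
        device_id = self.refresh.pop(self._h(refresh_token), None)
        if device_id is None or device_id in self.revoked:
            raise PermissionError("invalid refresh token")
        return self._mint(device_id)

    def revoke(self, device_id):
        self.revoked.add(device_id)

    def authorize(self, access_token):
        # Revocation is checked on every request, so it applies before expiry.
        entry = self.access.get(self._h(access_token))
        if entry is None or entry[1] < self.clock() or entry[0] in self.revoked:
            return None
        return entry[0]
```

Checking the revocation set on every request is what makes revocation take effect immediately in this model; a design that validates access tokens without a server-side lookup would only pick up revocation at the next rotation.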

API authentication

Backend API keys remain server-side only. Keys are org-scoped with configurable permissions. Key rotation and revocation are supported without downtime.

Authorization

Least privilege by default

Role-based access control

Three roles with escalating permissions: Member (read + limited write), Admin (full workspace management), Owner (billing, deletion, access control). Admin roles require explicit provisioning — no implicit elevation.

Tenant isolation

All resources — models, devices, training rounds, deployments, device groups — are scoped to the owning organization. Cross-tenant reads and writes are denied at the API layer. There is no mechanism for one organization to access another's data.

Audit and observability

Actor-attributed logging for every action

Audit trail

Identity lifecycle events, policy changes, rollout promotions, model approvals, device revocations, and SCIM sync operations are logged with actor attribution, timestamps, and metadata. Audit logs are export-ready for compliance review on Enterprise tier.

Operational telemetry

Training round progress, device participation rates, model quality metrics, and system health are available in real time through the monitoring dashboard. Status is exposed at status.octomil.com.

Compliance

Compliance posture

SOC 2 Type II: On roadmap

Architecture aligned to SOC 2 trust service criteria: access controls, audit logging, encrypted transit, change management, and incident response. Formal audit planned.

HIPAA: Architecture ready

Data minimization by design — no patient data is centralized. Only model weight deltas are transmitted. BAA available on Enterprise tier.

GDPR: By design

No PII collection. On-device training with data minimization. Processing stays local to the end-user device. No cross-border data transfer of personal data.

Penetration testing: Planned

Third-party penetration testing engagement planned. Architecture follows OWASP security best practices.

Deployment

Infrastructure and deployment options

Cloud deployment (default)

Octomil runs on managed cloud infrastructure with Cloudflare edge network. Isolated compute with auto-scaling, health monitoring, and non-root container security. All data is encrypted at rest and in transit.

VPC deployment (Enterprise)

Run Octomil in your own cloud account within your network boundaries. Octomil-managed infrastructure deployed inside your VPC. Full network isolation with your existing security controls, firewall rules, and compliance boundaries.

Available on Enterprise tier. Contact team@octomil.com to discuss.

Reliability

Operational targets

  • API availability target (30-day window): 99.95%
  • API latency p99 target (30-day window): < 500ms
  • Recovery time objective (RTO) for core control plane: ≤ 60 min
  • Maximum update interval for high-impact incidents: 30 min

Enterprise contract SLA: 99.9% monthly uptime. Planned maintenance announced in advance. Live status at status.octomil.com.

Full security documentation

For detailed technical documentation on security architecture, device token lifecycle, and operational SLOs, see our documentation site.


Questions about security?

We're happy to discuss your requirements.

If you need to evaluate Octomil for a regulated environment, have TPRM requirements, or need to discuss a BAA, reach out to our team.