Trust Center
Transparency builds trust.
Octomil is designed for regulated workloads. This page provides a single view of our compliance posture, security practices, and operational status for your security review.
Compliance
Framework readiness
- SOC 2: 77 controls mapped and implemented. Architecture aligned to all five Trust Services Criteria. Formal audit engagement planned.
- HIPAA: 52 Security Rule controls implemented. Raw data never leaves devices — Octomil architecturally cannot receive or process PHI. BAA available on Enterprise tier.
- GDPR: On-device training with data minimization. No PII collection, no cross-border transfer of personal data. Right-to-erasure and data residency controls built in.
- ISO 27001: 93 Annex A controls mapped and implemented. Full policy documentation suite covering information security, risk, BCP/DR, incident response, and vendor management.
Security practices
How we protect your data
Data minimization
Raw training data never leaves end-user devices. Only encrypted model weight deltas are transmitted to the aggregation server. No PII, no user content, no raw gradients.
Encryption
TLS 1.3 in transit. AES-256 at rest with KMS/Vault key provider support. Secure aggregation (SecAgg+) encrypts model updates so the server only sees the aggregate — never individual contributions.
Differential privacy
Configurable DP-SGD with gradient clipping and calibrated noise injection. Rényi Differential Privacy (RDP) accounting tracks cumulative privacy spend. Training auto-rejects when the privacy budget is exhausted.
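As an added illustration of the pipeline this section describes (not Octomil's code): per-sample gradient clipping, calibrated Gaussian noise, additive RDP accounting, and refusal of a training step once the (epsilon, delta) budget would be exceeded. It assumes full-batch steps with the Gaussian mechanism (no subsampling amplification) and a constructed grid of Rényi orders.

```python
import math
import random

class BudgetExhausted(Exception):
    """Raised when the next step would push cumulative spend past the target epsilon."""

class RdpAccountant:
    """Cumulative RDP spend for the Gaussian mechanism, converted to (epsilon, delta).
    Constructed assumption: full-batch steps, so one step costs alpha / (2 * sigma^2)
    at Renyi order alpha; no subsampling amplification is applied."""
    ORDERS = (1.5, 2, 4, 8, 16, 32, 64)   # assumed order grid

    def __init__(self, target_epsilon, delta):
        self.target_epsilon, self.delta = target_epsilon, delta
        self.rdp = {a: 0.0 for a in self.ORDERS}   # spend so far, per order

    def epsilon_after(self, noise_multiplier, extra_steps=1):
        # RDP composes additively; report the tightest epsilon over all orders.
        return min(self.rdp[a] + extra_steps * a / (2 * noise_multiplier ** 2)
                   + math.log(1 / self.delta) / (a - 1) for a in self.ORDERS)

    def can_charge(self, noise_multiplier):
        return self.epsilon_after(noise_multiplier) <= self.target_epsilon

    def charge(self, noise_multiplier):
        if not self.can_charge(noise_multiplier):
            raise BudgetExhausted("privacy budget exhausted; training step rejected")
        for a in self.ORDERS:
            self.rdp[a] += a / (2 * noise_multiplier ** 2)

def clip_per_sample(grads, clip_norm):
    """Scale each per-sample gradient so its L2 norm is at most clip_norm."""
    out = []
    for g in grads:
        norm = math.sqrt(sum(x * x for x in g))
        scale = min(1.0, clip_norm / norm) if norm > 0 else 1.0
        out.append([x * scale for x in g])
    return out

def dp_sgd_step(grads, clip_norm, noise_multiplier, accountant, rng=None):
    """Charge the accountant first (an exhausted budget rejects the step), then
    clip, sum, add N(0, (clip_norm * sigma)^2) noise per coordinate and average."""
    accountant.charge(noise_multiplier)
    rng = rng or random.Random()
    clipped = clip_per_sample(grads, clip_norm)
    summed = [sum(g[i] for g in clipped) for i in range(len(clipped[0]))]
    noisy = [s + rng.gauss(0.0, clip_norm * noise_multiplier) for s in summed]
    return [v / len(grads) for v in noisy]
```

With a target epsilon of 8 at delta 1e-5 and noise multiplier 1.0, this accountant admits two full-batch steps and rejects the third before any gradient is touched.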
Access control
Org-scoped RBAC with three roles (Member, Admin, Owner). Device authentication via short-lived bootstrap tokens with automatic rotation. API keys are org-scoped with configurable permissions. Enterprise SSO (SAML 2.0) and SCIM directory sync available.
Audit logging
Every action is logged with actor attribution, timestamp, resource type, IP address, and request metadata. Audit logs are export-ready for compliance review. HIPAA-compliant retention policies enforced.
Infrastructure
Non-root containers with dropped capabilities and privilege escalation disabled. CI/CD pipeline includes container scanning, dependency scanning, and secret detection. VPC deployment available on Enterprise tier.
Policies
Formal security policies
Octomil maintains 16 formal security and compliance policies covering the full scope of enterprise security requirements. Policies are reviewed annually and updated as needed.
- Information Security Policy
- Data Classification Policy
- Acceptable Use Policy
- Change Management Policy
- Incident Response Playbook
- Breach Notification Procedures
- Business Continuity & Disaster Recovery
- Risk Assessment
- Vendor Risk Management
- Cloud Security Policy
- Security Awareness Training
- Vulnerability Management
- Penetration Testing Policy
- Data Retention & Disposal
- Business Associate Agreement (BAA)
- Privacy Impact Assessment
Policy documents are available to Enterprise customers and prospective customers undergoing security review. Contact team@octomil.com to request access.
Operational status
Uptime and incident history
Live status
Real-time platform status, incident history, and maintenance notifications are published at our public status page.
status.octomil.com
SLA targets
Enterprise contract SLA: 99.9% monthly uptime with financial credits.
Responsible disclosure
Reporting security vulnerabilities
If you discover a security vulnerability in Octomil, we ask that you disclose it responsibly.
How to report
Email team@octomil.com with a description of the vulnerability, steps to reproduce, and any relevant evidence. We will acknowledge your report within 48 hours and provide a timeline for resolution.
Our commitment
- Acknowledge reports within 48 hours
- Provide a remediation timeline within 5 business days
- Credit reporters in our security advisories (with permission)
- No legal action against good-faith security research
Detailed documentation
For technical deep-dives on our security architecture, compliance guides, and operational procedures:
Need a security review?
We'll help with your TPRM process.
If you need to complete a vendor security questionnaire, request policy documents, or discuss a BAA for HIPAA-covered workloads, reach out to our team.