Security architecture
for production AI

Technical security controls for the ozDNA gateway, API, and supporting infrastructure. For compliance roadmap and certifications status, see the Trust Center.

01

Security Architecture

ozDNA is a layered platform: AI gateway, model router, prompt registry, RAG, cost engine, and observability — operated by Findbelow Ventures. Every external request enters through authenticated gateway boundaries before reaching inference or retrieval subsystems.

  • Perimeter: HTTPS-only public endpoints; invite-only API keys during private beta
  • Gateway: Auth, rate limits, and audit hooks before workflow execution
  • Isolation: Environment-separated sandbox (api.sandbox.ozdna.com) and production (api.ozdna.com)
  • Least privilege: Scoped API keys; no anonymous inference on paid workflows
  • Vertical boundaries: Mode-specific prompts and corpora (academic, legal, financial)
Related: Compliance programs and certification roadmap — Trust Center
02

Encryption at Rest

Customer data at rest inherits encryption from underlying cloud providers. ozDNA does not store raw API keys in plaintext.

AssetApproachStatus
API keys (stored)Salted hashes only; plaintext shown once at creationLive
DatabaseProvider-native encryption (managed Postgres roadmap)In Progress
Object / vector storageProvider-managed encryption for RAG corporaRoadmap
BackupsEncrypted backup volumes per provider policyPlanned
03

Encryption in Transit

All customer-facing traffic requires TLS. Internal provider connections use HTTPS to upstream LLM and embedding APIs.

  • Web & docs: TLS 1.2+ on ozdna.com (Netlify CDN)
  • Platform API: HTTPS enforced on api.ozdna.com and sandbox endpoints
  • Provider calls: TLS to OpenAI and routed inference providers
  • Webhooks: HMAC-SHA256 signatures on outbound callbacks (X-OzDNA-Signature)
04

Secrets Management

Secrets never ship in client-side code, public repositories, or static marketing assets.

  • Environment-scoped configuration for provider keys and database credentials
  • Separate secrets per sandbox and production environments
  • Rotation supported for API keys via dashboard (roadmap) and manual revoke today
  • CI/CD injects secrets at deploy time — not baked into container images
Status: Centralized secrets manager (Vault / cloud SM) — Roadmap for enterprise tier.
05

API Authentication

All platform endpoints require a valid Bearer token. Unauthenticated requests receive 401 before reaching inference logic.

MechanismDetailStatus
Bearer tokensAuthorization: Bearer ozdna_sk_*Live
Key prefixesozdna_sk_test_ / ozdna_sk_live_Live
RevocationImmediate invalidation on key deleteLive
SSO / SAMLDashboard and enterprise identityPlanned

See API documentation for integration details.

06

Rate Limiting

Rate limits protect platform stability and enforce plan quotas at the gateway layer.

  • Per-key request quotas enforced before workflow dispatch
  • 429 responses with retry guidance when limits exceeded
  • 402 when billing quota exhausted
  • Configurable limits per organization — enterprise roadmap
07

DDoS Protection

Public surfaces inherit DDoS mitigation from CDN and hosting providers.

  • Marketing & docs: Netlify CDN edge protection and automatic TLS
  • API gateway: Provider-level network filtering on deployment target (Fly.io / Railway / AWS roadmap)
  • Application layer: Rate limiting and auth as first-line abuse controls
  • WAF: Dedicated Web Application Firewall — Planned for production API
08

Logging

Structured logs capture security-relevant events without storing unnecessary payload content.

  • X-Request-Id on every API response for trace correlation
  • Authentication success/failure, rate-limit hits, and quota events logged
  • Prompt hash and model ID per inference — not full prompt text in default logs
  • RAG ingest, retrieve, and eval events with org scope
  • Exportable audit logs for enterprise — In Progress

Audit logging details: Trust Center — Audit Logging

09

Monitoring

Platform health and anomaly detection cover availability, latency, and error rates.

SignalScopeStatus
Health checksGET /health, gateway statusLive
Error rates4xx/5xx by endpoint and orgLive
Latency & costPer-workflow metrics dashboardIn Progress
Public status pagePlatform availabilityLive
On-call paging24/7 for enterprise tierPlanned
10

Backups

Backup and recovery procedures align with disaster recovery targets documented in the Trust Center.

  • Automated database backups on managed Postgres migration — Roadmap
  • Point-in-time recovery target: RPO < 1 hour (enterprise roadmap)
  • Quarterly restore drills — Planned
  • Configuration and prompt registry versioning via git-backed prompt store

DR objectives: Trust Center — Disaster Recovery

11

Vulnerability Disclosure

We welcome good-faith security reports from researchers, customers, and the community.

  • Contact: security@ozdna.com (placeholder — monitored by Findbelow Ventures security contact)
  • Machine-readable: /.well-known/security.txt (RFC 9116)
  • Scope: ozdna.com, api.ozdna.com, api.sandbox.ozdna.com, and ozDNA platform services
  • Out of scope: Third-party providers (OpenAI, Netlify), social engineering, physical attacks
  • Response: Acknowledgment within 3 business days; critical issues triaged within 24 hours
Recognition: Security acknowledgments page — Coming Soon. Researchers who follow our responsible disclosure policy will be credited with permission.
12

Responsible Disclosure Policy

To protect ozDNA customers, we ask reporters to follow coordinated disclosure.

  • Report vulnerabilities privately to security@ozdna.com with reproduction steps and impact assessment.
  • Allow reasonable time for remediation before public disclosure — typically 90 days, sooner for critical issues once patched.
  • Do not access, modify, or exfiltrate customer data beyond what is necessary to demonstrate the issue.
  • Do not perform denial-of-service, spam, or social engineering against ozDNA staff or customers.
  • Do not test against production customer workloads without written authorization.

We commit to:

  • Acknowledge receipt of your report
  • Provide status updates at reasonable intervals
  • Notify you when the issue is resolved
  • Credit researchers on our acknowledgments page (with your consent)

This policy does not authorize testing that violates applicable law. If you are unsure whether your research is permitted, contact us before proceeding.

Security contact

Report vulnerabilities, request a security review, or ask about our controls.