Security & Trust

How we protect your data. No marketing fluff — just the facts about our security infrastructure, compliance posture, and your rights.

Last updated: February 21, 2026 · Version 1.0

1. Regulatory Compliance

Omniops Ltd is a UK-registered company. Data is processed in the European Union and subject to the following regulatory frameworks:

  • UK GDPR and the Data Protection Act 2018 — governing UK data subjects
  • EU GDPR (Regulation 2016/679) — governing EU data subjects
  • CCPA (California Consumer Privacy Act) — governing California residents
  • EU AI Act — we meet transparency requirements for AI-assisted processing

We maintain a Data Processing Agreement (DPA) for business customers. View our DPA. Full GDPR rights are documented on the GDPR rights page.

2. Data Security

What we protect

All integration credentials (API keys, OAuth tokens, passwords) are encrypted with AES-256-GCM before being written to disk. The encryption key never touches the database.

Security measures applied across the platform:

  • AES-256-GCM encryption at rest for all stored credentials and sensitive data
  • TLS 1.3 in transit for all API and web traffic
  • Row Level Security (RLS) enforced at the database layer for tenant isolation — one organisation cannot access another's data
  • Encrypted daily backups retained for 30 days
  • Zero-trust authentication middleware on all authenticated API routes
  • Service-role database access restricted to server-side functions only

3. Your Data & AI

Your data is never used to train AI models

We hold Data Processing Agreements with our AI providers. Your conversations and business data are explicitly excluded from model training.

How AI processing works:

  • Conversations are processed in-memory by AI providers and not retained by them beyond the immediate request
  • We use Anthropic (Claude) and OpenAI (GPT-4) under DPAs that prohibit training on customer data
  • AI providers operate under EU Standard Contractual Clauses (SCCs) for data transfers
  • All AI inference endpoints are EU-region hosted where available
  • You can request human review of any AI-generated response

4. Your Data Rights

You have the following rights over your data, exercisable at any time:

  • Right to access — request a full export of all data we hold about you
  • Right to erasure — request deletion of your account and associated data
  • Right to portability — receive your data in machine-readable JSON format
  • Right to rectification — correct inaccurate data we hold
  • Breach notification — we will notify you within 72 hours of any breach affecting your data

Self-service data export and deletion are available in Dashboard Privacy Settings. Full GDPR rights are documented on our GDPR rights page.

5. Infrastructure

All infrastructure is hosted within the European Union. No data leaves the EU.

  • Application hosting: Hetzner Cloud, Germany (EU)
  • Database: Supabase, EU region (Frankfurt)
  • CDN and DDoS protection: Cloudflare
  • Backups: encrypted, daily, retained for 30 days, stored in EU
  • DNS and TLS: managed via Cloudflare with automatic certificate renewal

Hetzner Cloud and Supabase are both GDPR-compliant processors with EU data residency. Cloudflare operates under SCCs for any transient processing.

6. Questions?

If you have questions about security, data handling, or compliance, contact our privacy team directly:

Privacy team

For data requests, DPAs, and compliance questions.

privacy@omniops.co.uk