Transparency builds trust.

This page brings together the security practices, review posture, and operational signals teams usually need during evaluation.

Framework readiness

SOC 2 Type II: In progress

We are building and documenting controls against the SOC 2 criteria; no Type II report has been issued yet. Formal audit timing can be discussed during evaluation.

HIPAA: Reviewable

Octomil's data-minimization design can make it a fit for healthcare and other privacy-sensitive deployments, but HIPAA fit has to be reviewed against how your deployment actually handles PHI. Contact us if you need to discuss a BAA path.

GDPR: By architecture

On-device execution and data minimization reduce how much personal data reaches the control plane in the first place. Whether and how GDPR obligations apply still depends on what your deployment sends and how it is configured.

How we protect your data

Data minimization

Octomil is designed to keep raw end-user content on-device by default. The control plane handles artifacts, telemetry, and rollout state rather than centralizing user data. Before treating telemetry as non-personal, review what your deployment actually emits.

Encryption

Control-plane and artifact data are protected with TLS for data in transit and encryption at rest for stored data, with key-management integrations available for teams that need to control their own keys.

Access control

Org-scoped RBAC, short-lived bootstrap tokens, scoped API keys, and optional SSO/SCIM support keep access aligned to least-privilege workflows.

Audit logging

Key control-plane actions are logged with actor attribution and timestamps. Enterprise teams can export audit logs for review.

Infrastructure

We use hardened containers, standard CI security checks, and optional VPC deployment for teams that need tighter network boundaries.

Formal security policies

Octomil maintains a set of internal security and compliance policies that can be shared during review where appropriate.

  • Information Security Policy
  • Data Classification Policy
  • Acceptable Use Policy
  • Change Management Policy
  • Incident Response Playbook
  • Breach Notification Procedures
  • Business Continuity & Disaster Recovery
  • Risk Assessment
  • Vendor Risk Management
  • Cloud Security Policy
  • Security Awareness Training
  • Vulnerability Management
  • Penetration Testing Policy
  • Data Retention & Disposal
  • Business Associate Agreement (BAA)
  • Privacy Impact Assessment

Policy documents are available to Enterprise customers and prospective customers undergoing review. Contact [email protected] to request access.

Status and incident handling

Live status

Real-time platform status, incident history, and maintenance notifications are published at our public status page.

status.octomil.com

Operational targets

API availability: 99.95% (30-day window)
API latency: < 500 ms at p99
Recovery time objective (RTO): ≤ 60 min

Enterprise contracts can include uptime and support commitments.

Reporting security vulnerabilities

If you discover a security vulnerability in Octomil, we ask that you report it to us privately before any public disclosure so it can be fixed first.

How to report

Email [email protected] with a description of the vulnerability, steps to reproduce, and any relevant evidence. We will acknowledge your report within 48 hours and provide a timeline for resolution.

Our commitment

  • Acknowledge reports within 48 hours
  • Provide a remediation timeline within 5 business days
  • Credit reporters in our security advisories (with permission)
  • No legal action against good-faith security research

Detailed documentation

For technical detail on security architecture, review workflows, and operational procedures:

  • Security architecture
  • Security guide
  • HIPAA compliance
  • GDPR compliance
  • Operational SLOs

We'll help with your review process.

If you need to complete a vendor questionnaire, request policy documents, or review a regulated deployment path, reach out to our team.