Security
How 8os.ai protects your data, from encryption and infrastructure to authentication and privacy controls.
Data Encryption
Transit Encryption
All data transmitted between your browser and 8os servers is encrypted using TLS 1.3, the current industry standard. Older TLS versions are not supported.
At-Rest Encryption
All persistent data is encrypted at rest using AES-256. This includes your profile data, archetype results, goal entries, and session tokens.
Encrypted Backups
Database backups are encrypted with the same AES-256 standard and stored in geographically distributed, access-controlled locations.
Infrastructure
Hosting
The 8os frontend is hosted on Vercel, a SOC 2 Type II compliant platform with global edge distribution. Backend services run on Railway with dedicated isolated environments.
SOC 2 Alignment
Our infrastructure partners hold SOC 2 Type II certifications. 8os itself is on a path to formal SOC 2 certification as the platform scales.
Environment Isolation
Production, staging, and development environments are fully isolated. No production data is used in development or testing.
Uptime Monitoring
We use continuous uptime and latency monitoring across all critical services. Incidents trigger automated alerting to the on-call engineer.
Authentication
Password Hashing
User passwords are never stored in plaintext. All passwords are hashed using bcrypt with a cost factor calibrated to current hardware capabilities.
Session Management
Sessions are signed, expire after a configurable period of inactivity, and are invalidated on logout. Concurrent sessions from new devices trigger confirmation emails.
OAuth
Third-party authentication (Google, GitHub) uses OAuth 2.0 with minimal, explicitly scoped permissions. We request only what we need, never broad profile or contact access.
Rate Limiting
Authentication endpoints are rate-limited to prevent brute-force attacks. Repeated failed attempts trigger temporary lockouts with notification to the account email.
Privacy by Design
Minimum Data Collection
We collect only what is necessary to deliver your archetype profile and daily briefing. We do not collect location data, contact lists, or behavioral data beyond what you explicitly provide.
No Data Selling
We do not sell, rent, or trade your personal data to any third party. We do not use your data to train AI models without explicit opt-in consent.
Data Export
You can export all your personal data at any time from your account settings. Exports are delivered in JSON format within 24 hours.
Right to Delete
You can permanently delete your account and all associated data at any time. Deletion is irreversible and completes within 30 days of request.
Third-Party Integrations
OAuth-Scoped Access
When you connect third-party tools (Notion, Google Calendar, etc.), we use OAuth with the minimum required scopes. We do not request write access unless the integration explicitly requires it.
Token Storage
OAuth tokens for connected services are stored encrypted and are never logged or exposed in error reports.
Revocation
You can revoke any connected integration at any time from your account settings. Revocation removes our access immediately.
Vulnerability Reporting
If you discover a security vulnerability in 8os.ai, please report it responsibly via email. We commit to acknowledging all reports within 24 hours, providing status updates within 72 hours, and crediting researchers who identify and responsibly disclose valid vulnerabilities.
Please do not publicly disclose vulnerabilities before we have had the opportunity to address them.
security@8os.aiSecurity documentation last updated May 2026