8os
Log in

Security

How 8os.ai protects your data, from encryption and infrastructure to authentication and privacy controls.

🔒

Data Encryption

Transit Encryption

All data transmitted between your browser and 8os servers is encrypted using TLS 1.3, the current industry standard. Older TLS versions are not supported.

At-Rest Encryption

All persistent data is encrypted at rest using AES-256. This includes your profile data, archetype results, goal entries, and session tokens.

Encrypted Backups

Database backups are encrypted with the same AES-256 standard and stored in geographically distributed, access-controlled locations.

🏗️

Infrastructure

Hosting

The 8os frontend is hosted on Vercel, a SOC 2 Type II compliant platform with global edge distribution. Backend services run on Railway with dedicated isolated environments.

SOC 2 Alignment

Our infrastructure partners hold SOC 2 Type II certifications. 8os itself is on a path to formal SOC 2 certification as the platform scales.

Environment Isolation

Production, staging, and development environments are fully isolated. No production data is used in development or testing.

Uptime Monitoring

We use continuous uptime and latency monitoring across all critical services. Incidents trigger automated alerting to the on-call engineer.

🔑

Authentication

Password Hashing

User passwords are never stored in plaintext. All passwords are hashed using bcrypt with a cost factor calibrated to current hardware capabilities.

Session Management

Sessions are signed, expire after a configurable period of inactivity, and are invalidated on logout. Concurrent sessions from new devices trigger confirmation emails.

OAuth

Third-party authentication (Google, GitHub) uses OAuth 2.0 with minimal, explicitly scoped permissions. We request only what we need, never broad profile or contact access.

Rate Limiting

Authentication endpoints are rate-limited to prevent brute-force attacks. Repeated failed attempts trigger temporary lockouts with notification to the account email.

🛡️

Privacy by Design

Minimum Data Collection

We collect only what is necessary to deliver your archetype profile and daily briefing. We do not collect location data, contact lists, or behavioral data beyond what you explicitly provide.

No Data Selling

We do not sell, rent, or trade your personal data to any third party. We do not use your data to train AI models without explicit opt-in consent.

Data Export

You can export all your personal data at any time from your account settings. Exports are delivered in JSON format within 24 hours.

Right to Delete

You can permanently delete your account and all associated data at any time. Deletion is irreversible and completes within 30 days of request.

🔗

Third-Party Integrations

OAuth-Scoped Access

When you connect third-party tools (Notion, Google Calendar, etc.), we use OAuth with the minimum required scopes. We do not request write access unless the integration explicitly requires it.

Token Storage

OAuth tokens for connected services are stored encrypted and are never logged or exposed in error reports.

Revocation

You can revoke any connected integration at any time from your account settings. Revocation removes our access immediately.

Vulnerability Reporting

If you discover a security vulnerability in 8os.ai, please report it responsibly via email. We commit to acknowledging all reports within 24 hours, providing status updates within 72 hours, and crediting researchers who identify and responsibly disclose valid vulnerabilities.

Please do not publicly disclose vulnerabilities before we have had the opportunity to address them.

security@8os.ai

Security documentation last updated May 2026