Security & Incident Response
Effective date: Jul 12, 2026
This statement summarises the technical and organisational measures Omixo AI uses to protect personal data, and our process for handling security incidents.
1. Encryption
- In transit: all traffic is served over HTTPS/TLS. API and webhook endpoints reject non-TLS connections.
- At rest: sensitive credentials and access tokens (e.g. integration OAuth tokens) are encrypted in the database using authenticated encryption.
- Backups: automated backups are encrypted with AES-256 before storage and off-site transfer; encryption keys are held separately from the backup media.
2. Access control
- Staff access to customer personal data is restricted on a least-privilege, role-based basis; not all staff can view customer data.
- Strong password requirements and rate-limited authentication protect all accounts.
- Access to pages that expose personal data is logged to an audit trail (who, what, when, source IP) retained for compliance.
3. Data loss prevention & resilience
- Automated daily backups with rotation and encrypted off-site copies.
- A documented, tested disaster-recovery procedure shipped inside every backup archive.
- Test and production data are kept separate; production data is not used in development or testing.
4. Data minimisation & retention
We collect only the data required to deliver the service, retain it only as long as needed, and delete integration data on uninstall and account data on closure or verified erasure request.
5. Security incident response policy
If a security incident affecting personal data is suspected or confirmed, we follow this process:
- Detect & triage — assess scope, severity, and affected data/Merchants.
- Contain — isolate affected systems, rotate credentials/keys, and stop ongoing exposure.
- Eradicate & recover — remove the cause and restore service from known-good, encrypted backups.
- Notify — inform affected Merchants without undue delay with the details they need to meet their own obligations; support regulatory notification as required.
- Review — conduct a post-incident review and apply corrective actions to prevent recurrence.
6. Reporting a vulnerability
If you believe you have found a security issue, please contact us using the details in the footer. We investigate all reports and appreciate responsible disclosure.