Security

How we protect your data

Our Commitment

Security is fundamental to everything we build. Onyx Legion is designed and operated by the team behind SureStep, an 18-year SOC 2 Type II compliant GRC consultancy serving global financial institutions. We understand enterprise security requirements.

Data Encryption

In Transit

  • All data transmitted over TLS 1.3
  • Strong cipher suites only (AES-256, ChaCha20-Poly1305)
  • Certificate pinning on mobile apps

At Rest

  • Database encryption using AES-256
  • Encrypted backups
  • Secrets stored in Google Cloud Secret Manager

Authentication & Access Control

  • Two-Factor Authentication (2FA): Optional TOTP-based MFA with authenticator apps (Google Authenticator, Authy, 1Password). Includes 10 one-time backup codes for account recovery.
  • Multiple Sign-In Methods: Phone, email/password, Google, and Microsoft authentication
  • JWT Tokens: Signed with HMAC-SHA256, 4-hour expiry
  • Token Versioning: Logout invalidates all existing tokens
  • Password Requirements: 12+ characters with complexity rules
  • Common Password Blocking: Protection against known weak passwords
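The JWT and token-versioning items above describe a check that is easy to get wrong: a signed, unexpired token must also carry the user's current token version, so that a logout (which bumps the version) retires every token issued before it. The following is an added illustration, not Onyx Legion's code; the secret, the in-memory version store and the `ver` claim name are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret and version store; the real service's are not described on the page.
SECRET = b"constructed-demo-secret-not-a-real-key"
TOKEN_TTL = 4 * 3600                    # 4-hour expiry, as stated on the page
USER_TOKEN_VERSION = {"user-123": 1}    # current token version per user (assumed store)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user_id: str, now=None) -> str:
    """Issue an HS256-signed JWT that embeds the user's current token version."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + TOKEN_TTL,
               "ver": USER_TOKEN_VERSION[user_id]}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, now=None):
    """Return the payload if signature, expiry and token version all check out, else None."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":      # refuse "none" or any other algorithm
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None                        # tampered or forged
        payload = json.loads(_b64url_decode(p))
        if payload["exp"] <= now:
            return None                        # past the 4-hour window
        if payload.get("ver") != USER_TOKEN_VERSION.get(payload.get("sub")):
            return None                        # issued before the last logout
        return payload
    except (ValueError, KeyError, TypeError):
        return None

def logout(user_id: str) -> None:
    """Bump the version so every previously issued token for this user stops validating."""
    USER_TOKEN_VERSION[user_id] += 1
```

The version comparison is what turns a stateless JWT into something a logout can revoke; without it, a stolen token stays usable until `exp`.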

Application Security

API Security

  • Rate limiting on all endpoints (prevents DoS attacks)
  • Payload size validation (prevents resource exhaustion)
  • Input sanitization (prevents injection attacks)
  • CORS policy enforcement

Data Isolation

  • User data scoped to authenticated user ID
  • Server-side ownership validation on all operations
  • No cross-user data leakage (IDOR protection)

Infrastructure Security

  • Cloud Platform: Google Cloud Platform (SOC 2, ISO 27001 certified)
  • Database: Cloud SQL with automated backups and point-in-time recovery
  • Compute: Cloud Run with automatic scaling and isolation
  • Monitoring: Real-time logging and alerting for security events
  • DDoS Protection: Google Cloud Armor

Third-Party Security

We carefully vet all third-party services:

  • Stripe: PCI DSS Level 1 certified payment processing
  • Firebase: Google-managed authentication with security best practices
  • SendGrid: SOC 2 Type II certified email delivery
  • AI Providers: Enterprise agreements with Anthropic, OpenAI, Google, xAI, DeepSeek

Vulnerability Management

  • Regular security audits and penetration testing
  • Automated dependency scanning
  • Responsible disclosure program
  • Timely patching of identified vulnerabilities

Enterprise Security

For enterprise customers, we offer:

  • On-Premise Deployment: Run Legion entirely within your infrastructure
  • Air-Gapped Networks: Support for classified and disconnected environments
  • SSO Integration: SAML and OIDC support
  • Audit Logging: Complete query and response logging
  • SIEM Integration: Export logs to Splunk, QRadar, etc.
  • Role-Based Access: Control which users can access which models
  • Data Residency: Choose where your data is stored

Compliance

Onyx AI Labs is built with compliance in mind. Our parent company (SureStep) has 18 years of experience helping organizations meet:

  • SOC 2 Type II
  • ISO 27001
  • GDPR (European data protection)
  • HIPAA (healthcare data)
  • SOX (financial reporting)
  • GLBA (financial services)

Incident Response

In the event of a security incident, we follow a documented incident response plan that includes containment, investigation, remediation, and notification procedures. Affected users will be notified within 72 hours of confirmed data breaches.

Report a Vulnerability

If you discover a security vulnerability, please report it responsibly:

Email: security@onyxailabs.com

We take all reports seriously and will respond within 48 hours.