Security & compliance
Honest is better than aspirational. Below is what is live in production today vs. what is planned. Anything not on this page does not exist yet — please push back if a salesperson tells you otherwise.
AES-256-GCM at-rest secret encryption
live: All SSO, storage, and KMS credentials are envelope-encrypted with a server-held master key before persistence.
TLS 1.2+ in transit
live: Edge proxy enforces TLS 1.2 minimum; HSTS preload on oxp.sh.
WASM sandbox for extension code
live: Untrusted extension logic runs inside a Wasmtime component with no host syscalls.
Sigstore-signed releases
live: Every published bundle is signed; publishers can bring their own KMS key.
GDPR Data Processing Agreement
live: Standard DPA available to Pro/Teams/Enterprise customers on request via sales@oxp.sh.
Custom MSA + DPIA support
live: Enterprise customers receive a tailored MSA, DPIA support, and named DPO contact.
Sub-processor disclosure list
live: Neon (database), Cloudflare (edge), Paddle (billing). Updates posted with 30-day notice.
Audit log retention
live: 30 days on Pro, 365 on Teams, unbounded on Enterprise.
Bring-your-own object storage
live: S3 / R2 / MinIO supported with mandatory smoke test before activation.
Customer-managed signing keys
live: AWS KMS today; GCP KMS, Azure Key Vault, and HashiCorp Vault next.
SOC 2 Type II
planned: Audit period scheduled. We don't claim certification we don't have. Contact sales for the current control narrative.
Documents
- DPA (GDPR + UK GDPR + Swiss FADP) — request: sales@oxp.sh
- Custom MSA / SCCs — Enterprise: sales@oxp.sh
- Subprocessor list — /trust/subprocessors
- Uptime SLA terms — /sla
- Vulnerability disclosure — /security