Trust & Security Center

Security built into the architecture

Omnismith is engineered for teams that treat data protection as a requirement, not an afterthought. This page documents the controls, infrastructure, and practices behind the platform for procurement and security reviewers.

Overview & compliance

A security-by-design foundation, with formal attestation underway.

Security by design

Security is not a bolt-on. Isolation, encryption, and least-privilege access are built into the architecture from the ground up.

SOC 2 Type 1 — in progress

We are actively preparing for our SOC 2 Type 1 audit, formalizing the controls that already govern how we build and operate the platform.

PCI-DSS handled by Lemon Squeezy

We do not store, process, or transmit cardholder data. All payments are securely offloaded to Lemon Squeezy, a PCI-DSS Level 1 compliant provider.

Cloud infrastructure & hosting

Isolated by default, exposed only where necessary.

ISO 27001 data centers

Omnismith runs on Hetzner Cloud. Hetzner data centers hold ISO 27001 certifications, providing an independently audited foundation for physical and operational security.

Network isolation

The platform uses Kubernetes Network Policies, private internal networks, and strict ingress firewall rules that permit HTTPS only. Services are isolated from one another and from the public internet by default.

VPN-only internal access

Internal tooling is not exposed publicly. Administrative surfaces are restricted to VPN-only access.

Data security & architecture

Encrypted end to end, and separated tenant by tenant.

Encrypted at rest

All stateful workloads — PostgreSQL databases and Kafka message brokers — are backed by AES-256 block-level encryption, dynamically provisioned via Longhorn.

Encrypted in transit

TLS 1.3 is enforced across all external endpoints, protecting data as it moves between your clients and the platform.

Strict tenant isolation

Every user and project is isolated within its own dedicated PostgreSQL schema. This strict logical separation is designed to prevent cross-tenant data bleed.

Application security & development

Consistent, automated delivery with a hardened production boundary.

Automated CI/CD deployments

All deployments run through automated CI/CD pipelines, keeping releases repeatable, reviewable, and consistent.

No manual production SSH

Direct manual SSH access to production nodes is prohibited for routine deployments, removing a common source of drift and human error.

Responsible disclosure

We welcome reports from security researchers. If you believe you have found a vulnerability in Omnismith, please disclose it to us responsibly so we can investigate and remediate it.

Report a vulnerability

[email protected]

Initial response

Within 48 hours

Please provide enough detail to reproduce the issue, and give us reasonable time to remediate before any public disclosure.

Start with a record that needs more than a spreadsheet can explain.

The free tier is enough to test the model with real records, real history, and a real workflow. No credit card required.

Start Free

Questions? [email protected]