Trust & Security Center
Security built into the architecture
Omnismith is engineered for teams that treat data protection as a requirement, not an afterthought. This page documents the controls, infrastructure, and practices behind the platform for procurement and security reviewers.
Overview & compliance
A security-by-design foundation, with formal attestation underway.
Security by design
Security is not a bolt-on. Isolation, encryption, and least-privilege access are built into the architecture from the ground up.
SOC 2 Type 1 — in progress
We are actively preparing for our SOC 2 Type 1 audit, formalizing the controls that already govern how we build and operate the platform.
PCI-DSS handled by Lemon Squeezy
We do not store, process, or transmit cardholder data. All payments are securely offloaded to Lemon Squeezy, a PCI-DSS Level 1 compliant provider.
Cloud infrastructure & hosting
Isolated by default, exposed only where necessary.
ISO 27001 data centers
Omnismith runs on Hetzner Cloud. Hetzner data centers hold ISO 27001 certifications, providing an independently audited foundation for physical and operational security.
Network isolation
The platform uses Kubernetes Network Policies, private internal networks, and strict ingress firewall rules that permit HTTPS only. Services are isolated from one another and from the public internet by default.
VPN-only internal access
Internal tooling is not exposed publicly. Administrative surfaces are restricted to VPN-only access.
Data security & architecture
Encrypted end to end, and separated tenant by tenant.
Encrypted at rest
All stateful workloads — PostgreSQL databases and Kafka message brokers — are backed by AES-256 block-level encryption, dynamically provisioned via Longhorn.
Encrypted in transit
TLS 1.3 is enforced across all external endpoints, protecting data as it moves between your clients and the platform.
Strict tenant isolation
Every user and project is isolated within its own dedicated PostgreSQL schema. This strict logical separation is designed to prevent cross-tenant data bleed.
Application security & development
Consistent, automated delivery with a hardened production boundary.
Automated CI/CD deployments
All deployments run through automated CI/CD pipelines, keeping releases repeatable, reviewable, and consistent.
No manual production SSH
Direct manual SSH access to production nodes is prohibited for routine deployments, removing a common source of drift and human error.
Responsible disclosure
We welcome reports from security researchers. If you believe you have found a vulnerability in Omnismith, please disclose it to us responsibly so we can investigate and remediate it.
Report a vulnerability
[email protected]Initial response
Within 48 hours
Please provide enough detail to reproduce the issue, and give us reasonable time to remediate before any public disclosure.