Trust Center — Oceum

Security Overview

Oceum is built security-first with AES-256-GCM encryption, row-level security on all 32 tables, MFA/2FA enforcement, and 4 completed audit rounds with 47 findings remediated. SOC 2 Type II certification is in progress.

View Full Security Architecture

Compliance Documents

Policies, procedures, and governance frameworks supporting Oceum's SOC 2 readiness posture. Each document is maintained, versioned, and reviewed quarterly.

Incident Response Plan

Detection, escalation, containment, and post-mortem procedures.

Change Management

Code review, CI/CD pipeline controls, and deployment governance.

Data Classification

Sensitivity tiers, handling requirements, and retention policies.

Risk Register

Identified risks, likelihood assessments, mitigations, and residual risk.

Access Control

RBAC, least-privilege enforcement, and access review cadences.

Vendor Management

Third-party risk assessment, due diligence, and ongoing monitoring.

Subprocessors

Infrastructure and service providers that process customer data.

Data Processing Agreement

GDPR-aligned DPA covering data processing obligations and rights.

Data collection, usage, retention, and individual rights.

Service agreement, SLAs, and customer obligations.

Architecture Highlights

Security controls are built into Oceum's architecture at every layer -- from credential storage to agent execution to tenant isolation.

Blind-Relay Vault

Credentials are encrypted with AES-256-GCM and injected at execution time via a blind relay. Oceum operators never see plaintext secrets. Keys are derived per-organization.

AES-256-GCM

Governed Execution

Every agent action passes through approval workflows and action whitelists. No agent can perform unauthorized operations -- all decisions leave an auditable trail.

APPROVAL WORKFLOWS

Multi-Org Isolation

Row-Level Security (RLS) enforced on all 32 tables with mandatory org_id scoping. Every query -- including service-role operations -- is org-bound. No cross-tenant data leakage.

RLS + ORG_ID

Session Security

JWT tokens with 24-hour expiry and 30-minute inactivity timeout. Multi-factor authentication supported across all accounts. Sessions are revocable and auditable.

JWT + MFA

Infrastructure

Production infrastructure is designed for security, reliability, and global performance.

Compute: Vercel serverless functions with global edge network distribution. No persistent servers to patch or maintain.
Database: Supabase Postgres (us-east-1) with automated backups, point-in-time recovery, and connection pooling via PgBouncer.
CI/CD: GitHub-based pipeline with automated npm audit for dependency vulnerabilities and gitleaks for secrets scanning on every commit.
Availability: 99.9% uptime SLA backed by Vercel's edge infrastructure and Supabase's managed Postgres availability guarantees.
Encryption: TLS 1.3 in transit. AES-256-GCM at rest for vault data. Database encryption at rest via Supabase managed encryption.
Monitoring: Sentry error tracking, Vercel analytics, structured JSON logging with audit trails for all agent decisions and credential access.

Security Questions?

Our team is available to discuss Oceum's security architecture, provide additional documentation, or walk through our compliance posture.

Email security@oceum.ai

NDA-gated security documentation, penetration test reports, and SOC 2 audit artifacts are available upon request.