Private previewDesign partner program is open

Security architecture

Architecture your security team can interrogate.

Onterix is being designed around explicit principals, same-or-stricter source access, data-plane credential isolation, destination-aware protection, exact-action approvals, and reconstructable evidence.

WHOActor · subject · agent · clientidentity
WHATCapability · source · resource · payloadscope
WHERERuntime · region · model · recipientdestination
WHYPurpose · policy · approval · reasondecision
PROOFVersions · hashes · refs · outcomeevidence

Security invariants

Controls that do not become paid bypasses.

Baseline tenant isolation, permission checks, approval enforcement, redaction, idempotency, and audit integrity are intended as platform security foundations—not optional shortcuts.

01

Explicit principals

Humans, agents, services, and system jobs are distinct identities with distinct ownership and grants.

02

Intersection, never union

On-behalf-of access intersects the subject, actor, client, credential, source, and tenant policy.

03

Source-native ceiling

When a source can express permissions, the runtime cannot manufacture broader authority.

04

Credential isolation

Agent hosts and model providers never receive downstream connector credentials.

05

Exact-action approval

Approval authorizes one eligible, versioned payload and cannot expand the execution boundary.

06

Safe evidence

Audit records safe summaries, hashes, versions, findings, and refs—not blind copies of sensitive payloads.

Evidence chain

Reconstruct the decision—not just the API call.

A useful audit record connects identity, source permissions, client trust, protection findings, policy, transformations, approval, execution, and outcome without leaking the sensitive values it is meant to protect.

01Request and identity boundintent
02Source and destination resolvedcontext
03Protection providers evaluatedfindings
04Policy and approval recordeddecision
05Execution and result correlatedoutcome

Customer-controlled plane

Keep sensitive state out of the shared service.

Strict deployment modes are intended to keep the content-bearing execution path and its sensitive operational state in the customer environment.

  • Connector credentials and customer database secrets
  • Source content, indexes, chunks, and embeddings
  • Protection findings, token vaults, and quarantined artifacts
  • Workflow payloads, approval evidence, and execution-local state
  • Customer model routes, KMS/HSM bindings, and audit sinks
  • Time-bound, tenant-approved support access only

Trust status

Private preview means saying exactly what is ready.

The architecture and deployment modes on this site are target commitments under active implementation. Onterix does not claim certifications, service levels, production availability, or verified client and connector coverage that have not been completed.

AreaCurrent public statusHow we present it
RuntimeRunnable Phase 0 scaffold and fixturesPrivate preview development
Connectors and clientsReadiness varies; reference and target pathsLabeled per surface
Deployment modesTarget architecture; not generally availablePlanned
Compliance certificationsNo public certification claimNot claimed
Production SLA and recoveryInternal targets, not a customer SLANot claimed

Security review

Interrogate the design before trusting the runtime.

Design partners receive a scoped architecture and security review tied to the workflow, connectors, data classes, providers, and deployment boundary being evaluated.