
Compliance

Effective date: March 19, 2026

This page describes the security controls, access management, and infrastructure safeguards that Ontic Labs, Inc. enforces across the Ontic platform and Project Scythe service to protect the confidentiality, integrity, and availability of systems and user data.

Data protection and cryptography

  • Data in Transit: All data transmitted between clients, external APIs (Plaid, Lithic), and internal services is encrypted using TLS 1.2 or higher. Internal routing is secured via Caddy TLS.
  • Data at Rest: All persistent storage, including the primary PostgreSQL database, is encrypted with AES-256 at the volume level (AWS EBS).
  • Column-Level Encryption: Highly sensitive credential materials, including financial access tokens and OAuth tokens, are encrypted at the column level within the database.
  • PCI-DSS Scope Minimization: Ontic does not log, store, or process raw Primary Account Numbers (PAN) or CVVs. Only non-sensitive UUID tokens provided by card issuer APIs are persisted.

Identity and access management

Access to production systems is governed by the Principle of Least Privilege and strict authentication requirements.

  • Infrastructure Layer: AWS Identity and Access Management (IAM) is the centralized authority for all cloud resources, with access granted strictly via defined IAM Roles.
  • Database Layer: Strict PostgreSQL Role-Based Access Control with Row Level Security (RLS) policies ensures users can only access their own tokenized data.
  • Multi-Factor Authentication (MFA) is enforced for all human access to AWS, database, and GitHub environments.
  • Consumer authentication is managed via secure session tokens with Multi-Factor Authentication support.

Zero Trust architecture

Ontic operates on a Zero Trust model. Network locality (e.g., being inside the VPC) does not grant implicit access to services or data.

  • All external and internal service requests must be explicitly authenticated and authorized.
  • The local inference engine (Phi-4 via vLLM) operates in a strictly segregated, air-gapped internal subnet and cannot initiate outbound external requests.
  • Services are deployed within a Virtual Private Cloud (VPC) with strict network isolation.

Non-human authentication

  • External APIs: All interactions with financial data providers and card issuers utilize scoped OAuth tokens or secure API keys encrypted at rest.
  • Internal Routing: All internal microservice traffic is routed through Caddy, which automatically provisions certificates and enforces TLS 1.2 or higher for encrypted transit.

Provisioning and de-provisioning

  • Access to production environments requires explicit approval from the Lead Engineer and is provisioned through centralized IAM roles, never via shared local accounts.
  • Automated De-provisioning: Disabling an individual’s centralized Identity Provider (IdP) account automatically cascades to revoke all AWS IAM, database, and GitHub access simultaneously.

Vulnerability management

  • Automated dependency scanning (e.g., Dependabot) continuously monitors code repositories for known vulnerabilities in third-party libraries.
  • Operating systems and managed services are monitored for critical security updates, which are applied promptly according to severity.

Periodic access reviews and audits

  • Quarterly Reviews: The Lead Engineer conducts a quarterly audit of all active IAM roles, database user privileges, and active API keys.
  • Audit Logging: AWS CloudTrail and database auth logs are enabled and retained to provide an immutable audit trail. Unnecessary or dormant access is immediately revoked.

Incident response

In the event of a suspected security breach or unauthorized data access, Ontic executes the following protocol:

  • Containment: Isolate affected systems and revoke compromised access tokens immediately.
  • Investigation: Determine the scope and nature of the breach using system logs.
  • Notification: Notify affected consumers, regulatory bodies, and API partners within legally and contractually mandated timeframes.

Contact

Security or compliance questions? Reach us at security@onticlabs.ai.

This compliance overview will be updated as our security posture and infrastructure evolve.