0h1bai.co
Trust

Tenant isolation, audit chains, and a sub-processor list we publish.

We treat security as the moat. Foundation model improvements erode orchestration cleverness; they don't erode an honest compliance posture.

Tenant isolation

Schema-per-tenant

Per-tenant Postgres schema, separate IAM creds, separate vector namespace, per-tenant KEK in AWS KMS.

Audit retention

7 years

Append-only ledger with cryptographic chaining; periodic anchoring to S3 Object Lock for tamper-evidence.

Code sandbox

Firecracker microVMs

E2B-based hardware virtualization for agent-generated code execution. Container isolation is insufficient.

Compliance roadmap

We are pre-launch. Below is the timeline we've committed to. Numbers are conservative — we'd rather underpromise.

GDPR / UK-GDPR baseline (controller / processor split, DPAs, SCCs)At launch
CCPA / CPRA + state privacy regimesAt launch
SOC 2 Type IWithin 6 months of launch
SOC 2 Type IIWithin 18 months of launch
Annual third-party penetration testOngoing
ISO 27001Year 2
HIPAA — out of v1 scope, architecture does not preclude later certificationYear 2+

Sub-processors

We publish this list. 30-day notice before adding a sub-processor. Listed below are current and planned vendors as of v0.1.

VendorPurposeRegion
AnthropicFoundation model (Claude Opus/Sonnet/Haiku)US
OpenAIFoundation model (GPT-5 series)US
Google CloudFoundation model (Gemini)US
AWSCompute, Postgres (Aurora), S3, KMSUS-East / EU-West
CloudflareEdge, CDN, WAF, R2 object storageGlobal
VercelMarketing site + child-company app hostingGlobal
StripePlatform billing (Stripe Billing + Stripe Tax)US / EU
PersonaIdentity verification (KYC)US
AnrokSales tax monitoring and remittanceUS
FirstbaseDelaware LLC formation APIUS
WorkOSAuth (SSO, magic link)US
Temporal CloudDurable workflow executionUS
Datadog / Better StackLogging, metrics, tracesUS / EU
Langfuse (self-hosted)LLM observabilitySelf-hosted, US

Prohibited use (summary)

We refuse certain business categories at intake. This is enforced by a classifier, not by good intentions. See the full Acceptable Use Policy for details.

Healthcare-adjacentRegulated financial servicesAnything for minors (COPPA)Licensed professionsPhysical goods / FDA-regulatedTwo-sided marketplacesB2B enterprise sales >$10k ACVHardwarePolitical / political adsGamblingAdult contentFirearms / weaponsControlled substancesCrypto / tokenizationSecurities solicitationCold outbound at scale

Security disclosures

Disclosure inbox: security@0h1bai.co — PGP key forthcoming.

Response SLA: Acknowledgement within 48h. Initial triage within 5 business days. Resolution timeline depends on severity.

Bug bounty: Private program launching alongside SOC 2 Type I. Prompt-injection findings are explicitly in scope.