Privacy by architecture, not by policy.
OmniSight sees connection metadata, never payloads. Your operational data stays on your own infrastructure — we only ever see account and licensing state, never what your endpoints are doing.
What We Will Never Do
OmniSight is a metadata-only platform. We believe you should know where your data is going without looking at what's inside it.
Where Your Data Lives
Three boundaries, clearly separated.
Endpoint Agent
HTTPS-only transport with certificate validation. The agent observes connection metadata — it never redirects, injects, or decrypts traffic.
Your Self-Hosted Server
Local API service and local SQLite event store run entirely on your infrastructure. Events, alerts, and operational data never leave your environment.
OmniSight Managed Services
Limited to account state, signed entitlement leases, and private artifact delivery. No operational data, no event content, and no secrets ever pass through managed services.
Security & Control
Enterprise-grade protection is baked into the core, not bolted on as an afterthought.
JWT Authentication
Short-lived signed sessions with issuer and audience claims, refresh token rotation, and TLS 1.3 enforcement.
Refresh Token Rotation
Automatic token cycling with theft detection and family-based revocation. Stolen tokens are instantly invalidated across the entire session chain.
Session Invalidation
Password changes instantly revoke all active sessions. Token versioning ensures no stale credentials remain valid.
Audit Logging
Immutable logs for every administrative action taken within the platform.
Protection Layer
Rate limiting on all API endpoints, bcrypt password hashing, HttpOnly secure cookies, and security response headers (HSTS, CSP, X-Frame-Options, Referrer-Policy) to mitigate XSS, CSRF, and clickjacking risks.
Agent Security Boundaries
What the agent guarantees, by design.
| Boundary | Guarantee |
|---|---|
| No payload capture | Only connection metadata is collected |
| No TLS interception | No MITM, SSL bumping, or certificate spoofing |
| No traffic modification | The agent observes; it does not redirect or inject |
| Secure transport | HTTPS with certificate validation |
| CVE privacy | Vulnerability matching uses package metadata only — raw CVE detail shows public NVD data, never endpoint files or payloads |
| System metrics privacy | Aggregate numeric values only — no command lines, per-connection tuples, ports, destinations, or secrets |
Want the full technical architecture?
Read the complete security and RBAC reference, including token model, entitlement enforcement, and audit trail detail.