Trust Center

Privacy by architecture, not by policy.

OmniSight sees connection metadata, never payloads. Your operational data stays on your own infrastructure — we only ever see account and licensing state, never what your endpoints are doing.

visibility_off

What We Will Never Do

OmniSight is a metadata-only platform. We believe you should know where your data is going without looking at what's inside it.

closeNo TLS Interception
closeNo MITM Behavior
closeNo Payload Extraction
checkConnection Metadata Only
shield
Metadata Secured

Where Your Data Lives

Three boundaries, clearly separated.

sensors

Endpoint Agent

HTTPS-only transport with certificate validation. The agent observes connection metadata — it never redirects, injects, or decrypts traffic.

dns

Your Self-Hosted Server

Local API service and local SQLite event store run entirely on your infrastructure. Events, alerts, and operational data never leave your environment.

admin_panel_settings

OmniSight Managed Services

Limited to account state, signed entitlement leases, and private artifact delivery. No operational data, no event content, and no secrets ever pass through managed services.

Security & Control

Enterprise-grade protection is baked into the core, not bolted on as an afterthought.

verified_user

JWT Authentication

Short-lived signed sessions with issuer and audience claims, refresh token rotation, and TLS 1.3 enforcement.

3
RBAC Roles
12
Permissions
sync_lock

Refresh Token Rotation

Automatic token cycling with theft detection and family-based revocation. Stolen tokens are instantly invalidated across the entire session chain.

person_off

Session Invalidation

Password changes instantly revoke all active sessions. Token versioning ensures no stale credentials remain valid.

security

Audit Logging

Immutable logs for every administrative action taken within the platform.

Agent Security Boundaries

What the agent guarantees, by design.

BoundaryGuarantee
No payload captureOnly connection metadata is collected
No TLS interceptionNo MITM, SSL bumping, or certificate spoofing
No traffic modificationThe agent observes; it does not redirect or inject
Secure transportHTTPS with certificate validation
CVE privacyVulnerability matching uses package metadata only — raw CVE detail shows public NVD data, never endpoint files or payloads
System metrics privacyAggregate numeric values only — no command lines, per-connection tuples, ports, destinations, or secrets

Want the full technical architecture?

Read the complete security and RBAC reference, including token model, entitlement enforcement, and audit trail detail.