Trust & safety
OneOver keeps you and your data safe.
Audited cloud infrastructure, end-to-end encryption, PCI-compliant payments, and one-click export or delete — and we never train AI models on your prompts or creations.
- SOC 2 Type 2 audited backbone
- Encrypted in transit & at rest
- PCI-compliant payments via Stripe
- Never used to train AI models
- Row-level data isolation
- One-click export & delete
What we mean by trust
Three things we build around
Guardrails baked in
Row-level gates + audited admin access
Every thread and asset is tied to your account with database-enforced access rules so only you can change them. For abuse investigations, trained operators can use elevated internal tools under strict policy—that is narrowly scoped support, not resale of your content.
- Modern OAuth sign-in flows
- Sensitive work stays on the server, never in untrusted browser context
- Audit-friendly operational records where it matters
Upstream isolation
We talk to GPT, Flux, Claude, Ideogram, Grok—they never touch your inbox
Model calls leave our hardened backend with keys we control. Your account identifiers, billing context, auth factors, network signals, and referral metadata stay on our infrastructure unless you deliberately put something in a prompt or upload.
- No silent linking of provider accounts by default
- Guest previews use a minimal server-side footprint
- Bot checks and risk signals protect high-friction flows
Self-sovereignty
Download it, shred it, nuke it
Account Settings includes JSON exports, granular thread wipes, mass media removal with CDN dequeue, and account deletion with billing cancellation. Offline backups and CDN TTLs follow vendor SLAs—see our Privacy Policy for retention detail.
- Portable JSON export with sensible safeguards against bulk scraping
- Removing media queues backend cleanup automatically
- Deleting your account cancels subscriptions through our billing partner
Architecture
HTTPS → Backend APIs → Database & CDN
Your workspace data lives behind database-enforced access rules tied to your account. Inference requests leave our hardened backend with credentials scoped to workloads—not a wholesale copy of your identity. Assistant replies land back in the same access boundary as the session that asked for them.
Flow snapshot
- User ⇄ SPA (signed session)
- SPA ⇄ App data & realtime sync
- SPA ⇄ Secure backend APIs
- Backend ⇄ Model providers (prompt payloads)
- Backend ⇄ Object storage & CDN
- Stripe ⇄ Billing & subscriptions
Upstream disclosure matrix
We send what models need for inference and safety review. Billing identifiers and internal fraud signals stay on our systems—they are not packaged into upstream payloads by default.
| Surface | Transmitted upstream | Withheld upstream |
|---|---|---|
| OpenAI GPT & vision stack | Prompts · inline images/docs you attach · tool metadata | Account identity, billing context, referrals, and session signals stay on OneOver unless you paste them into content. |
| Anthropic Claude | Chat turns · optional PDFs/uploads | Same category as above unless you include it in what you send. |
| Google Gemini / Nano stacks | Multimodal inputs you authorize | Your OneOver sign-in tokens are not forwarded to Google model APIs by default. |
| Flux & Ideogram diffusion | Prompt embeddings & reference images you supply | Contact info, coarse network signals, and guest identifiers are not bundled into image jobs. |
| Grok Imagine & third-party video fabric | Video prompts + temporal params | Workspace metadata unrelated to the clip you asked for. |
Data residency & purge cadence
- Primary database runs on managed infrastructure with backups—destructive deletes propagate on vendor timelines.
- Public media is shared through long, unguessable URLs. If a link leaks, treat it like a secret and replace the file.
- When you delete media, a background cleanup pipeline removes underlying storage objects using tightly scoped infrastructure access.
- Automated retention trims high-volume anti-abuse telemetry over time so datasets do not grow without bound.
Operations
What we document for security reviews
- Separation between everyday app credentials and privileged backend access
- Export and delete primitives in-account (not "email support someday")
- Transparent admin access policy (see our Privacy Policy)
- Stripe as sole cardholder environment