Enterprise grade security for regulated environments.
SOC 2 Type II certified. Flexible deployment options (cloud-hosted, private VPC, or fully on-premises). Your data stays in your control.
What you need to know.
Oxus is built on the same standards audit teams apply to the systems they review: traceable, access-controlled, and defensible at every step.
SOC 2 Type II
Final report and supporting documentation available at trust.oxus-ai.com.
US-only data residency
Customer data is stored exclusively in the United States. No cross-border data transfer.
Dedicated tenant isolation
Each customer is provisioned a dedicated database and dedicated object storage bucket. No shared data stores between tenants.
No AI training on your data
Customer data is never used to train or improve AI models.
Flexible enough for your environment.
Not every organization can put audit data in the cloud. Oxus supports cloud-hosted, private VPC, and fully on-premises deployments, with equivalent data storage options.
Deployment options
Dedicated, logically isolated environment fully managed by Oxus. Fastest to deploy, lowest operational overhead.
Deploy into your approved private cloud or VPC with tighter network controls, security tooling alignment, and restricted egress.
Oxus runs entirely within your controlled environment. Application services, data, and AI processing stay inside your network boundary.
Data storage options
Raw evidence files and platform metadata stored in a customer-isolated Oxus environment.
Raw evidence files in your storage; Oxus manages platform metadata and workflow state.
Both raw files and platform metadata stored in customer-controlled storage where required.
Controls you can audit.
Audit teams hold their vendors to the same standard they apply to their own systems. Oxus is built to meet that bar.
SSO
Customers can connect their identity provider via SSO. MFA is supported and available for all accounts.
Role-based access
Separate roles for admins, members, viewers, and auditees. Access is scoped based on role.
Encryption
AES-256 encryption at rest across all databases and object storage. TLS 1.2+ in transit.
Vulnerability management
Dependency scanning and DAST run continuously. Public-facing systems scanned quarterly. Annual penetration test.
How AI uses your data.
Oxus uses AI to process audit evidence. Here is exactly how that works, and what we do not do.
No training on your data
Customer data is not used to train or improve AI models, by Oxus or any of our AI subprocessors. This is enforced by provider data processing agreements.
Flexible AI deployment
Oxus can call a customer-hosted LLM, use customer-managed external API credentials, or manage the LLM provider directly, depending on your requirements.
AI augments, auditors decide
AI reduces manual work in evidence gathering, testing, and documentation. Final approvals and sign-offs remain with your team.
Subprocessor agreements
All AI subprocessors are engaged under DPAs covering confidentiality, security, and data-use restrictions.
Full documentation in our trust center.
Our trust center includes our SOC 2 Type II report, security policies, subprocessor list, and penetration testing summaries. We also complete security questionnaires on request.