Trust & policies
Security
How opheli.ai handles Provider keys, account security, Trust Engine controls, and practical user responsibilities without claiming certifications.
Final legal review required before public launch. This page is professional draft policy content and must be reviewed by qualified counsel before public launch.
Provider Vault
Provider keys are encrypted at rest and handled server-side
Live Provider keys are stored encrypted at rest, used server-side for user-requested Provider calls, and not shown again after save.
Users should rotate or revoke Provider keys directly in the Provider dashboard if they suspect compromise or no longer want opheli.ai to use that Provider account.
Account
2FA and recovery controls help protect access
Where enabled, opheli.ai supports 2FA setup, challenge flows, recovery codes, trusted-device posture, and account security settings.
Users remain responsible for protecting passwords, email accounts, 2FA devices, recovery codes, and Provider dashboards.
Trust Engine
The Trust & Integrity Engine is app-level protection
The Trust & Integrity Engine can record security events, audit high-impact actions, surface system health, throttle sensitive actions, and support Shield Mode or maintenance controls where configured.
These controls are application-level protections for a VPS deployment. They do not replace Nginx rate limits, firewalling, backups, DDoS protection, WAF/edge controls, Provider-side abuse controls, or qualified security review.
No certification claim
No system is perfectly secure
Do not upload secrets unnecessarily. Do not store Provider secrets in Context. Monitor Provider dashboards directly for unexpected usage.
opheli.ai does not claim SOC 2, ISO, HIPAA, GDPR, AI Act, or other certification/compliance status unless separately documented and legally verified.