Security
How we protect your AI workforce.
- Encryption at rest: every credential, session cookie, and OAuth token is encrypted with AES-256-GCM using a key derived from a per-environment secret.
- Encryption in transit: HTTPS with HSTS preload on every request. Let's Encrypt certificate, auto-renewing.
- Employee isolation: each AI employee only has access to credentials, sessions, memory, and connected apps explicitly granted to it. Cross-employee access is impossible at the query level.
- Passwords: we never see your passwords. You log into sites inside our built-in browser — the plaintext never touches our application code.
- Auth: bcrypt-hashed passwords, JWT in httpOnly Secure SameSite cookies, brute-force lockout, rate limiting on every sensitive endpoint.
- Headers: strict CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy on every response.
- Audit log: every action your employees take — and every session read — is logged with timestamp, tool, and cost.
- Wallet: atomic SELECT FOR UPDATE charging prevents race conditions and double-spending of credits.
- Database: PostgreSQL 16 on a local network interface only — not exposed to the public internet.
- Sandbox: the live browser runs in an isolated Chromium context bound to localhost, never reachable from outside the server.
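The wallet charging pattern from the list above, shown as an added SQL example (not 0g0.ai's own code): the `wallets` and `ledger` tables, user id 42 and the 0.7500 cost are constructed for illustration. It puts the racy read-check-write sequence beside the row-locked version and an equivalent single-statement form.

```sql
-- Constructed schema and sample data (assumed, not 0g0.ai's).
CREATE TABLE wallets (
    user_id BIGINT PRIMARY KEY,
    balance NUMERIC(12,4) NOT NULL
);
CREATE TABLE ledger (
    id         BIGSERIAL PRIMARY KEY,
    user_id    BIGINT NOT NULL REFERENCES wallets(user_id),
    tool       TEXT NOT NULL,
    cost       NUMERIC(12,4) NOT NULL,
    charged_at TIMESTAMPTZ NOT NULL DEFAULT now()
);
INSERT INTO wallets VALUES (42, 1.0000);

-- RACY (shown for contrast, do not use): two sessions charging the same
-- user at once can both read 1.0000, both pass the application-side
-- "balance >= 0.7500" check, and both subtract, leaving -0.5000.
BEGIN;
SELECT balance FROM wallets WHERE user_id = 42;          -- both see 1.0000
-- application checks balance >= 0.7500, then:
UPDATE wallets SET balance = balance - 0.7500 WHERE user_id = 42;
COMMIT;

-- SAFE: FOR UPDATE takes a row lock. A second charge for user 42 blocks
-- on its own SELECT ... FOR UPDATE until this transaction commits, then
-- reads the already-debited balance and fails its check.
BEGIN;
SELECT balance FROM wallets WHERE user_id = 42 FOR UPDATE;
-- application checks the locked balance >= 0.7500; ROLLBACK otherwise
UPDATE wallets SET balance = balance - 0.7500 WHERE user_id = 42;
-- record the charge with tool and cost in the same transaction
INSERT INTO ledger (user_id, tool, cost) VALUES (42, 'browser.session', 0.7500);
COMMIT;

-- Equivalent single-statement form: predicate and write are one atomic
-- row update, so no explicit lock is needed. Zero rows returned means
-- insufficient credits and nothing was charged.
UPDATE wallets
   SET balance = balance - 0.7500
 WHERE user_id = 42 AND balance >= 0.7500
RETURNING balance;
```

Running the SAFE block in two psql sessions side by side shows the second session's SELECT ... FOR UPDATE waiting until the first COMMIT, which is the behaviour the wallet line describes.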
Report security issues to security@0g0.ai — we respond within 24 hours.