Security at OBTO
OBTO is the Glass Box AI platform — designed, built, and operated with security at its core. We protect your data by monitoring, detecting, and proactively preventing security incidents, and we give you the access controls and audit trails to trust autonomous agents in production.
Encryption everywhere
All connections use TLS 1.2+ (HTTPS). Application artifacts and user data are encrypted at rest with AES-256.
Role-based access & MFA
Fine-grained RBAC for users, teams, and organizations, with multi-factor authentication via Google OAuth.
Tenant isolation
Strict multi-tenant data isolation. Your artifacts and workloads are never shared with or visible to other users.
Glass Box audit trails
Every agent action, deployment, and token cost is traced and queryable — full observability, no hidden operations.
Domain-restricted MCP
MCP server connections are restricted to *.obto.co domains to prevent unauthorized access.
No training on your data
We never train machine-learning models on your code, prompts, or artifacts. Your data is yours.
Infrastructure
OBTO runs on managed Kubernetes clusters by default. Enterprise customers can port the entire runtime — workloads, workflows, and data — to their own private cloud or bare-metal Kubernetes, keeping data within their own infrastructure and jurisdiction.
Your responsibilities
Security is shared. You're responsible for reviewing and testing AI-generated code before exposing it to production, configuring appropriate access controls and policy guardrails, and safeguarding any third-party credentials you connect. See our Responsible Use Policy and Privacy Policy for details.
Responsible disclosure
Found a vulnerability? We appreciate responsible disclosure and will work with you to resolve it quickly.
Report security issues to [email protected]. For general questions, use our contact form.