Compliance
Omnodex is designed so that organizations operating under regulatory frameworks can use it without expanding their compliance surface. This page explains how Omnodex’s architecture relates to common compliance requirements.
Architecture overview for compliance
Omnodex is a security observability tool that captures AI agent activity. Understanding what data it handles, and where, is key to compliance evaluation.
| Component | Where it runs | What data it touches |
|---|---|---|
| Interceptors | Your machine | Sees tool call metadata (tool names, parameters, timing) |
| Event log | Your filesystem | Stores event records locally |
| Rule engine | Your machine | Analyzes events for risk patterns |
| Dashboard | Your machine (localhost) | Displays events and risk findings |
| Cloud sync (Hosted tier) | Your machine -> cloud | Encrypted on your machine before upload |
| Cloud storage (Hosted tier) | Omnodex cloud (R2) | Encrypted blob only - we cannot read it |
Omnodex does not process, store, or transmit Protected Health Information (PHI) as a primary function. However, if your AI agents handle PHI-adjacent data (e.g., querying medical databases, accessing patient records), Omnodex’s event log may capture tool call parameters that contain or reference PHI.
Free/Community tier: All data stays on your machine. No data leaves your infrastructure. Omnodex is not a business associate in this scenario because there is no data sharing.
Hosted/Pro/Enterprise tiers: The sync encryptor uses AES-256-GCM with client-side key derivation (Argon2id). Data is encrypted on your machine before upload. The Omnodex cloud never holds plaintext, encryption keys, or the ability to derive them. We cannot read your data. However, if your compliance program requires a Business Associate Agreement (BAA) for any vendor that touches encrypted PHI, contact us to discuss.
Practical guidance: If your agents handle PHI, consider keeping Omnodex on the free tier (fully local) until your compliance team has evaluated the cloud tier’s encryption architecture.
SOC 2 compliance report generation is an Enterprise tier feature. It provides automated evidence collection for SOC 2 Type II audits, covering AI agent access patterns, credential usage, and data flow controls.
For organizations undergoing SOC 2 audits today, Omnodex’s event log and risk reports serve as evidence of AI agent monitoring controls. The append-only event log provides tamper-evident audit trails.
Omnodex’s event log may capture personal data if your AI agents process it (e.g., tool calls that query user databases, process emails, or access CRM records).
Data minimization: Omnodex captures tool call metadata, not the full content of agent conversations. The level of detail captured depends on what the AI platform includes in hook payloads - typically tool names, parameters, and timing.
Right to erasure: The omnodex clear command deletes all event log data and the read model. For selective erasure, events are stored one per line (JSONL) in session-scoped files, so individual records can be removed by editing the file.
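Selective erasure by hand is error-prone on a file that other records depend on, so here is an added example of how such an edit can be done safely: rewrite the session file without the events that reference a data subject, keep any line that does not parse rather than dropping it, and replace the file atomically. This is not Omnodex's tooling, and the event fields (ts, tool, params) are an assumed schema; the real log layout is not described on this page. Because the log is append-only, a selective edit is itself a change worth recording in your erasure register so the gap in the audit trail is explained.

```python
"""Added example of selective erasure from a session-scoped JSONL event log.

This is not Omnodex's own tooling. The event fields (ts, tool, params) are
an assumed schema; the real log format is not described on this page.
"""
import json
import os
import tempfile
from pathlib import Path

# Constructed session events containing a hypothetical data-subject identifier.
SAMPLE_SESSION = [
    {"ts": "2025-01-10T09:00:00Z", "tool": "query_crm",
     "params": {"customer_id": "CUST-1042"}},
    {"ts": "2025-01-10T09:00:04Z", "tool": "read_file",
     "params": {"path": "/tmp/report.md"}},
    {"ts": "2025-01-10T09:00:09Z", "tool": "send_email",
     "params": {"to": "someone@example.com", "body": {"ref": "CUST-1042"}}},
]


def references(value, needle: str) -> bool:
    """Recursively check whether `needle` appears in any string inside a JSON
    value, including nested parameter objects and lists."""
    if isinstance(value, str):
        return needle in value
    if isinstance(value, dict):
        return any(references(v, needle) for v in value.values())
    if isinstance(value, list):
        return any(references(v, needle) for v in value)
    return False


def erase_subject(path: Path, needle: str) -> int:
    """Rewrite the JSONL file without events that reference `needle`.

    Returns the number of events removed. Lines that do not parse as JSON
    are kept verbatim rather than silently dropped, and the file is replaced
    atomically so a crash mid-write cannot leave a truncated log.
    """
    removed = 0
    kept = []
    with path.open(encoding="utf-8") as fh:
        for line in fh:
            stripped = line.rstrip("\n")
            if not stripped:
                continue
            try:
                event = json.loads(stripped)
            except json.JSONDecodeError:
                kept.append(stripped)
                continue
            if references(event, needle):
                removed += 1
            else:
                kept.append(stripped)
    fd, tmp_name = tempfile.mkstemp(dir=path.parent, prefix=path.name, suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as out:
        for line in kept:
            out.write(line + "\n")
    os.replace(tmp_name, path)
    return removed


def remaining_tools(path: Path) -> list:
    """Tool names of the events still present, in file order."""
    with path.open(encoding="utf-8") as fh:
        return [json.loads(line)["tool"] for line in fh if line.strip()]


def demo(needle: str = "CUST-1042") -> tuple:
    """Write the constructed session to a temp dir, erase one subject, and
    return (events_removed, tools_remaining)."""
    session = Path(tempfile.mkdtemp()) / "session-0001.jsonl"
    with session.open("w", encoding="utf-8") as fh:
        for event in SAMPLE_SESSION:
            fh.write(json.dumps(event) + "\n")
    removed = erase_subject(session, needle)
    return removed, remaining_tools(session)


if __name__ == "__main__":
    print(demo())  # (2, ['read_file'])
```

The recursive match matters: the identifier in the third constructed event is nested two levels deep in the parameters, where a flat field-by-field check would miss it. Matching is on string values only, so a numeric field that happens to contain the same digits is not treated as a reference.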
Data residency (free tier): All data stays on your machine. No cross-border transfer.
Data residency (cloud tiers): Encrypted sync blobs are stored in Cloudflare R2. Contact us if you need specific region guarantees.
Privacy-preserving telemetry: The feature extractor (Pro tier) uses HMAC-SHA256 hashed identifiers and statistical aggregates only. No raw tool names, file paths, credentials, or conversation content leave your machine.
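To make the telemetry claim concrete, here is an added example of what "HMAC-SHA256 hashed identifiers and statistical aggregates only" looks like in practice, together with a pre-upload check that no raw tool name or path slipped into the payload. This is not Omnodex's feature extractor; the event fields, the secret handling, and the chosen aggregates are assumptions for illustration.

```python
"""Added example of the privacy-preserving telemetry shape described above.

Not Omnodex's feature extractor: the event fields and the aggregate set are
assumptions for illustration. The point is that only keyed hashes and
statistics leave the machine; raw tool names and paths do not.
"""
import hashlib
import hmac
import json
import statistics
from collections import Counter

# Constructed local events; the schema is assumed, not Omnodex's.
SAMPLE_EVENTS = [
    {"tool": "Read", "path": "/home/alice/.aws/credentials", "duration_ms": 12},
    {"tool": "Read", "path": "/home/alice/project/README.md", "duration_ms": 8},
    {"tool": "Bash", "path": None, "duration_ms": 340},
    {"tool": "Read", "path": "/home/alice/project/README.md", "duration_ms": 9},
]


def pseudonymize(secret: bytes, value: str) -> str:
    """HMAC-SHA256 of an identifier under a secret that stays on this machine.

    A keyed hash, not a plain SHA-256: the set of plausible tool names and
    paths is small, so an unkeyed digest could be reversed by dictionary
    lookup on the collector side. Without the secret the collector cannot.
    """
    return hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()


def extract_features(events, secret: bytes) -> dict:
    """Build the telemetry payload: hashed identifiers plus aggregates only."""
    tool_counts = Counter(pseudonymize(secret, e["tool"]) for e in events)
    durations = [e["duration_ms"] for e in events]
    path_hashes = {pseudonymize(secret, e["path"]) for e in events if e["path"]}
    return {
        "tool_call_counts": dict(tool_counts),
        "distinct_paths": len(path_hashes),
        "duration_ms": {
            "count": len(durations),
            "mean": statistics.fmean(durations),
            "median": statistics.median(durations),
            "max": max(durations),
        },
    }


def leaks_raw_identifiers(payload: dict, events) -> bool:
    """Check that no raw tool name or path string appears anywhere in the
    serialized payload; a cheap guard to run before upload."""
    serialized = json.dumps(payload)
    for e in events:
        if e["tool"] in serialized:
            return True
        if e["path"] and e["path"] in serialized:
            return True
    return False


if __name__ == "__main__":
    payload = extract_features(SAMPLE_EVENTS, b"constructed-local-secret")
    print(json.dumps(payload, indent=2))
    print("leaks raw identifiers:", leaks_raw_identifiers(payload, SAMPLE_EVENTS))
```

One design consequence worth noting when reviewing this kind of scheme: a fixed per-machine secret produces stable pseudonyms, which is what makes counts comparable across reports, but it also lets the collector link the same hashed tool or path across reports from one machine. Rotating the secret breaks that linkage at the cost of comparability; which trade-off is right depends on what the telemetry is for.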
Data handling summary
| Concern | Free tier | Cloud tiers |
|---|---|---|
| Data leaves your machine | Never | Only as encrypted blobs |
| Omnodex can read your data | N/A | No (zero-knowledge encryption) |
| Audit trail | Local JSONL event log | Local + encrypted cloud backup |
| Data deletion | omnodex clear | omnodex clear + cloud blob expiry |
| Key management | N/A | Client-side only (Argon2id KDF) |
Questions
If you need help evaluating Omnodex for your compliance program, contact us. We’re happy to work with your compliance or legal team directly.