Compliance & Certifications

Olakai is actively pursuing formal compliance certifications while maintaining rigorous security practices across all infrastructure and operations.

SOC 2 Type II

Audit in progress via Vanta. We are committed to meeting SOC 2 Type II standards across security, availability, and confidentiality.

Vendor Coverage

All core infrastructure vendors — AWS, Stripe, GitHub, Okta, Sentry, and Upstash — maintain SOC 2 Type II or equivalent certifications.

PCI DSS

Payment processing is handled exclusively by Stripe (PCI DSS Level 1). Olakai does not store payment card data.

Hosting & Infrastructure

Olakai is hosted entirely on Amazon Web Services (AWS) in the us-east-1 region, using isolated private networking throughout.

  • Compute: Containerized Next.js applications on AWS ECS Fargate with auto-scaling (2–6 instances based on CPU/memory thresholds)
  • Database: Amazon RDS PostgreSQL 16 in a private subnet with no direct internet access; Multi-AZ enabled in production for high availability
  • Storage: Amazon S3 with server-side encryption for all document storage
  • CDN: Amazon CloudFront for static asset and document delivery
  • Email: Amazon SES for transactional email
  • Network: VPC with public/private subnet isolation; database and application containers reside in private subnets, accessible only via internal routing

Encryption

All data is encrypted in transit and at rest using industry-standard algorithms.

Data in Transit

TLS 1.2+ on all external connections. HTTPS enforced on all endpoints with HTTP 80 redirecting to 443.

Data at Rest

AES-256 encryption via AWS RDS (database) and AWS S3 (file storage). AES-256-GCM for sensitive application fields.

Sessions & Credentials

HMAC-SHA256 signed JWTs in HTTP-only, Secure, SameSite cookies. Passwords stored using bcrypt one-way hashing.

Access Control

Olakai uses Role-Based Access Control (RBAC) with strict multi-tenant isolation enforced at every layer.

Customer Roles

USER
Own data only

ANALYST
Account-wide read access to analytics and dashboards

ADMIN
Full account management — users, billing, configuration

Multi-Tenant Isolation

Every database query is scoped by accountId. No customer can access another customer’s data. This is enforced at the application layer across all repositories, use cases, and server actions, supplemented by automated tests and query guards.
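The accountId scoping and query guard described above can be sketched as follows. This is an added example, not Olakai's code: `guardedStore`, `scopedRepository`, `TenantScopeError` and the sample rows are hypothetical names and constructed data.

```javascript
// Added example: hypothetical tenant guard, not Olakai's code.
class TenantScopeError extends Error {}

const hasTenant = (o) => !!o && typeof o.accountId === "string" && o.accountId !== "";

// Data layer with a query guard: any call without an accountId fails closed.
function guardedStore(rows) {
  const guard = (o) => {
    if (!hasTenant(o)) throw new TenantScopeError("unscoped query blocked");
  };
  return {
    findMany(where) {
      guard(where);
      return rows.filter((r) => Object.entries(where).every(([k, v]) => r[k] === v));
    },
    create(data) {
      guard(data);
      rows.push({ ...data });
      return data;
    },
  };
}

// Repository bound to one session: the tenant comes from the session,
// never from request input.
function scopedRepository(store, session) {
  if (!hasTenant(session)) throw new TenantScopeError("session has no accountId");
  const { accountId } = session;
  const scope = (input = {}) => {
    // A filter naming another tenant is rejected, not silently overwritten,
    // so the attempt surfaces in logs and tests.
    if ("accountId" in input && input.accountId !== accountId) {
      throw new TenantScopeError("cross-tenant accountId rejected");
    }
    return { ...input, accountId };
  };
  return {
    findMany: (where) => store.findMany(scope(where)),
    create: (data) => store.create(scope(data)),
  };
}

// Constructed rows for two tenants.
function sampleStore() {
  return guardedStore([
    { id: 1, accountId: "acct_a", prompt: "alpha" },
    { id: 2, accountId: "acct_b", prompt: "beta" },
  ]);
}
```

The two layers cover different mistakes: the repository stops a request from naming another tenant, and the store guard stops code that bypasses the repository from running an unscoped query.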

Authentication Methods

  • Web Application: OAuth 2.0 / OIDC via Okta or Google, or email/password credentials
  • SDKs: API key authentication (x-api-key header)
  • CLI: OAuth 2.0 Device Flow (RFC 8628) with 30-day JWT tokens
  • Enterprise Provisioning: SCIM 2.0 with bearer token authentication
  • Internal Operations: Olakai staff use a separate MFA-protected console. Support sessions grant time-limited (4-hour) access via single-use tokens, fully audited with initiator identity, target account, and IP address.

Network Security

Our network architecture minimizes attack surface through strict subnet isolation and controlled egress.

  • Public endpoints: Only Application Load Balancers are internet-facing (HTTPS 443 only)
  • Private subnet: Application containers, scheduled tasks, and database have no inbound internet access
  • Outbound traffic: Routed through NAT Gateway; limited to required external services (AI providers, Stripe, SSO, monitoring)
  • Rate Limiting: Sliding window rate limiting on all API endpoints via Upstash Redis, with fail-open graceful degradation and alerting
  • CORS: Dashboard endpoints enforce same-origin policy; monitoring API allows cross-origin requests with API key required
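A sketch of the sliding-window limiter with fail-open degradation and alerting named in the Rate Limiting item, using the timestamp-log variant of a sliding window. This is an added example, not Olakai's or Upstash's code: the store interface (`hit`), `createLimiter`, the `failOpen` switch and the traffic timestamps are assumptions constructed for illustration.

```javascript
// Added example: hypothetical limiter, not Olakai's or Upstash's code.

// In-memory stand-in for the shared store: one timestamp log per key.
function memoryWindowStore() {
  const log = new Map();
  return {
    async hit(key, now, windowMs) {
      // Keep only hits inside the trailing window, then record this one.
      const recent = (log.get(key) || []).filter((t) => t > now - windowMs);
      recent.push(now);
      log.set(key, recent);
      return recent.length;
    },
  };
}

// Constructed store that always fails, to exercise the degraded path.
const brokenStore = {
  async hit() {
    throw new Error("store unreachable");
  },
};

function createLimiter({ store, limit, windowMs, failOpen = true, onDegraded = () => {} }) {
  return async function check(key, now = Date.now()) {
    try {
      const count = await store.hit(key, now, windowMs);
      return { allowed: count <= limit, degraded: false };
    } catch (err) {
      // Store outage: raise an alert, then apply the configured failure policy.
      onDegraded({ key, at: now, error: err.message });
      return { allowed: failOpen, degraded: true };
    }
  };
}

// Constructed traffic: limit 3 per 1000 ms, timestamps in ms.
async function demo() {
  const alerts = [];
  const ok = createLimiter({ store: memoryWindowStore(), limit: 3, windowMs: 1000 });
  const normal = [];
  for (const t of [0, 100, 200, 300, 1150]) normal.push((await ok("key-A", t)).allowed);
  const open = createLimiter({ store: brokenStore, limit: 3, windowMs: 1000, onDegraded: (a) => alerts.push(a) });
  const closed = createLimiter({ store: brokenStore, limit: 3, windowMs: 1000, failOpen: false });
  return { normal, open: await open("key-A", 0), closed: await closed("key-A", 0), alerts };
}
```

While the store is down a fail-open limiter applies no throttling at all, so the alert hook is what bounds the exposure; the `failOpen: false` case shows the alternative policy for endpoints where unthrottled traffic is not acceptable.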

Data Privacy & Governance

Customer data is never shared across tenants, and AI providers process data via API only, with no persistent storage at the provider level.

Prompt Privacy Mode

Optional per-account setting requiring explicit authorization for non-admin users to view prompt content. All access attempts are audit-logged.

AI Processing

AI providers (Anthropic, OpenAI, Google, Mistral) process data via API calls only — no persistent storage at the provider. All API calls use TLS 1.2+.

Acceptable Use Policies

Admins can define and enforce policies users must accept before using monitored AI applications. Acceptance records are permanently retained.

Availability & Reliability

Olakai is designed for high availability with automated scaling, redundancy, and graceful degradation.

Auto-Scaling

ECS scales between 2 and 6 instances based on CPU (60%) and memory (70%) thresholds. Continuous ALB health checks.

Database HA

Multi-AZ RDS deployment in production with automated failover. Daily automated backups retained for 7 days.

Monitoring

Sentry for real-time error tracking. CloudWatch for infrastructure and application logs. AI analytics fail open if upstream services are unavailable.

Audit & Monitoring

Every significant action in the platform is logged with full attribution — who did what, when, and from where.

  • Configuration Changes: All changes to agents, workflows, KPIs, feature flags, and policies logged in the ApplicationChangeLog with user attribution and timestamps
  • Support Access: Every support agent login recorded with initiating user, target account, token ID, and client IP
  • Login Tracking: IP address and timestamp recorded for every user login
  • Billing Events: Stripe webhook events stored with idempotency keys for audit and deduplication
  • Infrastructure Logs: Application and scheduled job logs stored in Amazon CloudWatch

Security Testing

Olakai maintains a layered security testing program combining automated scanning with manual penetration testing.

Automated Scanning

Dependabot enabled across all repositories, continuously monitoring for known vulnerabilities. Security advisories trigger automated PRs reviewed and merged on a priority basis.

Internal Testing

Regular internal security assessments covering OWASP Top 10 vulnerabilities, authentication/authorization flows, multi-tenant isolation, and API security.

Third-Party Pen Testing

Independent penetration testing by qualified external security firms on a periodic basis, covering web application, APIs, and infrastructure.

Incident Response

Olakai maintains a documented incident response process ensuring timely detection, containment, and customer communication.

  • Detection: Real-time alerting via Sentry (application errors), CloudWatch (infrastructure anomalies), and Dependabot (dependency vulnerabilities)
  • Classification: Incidents classified by severity (Critical, High, Medium, Low) based on scope of impact, data sensitivity, and customer exposure
  • Response: Defined escalation path with designated incident leads responsible for containment, root cause analysis, and remediation
  • Communication: Affected customers notified promptly with incident details, impact assessment, and remediation steps taken
  • Post-Incident Review: All significant incidents undergo a post-mortem documenting root cause, timeline, corrective actions, and preventive measures

Vendor Security

All vendors are evaluated for security posture and held to compliance standards appropriate for their role in our stack.

Infrastructure

  • AWS — Hosting, database, storage, CDN (SOC 2 Type II, ISO 27001, FedRAMP)
  • Stripe — Billing and payments (PCI DSS Level 1)
  • Okta — Enterprise SSO (SOC 2 Type II, ISO 27001)
  • Upstash — API rate limiting (SOC 2 Type II)

Development & Monitoring

  • GitHub — Code repository, PR analytics (SOC 2 Type II)
  • Sentry — Error monitoring (SOC 2 Type II)

AI Providers

  • Anthropic, OpenAI, Google Cloud AI, Mistral, Perplexity — API-only, minimal retention, no persistent data storage