Security

How we protect your research data

Our Commitment

Research data is sensitive. Ontelya is designed from the ground up with security as a foundational requirement, not an afterthought. We handle your data with the same rigor you apply to your research.

Infrastructure

  • Encryption in transit

    All data transmitted between your browser and our servers is encrypted using TLS 1.3.

  • Encryption at rest

    All stored data is encrypted at rest using AES-256.

  • Tenant isolation

    Every workspace is logically isolated. Data never leaks between tenants. Every database query is scoped by workspace.

  • Secure file handling

    Uploaded PDFs undergo security validation (magic byte verification, corruption scanning) before any processing begins.

  • No permanent PDF storage

    By default, PDFs are not stored permanently. Configurable retention policies let you control the data lifecycle.

Authentication (Planned)

Email + password with mandatory TOTP-based multi-factor authentication. Google OAuth as an alternative provider. Server-side session tokens with 24-hour inactivity timeout and 7-day absolute expiry.
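How an inactivity timeout and an absolute expiry interact on a server-side session, as an added example that is not Ontelya's code. The `SessionStore` class, the in-memory dictionary, the hashed token key and the explicit `now` argument (seconds) are assumptions made for illustration; only the 24-hour and 7-day values come from this page.

```python
import hashlib
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 24 * 60 * 60           # 24-hour inactivity timeout (from the page)
ABSOLUTE_LIFETIME = 7 * 24 * 60 * 60  # 7-day absolute expiry (from the page)


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


class SessionStore:
    """Hypothetical in-memory store; a real service would use a database."""

    def __init__(self):
        self._sessions = {}  # sha256(token) -> Session

    @staticmethod
    def _key(token):
        # Keep only a digest so a leaked session table yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id, now):
        token = secrets.token_urlsafe(32)  # opaque token, 256 bits of randomness
        self._sessions[self._key(token)] = Session(user_id, now, now)
        return token

    def validate(self, token, now):
        """Return the user id for a live session, else None (and delete it)."""
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        idle_expired = now - session.last_seen >= IDLE_TIMEOUT
        absolute_expired = now - session.created_at >= ABSOLUTE_LIFETIME
        if idle_expired or absolute_expired:
            del self._sessions[key]  # expire on the server, not only in the cookie
            return None
        session.last_seen = now  # activity slides the idle window only
        return session.user_id
```

Because `created_at` is never updated, a continuously active session still ends at the 7-day mark and the user must authenticate again.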

AI & Data Usage

Your documents are never used to train AI models. Extraction is performed using dedicated pipeline infrastructure. AI suggestions never auto-promote to verified status. Human verification is always required.

Reporting Vulnerabilities

If you discover a security vulnerability, please report it responsibly to security@ontelya.com. We take all reports seriously and will respond within 48 hours.