Security
How we protect your data.
Security is a practice, not a badge. This page describes the measures currently in place. It is intentionally specific about what we do — and avoids claiming certifications we don't yet hold.
Encryption in transit
All traffic is served over HTTPS/TLS with HTTP Strict Transport Security (HSTS) enabled. Data moving between your browser and Omnicost is encrypted.
Infrastructure
Omnicost runs on Cloudflare's global edge — Workers for compute, D1 for the database, and R2 for object storage — benefiting from Cloudflare's network-level DDoS protection and isolation.
Browser hardening
We set defensive response headers including X-Content-Type-Options, X-Frame-Options (clickjacking protection), Referrer-Policy, and a restrictive Permissions-Policy.
Authentication & access
Sessions use signed tokens, and integrations use scoped, least-privilege API keys rather than shared credentials. Administrative surfaces are gated and not publicly indexable.
Data minimization & privacy
We collect only what the product needs to function. Personal data handling follows our Privacy Policy, with dedicated privacy and data-protection contacts for requests.
Cost-guarded AI
AI features run behind per-account budgets, rate limits, and kill switches, which limit both spend and abuse exposure on automated endpoints.
Responsible disclosure
Found a vulnerability? We appreciate coordinated disclosure. Email us with details and steps to reproduce, and we'll work with you on a fix. Please don't access other users' data or disrupt the service while testing.
Report a security issue: security@omnicost.com
For privacy and data requests, see our Privacy Policy.