Trust center

Built for the world's most private balance sheets.

DomusOS holds some of the most sensitive financial data a household ever generates. We treat that responsibility as the core product, not a checkbox. Here's exactly how.

Identity & access

Enterprise sign-on with SSO (SAML, OIDC), passkeys, time-based MFA, hardware tokens, and granular session controls. There are no shared passwords in the system.

Encryption

TLS 1.3 in transit. AES-256 at rest. Database backups encrypted with separate per-tenant KMS keys. End-to-end encrypted team chat is rolling out now — built on the Signal protocol (X3DH + Double Ratchet), with each device publishing its own keys at sign-in. Once live, neither DomusOS nor our infrastructure providers will be able to read message contents.

Aggregation

We never see your bank or brokerage credentials. Authentication happens inside our aggregation partners' secure widgets. We store an opaque access token, scoped to read-only.

AI privacy

We have zero-data-retention agreements with our model providers. Your portfolio is sent to the model at inference time only, never used for training, never logged on the provider side.

Tenancy

Every household and office sits inside its own logical tenant. Row-level security at the database layer enforces isolation. We test for tenant escape on every deploy.

Backups & DR

Point-in-time recovery to any second within the last 35 days. Multi-region object storage for documents. Quarterly disaster-recovery drills with documented RTO ≤ 4h and RPO ≤ 5min.

Vendor management

We rely on a short list of independently-audited sub-processors for hosting, identity, payments, aggregation, and AI inference. Each carries a current SOC 2 Type II report and a signed DPA. The current register is available under NDA on request.

Disclosure

We run a coordinated vulnerability disclosure program. Report a finding to security@domusos.io — we respond within 24 hours and credit researchers in our hall of fame.

Transparency

What we can see — and what we can't.

End-to-end encryption is built to hide message content from us — and it's rolling out now. But there's a category of data — called metadata — that any messaging system has to handle in the clear to route messages at all. We're explicit about it so you know exactly what shows up in a subpoena response.

We CAN see

  • Who messaged whom
  • When each message was sent
  • Message size (within ~16 bytes)
  • Online status of devices
  • Device names you supplied

We CANNOT see

  • Your private keys
  • The contents of any document you've stored
  • What's in your Domi prompts (zero-data-retention with model providers)
  • Message text, attachments, and reactions — once end-to-end encrypted messaging is live (rolling out now)

Group threads are coming soon — see our changelog. Until then, team threads with three or more participants are read-only while we finish MLS group encryption.

Compliance posture

Where we stand, today.

We share an honest status — what's in place, what's on the roadmap, and what's still aspirational. If there's a framework relevant to your jurisdiction that isn't here, ask us.

SOC 2 Type IIOn the roadmap · audit engagement in planning
GDPRGDPR-aligned · DPA available on request
CCPACCPA service-provider terms · privacy rights honored
HIPAABAA available on Practice tier on request
PCI DSSSAQ A · card data handled entirely by a PCI Level 1 payment processor
Responsible disclosure

Found something? Tell us first.

We'd rather know than not know. Email security@domusos.io with details and a proof-of-concept. We acknowledge within 24 hours, fix within an agreed window, and publish credit (or a bounty) once the fix is shipped.

Running a security review?

We'll answer a CAIQ or SIG-Lite questionnaire, send our DPA, and share our sub-processor register under NDA — usually within one business day.