OSP.net

Security architecture

Why OSP is safer by design.

Your agent isn’t an app on your laptop and it isn’t a seat on a shared bot. It’s an isolated cloud service with its own walled-off container, its own data, and secrets it can read but never keep. Here’s exactly how that works — in plain terms.

Governance on every messageOne container per customerOAuth, never your passwordEncrypted secrets vaultRow-level data isolation
Default-on · included free

The governance layer

Programmable guardrails on every message — in, out, and before every action.

Most AI tools just tell the model to behave and hope it listens. OSP doesn’t. Every customer gets a separate governance layer wrapped around their agent that enforces policy independently of the model. Every incoming message is inspected before the agent sees it, every reply is checked before it leaves, and every sensitive action is gated before it runs — and every decision is written to an audit log. It’s on by default for every customer, included free. Not an upsell, not an add-on: secure by design.

Here's what's protecting you

Every message your agent handles runs through these checkpoints before it reaches the model — and before any reply comes back.

Message in
What someone sends your agent
Injection blocked
Stops "ignore your rules…" attacks
PII redacted
SSNs, cards, emails, secrets
Safe model call
The model only sees clean, safe input
Reply
Checked on the way out, too
How the three settings differ
Disable
Lean● your setting
Full
Block prompt-injection attacks
Redact structured PII (SSN, cards, emails)
Detect names & locations
No guardrails — raw model.Recommended for most agents.Strictest — adds name/location.
What comes in · input guardrails
  • Prompt-injection & jailbreak detection and blocking — caught before the agent ever sees the message
  • Topic & scope control — you define what it will and won’t discuss; off-topic is refused, not just discouraged
  • Abuse & off-topic filtering on the way in
What goes out · output guardrails
  • PII redaction — SSNs, card numbers, secrets and contact details scrubbed from replies
  • Unsafe & harmful-content blocking before anything reaches you
  • Hallucination / fact-check guard on what the agent claims
What the agent does · action guardrails
  • Approval required before sensitive actions — sending money, deleting data, emailing on your behalf
  • Tool allow-lists — the agent can only call what you permit
  • Arguments and results validated before they touch outside systems

Conversation & retrieval guardrails

Dialog rules keep conversations on approved flows, and anything the agent retrieves to answer you is checked before it’s used — so a poisoned document can’t steer it.

Audit log of every decision

Every guardrail trigger — what was allowed, altered, or blocked, and why — is logged. You can see exactly what the governance layer did, on every message.

Fail-safe by default

If a guardrail can’t run, the system fails safe rather than waving a message through ungoverned. Enforcement is per-message — it can’t be skipped.

This is a real enforcement layer that runs as separate, deterministic checks around the model — not instructions buried inside a prompt that a clever attacker can talk past. It’s model-agnostic, so it protects you no matter which model your agent runs on. Read the engineering deep-dive →

Runs in the cloud, not on your machine

Nothing runs on your laptop or your phone.

The OSP agent is a service that lives in the cloud. Your devices are just windows you talk through — Telegram, Slack, email. The work, the keys, and the memory never touch the machine in your pocket. Lose your phone and your agent keeps running, untouched.

One private container per customer

Your own sealed box. Walls, not promises.

Every customer gets their own isolated container — its own virtual computer, on its own network segment, firewalled off from every other customer. There is no shared runtime where one customer’s agent could reach into another’s. The isolation is architectural, not a policy we ask people to respect.

The platform never sees your passwords

Connect Google, Microsoft, or any app — without handing us a password.

When you connect an app — Gmail, Calendar, Drive, Outlook, Teams, Slack, your CRM, and any other app you connect — you sign in with that provider directly using OAuth. Your password goes from you straight to the provider — never through OSP. All we ever receive is a scoped, revocable token: permission to do specific things, that you can switch off at any time from the provider’s settings. The same is true for every OAuth integration, not just Google and Microsoft.

Secrets encrypted in a vault

Keys are injected at boot — and never written down.

Your model API keys and channel tokens live encrypted in a secrets vault. They are injected into your container in memory, only at runtime, only when it starts. They are never written to a database column, never baked into the agent’s image, never committed to code, and never printed to logs. When the container stops, the in-memory copy is gone.

Database isolation

Row-level security: your rows are yours.

Beyond the container walls, your data is isolated at the database layer too. Postgres row-level security policies mean every query is scoped to its owner automatically — there is no query that can return another customer’s rows, even by mistake. Two layers, both required: network isolation for the runtime, RLS for the data.

Leak-proofing in the pipeline

Every release is scanned before it ships.

Our build pipeline runs automated branding and secret scans as a hard gate on every release. If a credential or anything that shouldn’t be there slips toward a shipped image, the build fails — it doesn’t go out. Safety is enforced by the machine, not left to someone remembering to check.

The honest part

The same common-sense rule you already live by.

Here’s the truth no security page should hide: just like your phone, your email, and your bank login, if someone gets your login, they can get in. That’s not unique to OSP — it’s the same risk surface you already trust every single day. The good news: protecting it is the same habit you already know.

Protect your login

Turn on two-factor authentication and use a strong, unique password — exactly as you would for your bank.

You can revoke anytime

Because connections use scoped tokens, you can pull access from your provider’s settings the moment you want to.

OSP adds isolation on top

On top of that familiar login, you get your own container, your own data walls, and a vault for your keys.

For engineers & security teams

Need the technical details?

This page is the plain-English version. If you’re a security engineer, architect, or CISO evaluating OSP, the architecture deep-dive covers tenancy isolation, the OAuth broker, secrets handling, row-level security, the full guardrail catalog, supply-chain controls, and an honest shared- responsibility model.

Read the architecture deep-dive →

Secure by architecture. Live in five minutes.

Your own container, your own data walls, your keys in a vault — from the first message.

Deploy your agent →Architecture deep-dive
Latest: v0.4.16
Security architecture — OSP.net