Security by design, not by promise
Octyl's architecture makes it structurally impossible for us to access your code, secrets, or AI conversations. Every claim below is verifiable — not just a privacy policy.
What Octyl cannot see
Every path between you and your AI provider is sealed. Here is exactly what our servers never touch.
Four trust layers
Defense in depth, from encryption at rest through hardware isolation at runtime.
Zero-Knowledge Encryption
Secrets are encrypted with AES-256-GCM in your browser before they ever leave your device. Octyl stores only ciphertext — we never hold the key.
AWS Nitro VM Isolation
Every workspace runs inside a hardware-isolated Nitro enclave. Memory and CPU are physically separated — not even Octyl operators can attach to a running instance.
BYOK — Direct Provider Billing
Your API keys travel from your sealed workspace directly to the AI provider. Octyl never proxies, logs, or caches the request. Your bill is between you and your provider.
E2E Encrypted Access
Terminal sessions are end-to-end encrypted using NaCl box with X25519 key exchange. Only your browser and your workspace can read the stream — Octyl infrastructure sees ciphertext only.
Security resources
Dig into the details. Every architecture decision is documented and auditable.
Zero-Knowledge Encryption Flow
Step-by-step walkthrough of how secrets are encrypted, stored, and injected — without Octyl ever holding a key.
Security Whitepaper
Full architecture document covering threat model, encryption primitives, isolation guarantees, and compliance posture.
Threat Model
Adversary classes, attack surface analysis, and mitigations mapped to each trust layer in the stack.
Compliance & certifications
Meeting you where your security requirements are.
SOC 2 Type II: Audit in progress (Target Q3-Q4 2026)
FedRAMP Moderate: Roadmap (GovCloud-ready now)
Need a custom security review or have questions about our architecture? Reach out to enterprise@octyl.ai.
Ready to build with confidence?
Zero-knowledge isolation on every plan, including free.