Layered controls for tool-enabled AI. EEA-first data residency by design.
Obsigen is designed with layered controls — from transport encryption to content safeguards to sandboxed code execution.
Conversations, files, embeddings and audit logs persist to your tenant — your database, your object store, your SIEM, under your keys. We hold service configuration and operational telemetry only. Minimal-retention by design.
JWT-based authentication using RS256 / ES256 (asymmetric). Signing keys are held in KMS / HSM, and session expiry is configurable.
Enterprise SSO via SAML 2.0 and OIDC. SCIM provisioning for user lifecycle. MFA enforced for admin access.
Every prompt, tool call, retrieval and policy decision is logged in a SIEM-friendly format (JSON / OTLP) — written to your storage, under your retention. EU AI Act Article 12 ready. We provide the audit primitives; you hold the data.
Prompt-injection and jailbreak detection, output safety filters, and policy enforcement on sensitive operations.
Ephemeral containers hardened with gVisor / Firecracker. No network egress, enforced timeouts, per-run teardown. No data persists between executions.
| Layer | Control |
|---|---|
| Customer-held data | Conversations, files, embeddings & logs persist to your tenant — your DB / object store / SIEM, your keys, your retention. We hold service config and operational telemetry only. |
| Authentication | JWT (RS256 / ES256, asymmetric). Signing keys held in KMS / HSM, configurable session expiry. |
| Identity & SSO | SAML 2.0 / OIDC, SCIM provisioning, MFA enforced for admin access |
| Authorization | RBAC with scoped roles, IDP group mapping |
| Audit logging | Every prompt, tool call, retrieval & policy decision logged in SIEM-friendly format (JSON / OTLP), written to your storage. EU AI Act Article 12 ready. |
| Content safeguards | Prompt-injection & jailbreak detection, output safety filters, policy enforcement on sensitive operations |
| Code execution | Ephemeral containers hardened with gVisor / Firecracker — no network egress, enforced timeouts, per-run teardown. No data persists between executions. |
| File handling | MIME checks, size limits, controlled retention under customer policy |
| Transport | TLS 1.2+ (HTTPS), HSTS enforced |
| CORS | Strict origin policy |
| Rate limiting | Redis-based throttling, per-tenant & per-endpoint |
| Secrets | Vault / KMS-managed, rotation enforced, no keys in code or images |
Obsigen is designed to keep persistent data under your control, EEA-first. No data leaves the European Economic Area without explicit configuration.
| Data Type | Stored Where | Notes |
|---|---|---|
| Chat history | MySQL (EEA) | Full control & retention |
| Sessions / rate limits | Redis (EEA) | Fast + configurable TTL |
| Uploaded files | Temp storage (EEA) | Controlled retention |
| Generated artifacts | Local output (EEA) | PPTX, images, code outputs |
| Inference prompts | Transient (EEA inference) | No PII/secrets forwarded |
Our team can provide detailed documentation and discuss your specific requirements.