Privacy architecture

Zero-knowledge.
By design, not promise.

OTIS Intelligence is built on a principle that we should never be able to read your data — even if compelled. This is an architectural guarantee, not a policy statement.

Your data stays yours

We built OTIS so that
we cannot read your data
— even if asked to

Your financial data is encrypted with a key only you hold, stored in your own cloud environment, and never accessible to OTIS Intelligence.

Client-generated encryption keys

Your key is generated in your browser and never transmitted to us. Only you can decrypt your data. We hold only the encrypted ciphertext.

Your storage, your environment

Connect your existing Google Drive, Microsoft OneDrive, Amazon S3, or your own private server. Encrypted data lives where you choose.

IP-locked activation

Your token locks to your network IP at first activation. No lateral movement, no shared instances between organisations.

Delete everything, instantly

Full data purge on demand. One request removes all data permanently. No retention or backup copies on our side.

Verifiable, not just claimed

Technical architecture documentation available to your security team under NDA. The encryption chain is independently auditable.

// What OTIS Intelligence holds about you
Vendor names & spendAES-256 encrypted
Intelligence reportsAES-256 encrypted
Uploaded documentsnot stored
Findings & analysisAES-256 encrypted
Company nameAES-256 encrypted
Number of employeesnot stored
Email addresslogin only
Run countbilling only
✓ Zero client data readable by OTIS Intelligence — cryptographically enforced
// Connect your existing cloud storage
📁
Google Drive
One-click connect via Google
☁️
Microsoft OneDrive
One-click connect via Microsoft
🪣
Amazon S3
Connect your own S3 bucket
🏗️
Self-hosted
Your own private storage server
Everything stored in your environment is encrypted before it leaves your browser. We receive only what is needed to run your analysis.
The key lifecycle

Your key. Not ours.

From generation to use, your encryption key never leaves your environment. Here is exactly what happens.

01

Generated in your browser

When you first activate OTIS, your encryption key is generated entirely within your browser using the Web Crypto API. It never touches our servers.

02

Downloaded to your device

You download the key as a file before proceeding. This step cannot be skipped. If the key is lost, data encrypted with it cannot be recovered — by design.

03

Sent in every request header

When you log in, your key is retrieved from your browser and sent in the X-Client-Key header with every API request. It exists only in memory during your session.

04

Used to encrypt before storage

Before any client data is written to storage, it is encrypted with your key using AES-256-GCM. The encrypted blob is what our servers and your storage provider see.

05

Used to decrypt on read

When you view your data, the encrypted blob is returned to your browser, decrypted with your key locally, and displayed. We never see the plaintext.

Questions about
our privacy model?

Technical architecture documentation available under NDA. Get in touch to discuss.

Contact us →