Access Control Policy
Effective March 23, 2026. This policy defines how Oceum manages authentication, authorization, and access to production systems and customer data.
1. Authentication
- JWT-based sessions. All authenticated sessions use JSON Web Tokens with a 24-hour expiry. Tokens are stored in browser localStorage and validated on every API request.
- Password hashing. All passwords are hashed using bcrypt with a cost factor of 10 (2^10 key-stretching rounds) and a per-password random salt. Plaintext passwords are never stored or logged.
- Multi-factor authentication. MFA via Time-based One-Time Password (TOTP) is available for all accounts and required for production access.
- SSO support. Google and Microsoft SSO are supported. Identity provider tokens are verified server-side before granting access.
2. Authorization
Oceum enforces a three-tier role-based access control (RBAC) model, checked on every API call:
- Owner. Full access to all organization resources. Can manage members, billing, integrations, and delete the organization. Only owners can remove admins.
- Admin. Can manage agents, workflows, vault entries, and integrations. Cannot modify billing, remove owners, or delete the organization.
- Member. Read access to agents and dashboards. Can interact with the Orion assistant and view logs. Cannot modify configurations or access the vault.
Membership is verified against the database on every request. Role claims in JWTs are not trusted alone — the database is the source of truth.
3. Token Management
- Token revocation. Logging out invalidates all active sessions via a token_revoked_at timestamp. Any token issued before this timestamp is rejected.
- Account lockout. After 5 consecutive failed login attempts, the account is locked for 15 minutes. The lockout is automatic and logged.
- Password reset. Password reset tokens are single-use and time-limited. Token replay is blocked by comparing the token's issuance time against the last password update: a reset token issued before the most recent password change is rejected, so a token that has already been redeemed cannot be used again.
4. Password Policy
- Minimum 10 characters
- Must contain at least one uppercase letter, one lowercase letter, and one number
- Passwords are checked against common breach lists where feasible
- Password changes invalidate all existing sessions
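The checks described in sections 2, 3 and 4 (per-request membership lookup, the token_revoked_at comparison, single-use reset tokens, and session invalidation on password change) fit together as one request-handling pipeline. The following is an added illustration, not Oceum's code: it implements a minimal HS256 JWT with the standard library, uses in-memory dictionaries as stand-ins for the users and memberships tables, and assumes a 15-minute reset-token lifetime, which the policy only calls "time-limited". The signing key, user and organization names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Assumption: one HS256 signing key (constructed for this example, not a real secret).
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
SESSION_TTL = 24 * 3600   # 24-hour session expiry, as the policy states
RESET_TTL = 15 * 60       # assumption: reset tokens live 15 minutes (policy says "time-limited")

# Constructed stand-ins for the database rows the policy calls the source of truth.
USERS = {"u1": {"token_revoked_at": 0, "password_updated_at": 0}}
MEMBERSHIPS = {("u1", "org1"): "admin"}
ROLE_RANK = {"member": 0, "admin": 1, "owner": 2}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(user_id: str, now: int, purpose: str = "session",
              role_hint: str = "", ttl: int = SESSION_TTL) -> str:
    """Mint an HS256 JWT. 'role' is only a hint; authorize() re-reads the role from the database."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "purpose": purpose, "role": role_hint, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, now: int, purpose: str):
    """Return the claims if algorithm, signature, purpose and expiry all check out, else None."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        if header.get("alg") != "HS256":          # pin the algorithm; never let the token choose
            return None
        expected = hmac.new(SIGNING_KEY, (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            return None
        claims = json.loads(_b64url_decode(p_b64))
    except (ValueError, TypeError):
        return None
    if claims.get("purpose") != purpose or now >= claims["exp"]:
        return None
    return claims


def logout(user_id: str, now: int) -> None:
    """Stamp token_revoked_at; every session token issued at or before it is dead."""
    USERS[user_id]["token_revoked_at"] = now


def authorize(token: str, org_id: str, required_role: str, now: int):
    """Per-request check: valid JWT, not revoked, membership and role read from the database."""
    claims = verify_jwt(token, now, "session")
    if claims is None:
        return False, "invalid or expired token"
    user = USERS.get(claims.get("sub"))
    if user is None:
        return False, "unknown user"
    # iat has one-second resolution, so a token minted in the same second as the
    # logout must be rejected as well: compare with <=, not <.
    if claims["iat"] <= user["token_revoked_at"]:
        return False, "token revoked"
    role = MEMBERSHIPS.get((claims["sub"], org_id))   # database lookup, not the JWT claim
    if role is None:
        return False, "not a member of this organization"
    if ROLE_RANK[role] < ROLE_RANK[required_role]:
        return False, f"role {role} cannot perform a {required_role} action"
    return True, role


def redeem_reset_token(token: str, now: int):
    """Single use: a reset token issued before the last password change is a replay."""
    claims = verify_jwt(token, now, "reset")
    if claims is None:
        return False, "invalid or expired reset token"
    user = USERS.get(claims.get("sub"))
    if user is None:
        return False, "unknown user"
    if claims["iat"] <= user["password_updated_at"]:
        return False, "reset token already used"
    user["password_updated_at"] = now   # the password change itself...
    user["token_revoked_at"] = now      # ...and, per the policy, every existing session dies with it
    return True, claims["sub"]
```

Two details matter more than the rest: the algorithm is pinned server-side rather than read from the token header, and the role inside the JWT is never consulted for the decision, only the membership row is. A user removed from the organization is therefore rejected on their very next call even though their JWT still verifies.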
5. API Key Management
- Hashed storage. API keys are hashed with bcrypt before storage. Only the key prefix is stored in plaintext for lookup purposes.
- Prefix-scoped lookup. API key authentication looks the key up by its plaintext prefix through an index, so verification touches a single record in O(1) rather than iterating over all keys. The prefix is needed as the index because bcrypt hashes are salted: the presented key cannot simply be hashed and used as a lookup value.
- 90-day expiry. API keys expire after 90 days and must be rotated. The Security agent monitors key age and alerts before expiry.
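The three bullets above describe one storage-and-lookup pattern: store the prefix in clear, store only a slow salted hash of the full key, find the candidate record by prefix, then compare hashes. The block below is an added example, not Oceum's implementation. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the example runs without third-party packages; the pattern is identical with bcrypt. The key format ("ok_" plus random characters), the 12-character prefix length and the one-week alert window are assumptions, and the in-memory dictionary is a constructed stand-in for the api_keys table.

```python
import hashlib
import hmac
import os
import secrets

PREFIX_LEN = 12                      # assumption: "ok_" + 9 random chars is the indexed prefix
KEY_TTL = 90 * 24 * 3600             # 90-day expiry, as the policy states
ALERT_WINDOW = 7 * 24 * 3600         # assumption: the age monitor warns a week ahead
# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt so this runs on a bare Python
# install. bcrypt caps its input at 72 bytes; a 46-character key stays well under that.
PBKDF2_ITERATIONS = 100_000
DUMMY_SALT = os.urandom(16)

# Constructed stand-in for the api_keys table, indexed by prefix. The full key is never stored.
API_KEYS: dict = {}


def _hash_key(key: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", key.encode(), salt, PBKDF2_ITERATIONS)


def create_api_key(org_id: str, now: int) -> str:
    """Generate a key, persist only prefix + salted hash + expiry, return the full key once."""
    while True:
        key = "ok_" + secrets.token_urlsafe(32)
        prefix = key[:PREFIX_LEN]
        if prefix not in API_KEYS:      # the prefix is the primary key, so it must be unique
            break
    salt = os.urandom(16)
    API_KEYS[prefix] = {"org_id": org_id, "salt": salt, "hash": _hash_key(key, salt),
                        "expires_at": now + KEY_TTL}
    return key                          # shown to the caller once; not recoverable afterwards


def authenticate_api_key(presented: str, now: int):
    """One indexed lookup by prefix, then a constant-time comparison of the slow hash."""
    record = API_KEYS.get(presented[:PREFIX_LEN])
    if record is None:
        _hash_key(presented, DUMMY_SALT)    # burn the same time so prefix misses are not faster
        return None, "unknown key"
    if not hmac.compare_digest(_hash_key(presented, record["salt"]), record["hash"]):
        return None, "bad key"
    if now >= record["expires_at"]:
        return None, "expired key"
    return record["org_id"], "ok"


def keys_due_for_rotation(now: int):
    """What an age monitor would run: prefixes expiring within ALERT_WINDOW, soonest first."""
    due = [(r["expires_at"], p) for p, r in API_KEYS.items()
           if now < r["expires_at"] <= now + ALERT_WINDOW]
    return [p for _, p in sorted(due)]
```

The three failure reasons are for server-side logs only; the HTTP response to the client should be the same 401 in every case. The dummy hash on a prefix miss keeps the unknown-prefix path from returning measurably faster than the known-prefix path, which would otherwise let a caller confirm which prefixes exist.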
6. Production Access
- Production system access (Vercel, Supabase, GitHub, Stripe) is limited to the founding team.
- MFA is required on all provider accounts with production access.
- All production access is logged and auditable.
- Access reviews are conducted quarterly. Any access no longer required is revoked immediately.
7. Deprovisioning
- Account deletion. When an account is deleted, all associated data is permanently removed, including agents, workflows, logs, memory, vault entries, integrations, and memberships. Deletion cascades through all related tables.
- Membership revocation. Removing a member from an organization is immediate. The user's existing JWTs remain cryptographically valid, but the per-request membership verification check rejects them for that organization from the next API call onward, so no separate session invalidation is needed.
8. Contact
Questions about this policy can be directed to hello@oceum.ai.