Privacy And Security
Configure what data can move, what gets redacted, and verify that provider credentials never leave your environment.
Project policy defines what can move, what is retained, and what must stay in the customer environment.
Boundary Model
The public control plane supports cloud and anonymized telemetry modes. Private deployments can keep provider secrets and private payload ownership in the customer environment.
| Boundary | Meaning |
|---|---|
| Cloud control plane | Olyx receives the governed API request and records allowed telemetry |
| Anonymized telemetry | Trace data is reduced according to project policy |
| Customer-managed payloads | Olyx stores references instead of private payloads |
| Private deployment | Runtime and provider secrets remain in the customer-controlled environment |
PII Scrubbing
PII signals are detected and recorded so the project can route, redact, alert, or block according to policy.
Use synthetic values when testing:
Customer email: alex@example.com
Phone: +1 415 555 0101
Synthetic SSN: 123-45-6789
Do not use real personal data in demo prompts.
Secret Detection
Secret patterns detect values that look like credentials or tokens. Actions are configured per project.
| Action | Behavior |
|---|---|
| alert | Record the signal and continue if policy allows |
| redact | Remove or mask matching values before storage or downstream use |
| block | Stop execution before the request reaches the model |
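
The three actions in the table, applied to the synthetic values from the PII Scrubbing section, as an added Python example that is not Olyx code. The regex patterns, the `POLICY` mapping, the `apply_policy` function and the `tok_` token format are assumptions made for illustration, as is the choice to mask the stored copy when a request is blocked.

```python
import re

# Illustrative detectors (assumed patterns, not Olyx's rule set).
DETECTORS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"\+\d{1,3}(?:[ -]\d{2,4}){2,4}"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "secret": re.compile(r"\btok_[A-Za-z0-9]{16,}\b"),  # hypothetical token format
}

# Hypothetical project policy: signal kind -> action from the table above.
POLICY = {"email": "alert", "phone": "redact", "ssn": "redact", "secret": "block"}

# Constructed sample: the synthetic test values from this page.
SAMPLE = (
    "Customer email: alex@example.com\n"
    "Phone: +1 415 555 0101\n"
    "Synthetic SSN: 123-45-6789"
)


def apply_policy(text, policy=POLICY):
    """Return (allowed, text_for_storage, signals) for one request body."""
    allowed = True
    signals = []
    for kind, pattern in DETECTORS.items():
        hits = pattern.findall(text)
        if not hits:
            continue
        action = policy.get(kind, "alert")
        # Record kind, action and count only, so the signal never holds the value.
        signals.append({"kind": kind, "action": action, "count": len(hits)})
        if action == "block":
            allowed = False  # caller must stop before the model is called
        if action in ("redact", "block"):
            # Assumption: a blocked request is also masked in the stored copy.
            text = pattern.sub(f"[{kind.upper()} REDACTED]", text)
    return allowed, text, signals


if __name__ == "__main__":
    print(apply_policy(SAMPLE))
    print(apply_policy("Authorization: tok_CONSTRUCTED0000000000"))
```
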
Injection Detection
Injection signals identify requests that attempt to override system behavior, extract private instructions, or bypass policy. The dashboard records injection attempts as security signals on traces.
Audit History
Audit and governance views help teams answer who changed what and which requests were affected.
Review:
- project changes
- key changes
- team membership changes
- routing and guardrail changes
- trace and replay decisions
- docs feedback for internal Olyx review
Safe Data Practices
Do:
- use local references for sensitive payloads
- keep provider secrets in customer-managed secret stores where required
- scope API keys to projects
- redact secrets from logs and screenshots
- use private deployment boundaries for private models
Do not:
- place real secrets in trace metadata
- expose API keys in browser code
- assume replay can run in cloud when policy requires local payload ownership
- use public examples with real customer data
Next Steps
- Use Policy Schema for guardrail fields.
- Use Traces to inspect security signals.
- Use Governance for ledger evidence.