Trust posture

Honest posture for an alpha platform.

We don’t claim certifications we don’t have. This page tells you exactly what OwnLLM does with your data today, what’s on the post-alpha roadmap, and where customer-specific commitments can be negotiated by contract.

Stage: Private alpha
Security contact: security@ownllm.com
Disclosure: 90-day coordinated

Posture — what we commit to today.

TENANCY

Isolated runner per job.

Every training job runs in its own disposable container on a dedicated GPU. No shared state with other customers.

YOUR DATA

Never trains our base.

Your corpus and any future inference traffic are never used to improve our base models. DPA draft available on request.

DATA LIFECYCLE

Dataset wiped after training.

The training dataset is removed from the runner the moment a job completes. The adapter artifact is retained for download.

EXIT

Weights are yours.

Every completed job produces a downloadable LoRA adapter in standard safetensors format. Self-host on any compatible stack.

Compliance — posture, not badges.

OwnLLM is an alpha platform. No SOC 2 report has been issued yet, and we’re not going to claim otherwise. The table below is where each framework stands today.

Framework          Status                  Detail
SOC 2 · TYPE I     Roadmap                 Scoped for the platform’s first post-alpha cycle
SOC 2 · TYPE II    Roadmap                 Begins after Type I report is issued
ISO 27001          Roadmap                 Evaluating certifying bodies
GDPR               Working toward          Draft DPA covering EU data available on request
HIPAA              Not pursued in alpha    Available by contract on Enterprise engagements
FedRAMP            Not pursued             Contact us for regulated deployments

Customers evaluating OwnLLM for regulated use cases can request the current posture document, subprocessor list, and DPA draft via the contact form. Named commitments are negotiable on Enterprise engagements.

Data handling.

At rest

Datasets and adapter artifacts live in object storage with server-side encryption. Credentials and secrets are encrypted at rest in the database.

  • Dataset bytes in S3-compatible storage
  • Adapter safetensors retained on your account
  • User secrets encrypted with per-deployment keys

In transit

TLS on every public endpoint. Uploads use short-lived presigned URLs scoped to a single job.

  • HTTPS enforced on API and web app
  • Presigned-POST dataset upload
  • Orchestrator-runner auth via scoped tokens

During training

Each training job is a fresh container on a dedicated GPU, provisioned for that run only. The runner sees the dataset only while it trains.

  • Runner destroyed after job completes
  • Dataset wiped from runner on completion
  • No background data reuse across jobs

Your corpus

Your data is used only to train the adapter you ask for. Not to train our base models. Not to improve platform models. Never.

  • Written into the DPA draft
  • No cross-customer aggregation
  • No opt-in nudges in the UI either

Incident posture.

During alpha, incident notifications go out by email to affected customers within 24 hours of confirmation, with a written post-mortem within 10 business days. A public status page lands alongside the hosted-inference release.

Security reports: security@ownllm.com — we respond within 72 hours and credit reporters on disclosure if they’d like that.