Security Policy

Effective: 1 December 2025
Last reviewed: December 2025
Version: 1.0
OramisAI Pty Ltd
ABN 54 693 539 936

This Security Policy describes OramisAI Pty Ltd's general approach to information security for its own corporate systems, the Software it develops and maintains, and the cloud-based services it operates. It is incorporated into and forms part of OramisAI's Terms of Service and Privacy Policy. It does not create contractual warranties or performance guarantees beyond those expressly set out in the Terms of Service.

1. Purpose and Scope

This Security Policy ("Policy") describes OramisAI Pty Ltd's general approach to information security for its own corporate systems, the Software it develops and maintains, and the cloud-based services it operates as part of delivering its products.

This Policy applies to:

  • OramisAI's own corporate IT systems, internal networks, and business applications;
  • OramisAI's Software development and release processes;
  • OramisAI's cloud-hosted infrastructure used to deliver the Software where OramisAI operates that infrastructure directly; and
  • OramisAI personnel, contractors, and service providers who access OramisAI systems.

This Policy does not apply to, and OramisAI is not responsible for, the security of:

  • customer-controlled deployment environments, cloud tenants, on-premises systems, or customer-hosted infrastructure;
  • third-party AI model providers, external APIs, or third-party integrations accessed by customers;
  • customer configurations, access controls, encryption key management, or governance settings within the Software; or
  • end user devices, networks, or systems outside OramisAI's operational control.

Security obligations in relation to customer-controlled deployments rest with the Customer as described in the Terms of Service.

2. OramisAI's Security Approach

OramisAI uses commercially reasonable efforts to maintain appropriate security for its own systems and the Software it operates. Security measures are selected and maintained based on OramisAI's assessment of reasonable risk, the nature of its operations, available technology, and the cost of implementation.

OramisAI's security approach is informed by, but does not constitute formal certification against, recognised industry frameworks. OramisAI does not represent compliance with any specific security standard unless expressly certified and stated in a signed contractual instrument.

Security is a shared responsibility. OramisAI is responsible for the security of its own systems and the Software it operates. Customers are responsible for the security of their deployment environments, configurations, data, and user access.

3. OramisAI System Security Measures

OramisAI uses commercially reasonable efforts to implement and maintain the following categories of security measures for its own systems and infrastructure. The specific tools, configurations, and controls within each category are determined by OramisAI at its discretion and may change over time. Nothing in this Section creates a contractual obligation to maintain any specific control or configuration.

3.1 Access Controls

OramisAI applies access controls to its internal systems and infrastructure based on the principle of limiting access to those who require it for their role. Access to production systems is subject to internal authorisation processes. OramisAI uses commercially reasonable authentication controls for its own staff accessing its systems.

3.2 Data Handling

OramisAI applies encryption to data in transit over public networks using commercially accepted protocols. OramisAI applies encryption at rest to data stored in its own operated infrastructure where OramisAI considers it appropriate to the sensitivity of the data.

3.3 Network and Infrastructure

OramisAI's cloud infrastructure is hosted with reputable third-party cloud providers. OramisAI applies commercially reasonable network security controls to its own operated environments. OramisAI is not responsible for the underlying security of third-party cloud provider infrastructure.

3.4 Vulnerability Management

OramisAI uses commercially reasonable efforts to monitor for and address known vulnerabilities in the Software it develops and the systems it operates. This may include periodic vulnerability reviews and the application of patches and updates. OramisAI does not commit to specific patch timelines, scanning frequencies, or remediation SLAs beyond those expressly set out in a signed agreement.

3.5 Security in Software Development

OramisAI uses commercially reasonable efforts to incorporate security considerations into its software development practices, including code reviews, testing, and the use of software composition analysis tools.

3.6 Endpoint and Personnel Security

OramisAI applies commercially reasonable controls to the devices used by its employees and contractors to access OramisAI systems. OramisAI personnel with access to sensitive systems or customer data are subject to confidentiality obligations.

3.7 Third-Party Providers

OramisAI uses commercially reasonable efforts to assess material providers before engagement and to include appropriate security obligations in its agreements with them. OramisAI is not liable for security failures of third-party providers beyond OramisAI's reasonable control. A list of OramisAI's material sub-processors is available on request.

4. Security Incident Management

4.1 OramisAI's Incident Response

OramisAI maintains commercially reasonable processes for identifying, assessing, and responding to security incidents affecting its own systems. Where OramisAI becomes aware of a security incident that has directly affected data held in OramisAI's own operated systems, OramisAI will:

  • assess the nature, scope, and potential impact;
  • take commercially reasonable containment and remediation steps;
  • notify affected customers within the timeframe required by the applicable Data Processing Agreement or otherwise within a reasonable period; and
  • comply with applicable legal notification obligations, including under the Notifiable Data Breaches (NDB) scheme.

4.2 Customer-Controlled Environment Incidents

OramisAI is not responsible for detecting, managing, or remediating security incidents that originate within or are limited to a customer's own deployment environment. Where a security incident occurs within a customer-controlled environment, the customer is solely responsible for:

  • detecting and assessing the incident;
  • containing and remediating it within its own systems;
  • notifying affected individuals and regulators as required by applicable law; and
  • preserving evidence and cooperating with any required investigation.

If a customer believes a security incident has affected shared OramisAI infrastructure or systems, the customer should contact OramisAI using the contact details in Section 8 as soon as practicable.

4.3 No Warranty of Incident Prevention

OramisAI does not warrant that its security measures will prevent all security incidents, data breaches, unauthorised access, or loss of data. OramisAI's liability in connection with any security incident is limited as set out in the Terms of Service.

5. Enterprise Security Features in the Software

The Software includes configurable security and governance features that customers may enable and configure within their own deployments. Availability depends on the customer's product tier and Order Form. Features available may include:

  • role-based access control (RBAC) with configurable permission structures;
  • single sign-on (SSO) and enterprise identity provider (IdP) integration;
  • configurable audit logging with export and retention options;
  • Bring Your Own Key (BYOK) encryption with customer-managed key stores;
  • data residency configuration to restrict processing to customer-selected regions;
  • AI governance policy enforcement and configurable guardrails; and
  • deployment options supporting dedicated or customer-controlled infrastructure.

Customers are solely responsible for configuring these features appropriately for their own security requirements, regulatory obligations, and risk profile.

6. Customer Security Responsibilities

As described in the Terms of Service, customers are solely responsible for the security of their own deployment environments and for configuring the Software's security features appropriately.

6.1 Environment Security

Customers are responsible for securing the infrastructure, networks, and systems within which the Software is deployed, including cloud environments, on-premises systems, third-party hosting platforms, and any systems used by Authorised Users to access the Software.

6.2 Access and Identity Management

Customers are responsible for managing Authorised User accounts, credentials, and access rights, including promptly revoking access for departing users and configuring RBAC and IdP integrations available in the Software.

6.3 Encryption and Key Management

Where customers deploy the Software with Bring Your Own Key (BYOK) encryption, they are solely responsible for the management, security, rotation, backup, and revocation of their encryption keys. OramisAI is not liable for data loss or inaccessibility arising from customer key management decisions.

6.4 Governance Configuration

Customers are responsible for configuring the Software's governance, policy enforcement, and audit logging features in a manner appropriate to their use case, industry, and regulatory requirements. OramisAI's governance features are best-effort technical tools and do not guarantee the detection or prevention of all policy violations or security events.

6.5 Backups and Data Recovery

Customers are responsible for maintaining independent, adequate backups of Customer Data. OramisAI is not a backup provider and does not guarantee data recovery in the event of loss within a customer-controlled environment.

6.6 Third-Party Integrations and AI Models

Customers are responsible for assessing and managing the security of third-party AI models, external APIs, and other integrations they deploy alongside or within the Software.

6.7 Reporting Security Concerns

Customers should promptly notify OramisAI if they become aware of a security vulnerability, incident, or suspected compromise affecting OramisAI's own systems. Contact details are provided in Section 8. OramisAI also maintains a responsible disclosure process for security researchers, available on request.

7. Changes to Security Measures

OramisAI may update, modify, add to, or remove security measures and controls at any time as it considers appropriate. Where changes to OramisAI's security measures may materially affect a customer's own security posture or compliance obligations, OramisAI will use commercially reasonable efforts to provide reasonable advance notice to affected customers where practicable. This Policy will be updated to reflect material changes. The current version is always available at www.oramisai.com.

8. Security Contact

Security Team

OramisAI Pty Ltd

Email: security@oramisai.com

Website: www.oramisai.com

Responsible disclosure: available on request

For privacy-related security concerns (including data breaches affecting personal information), please also contact the Privacy Officer as described in the Privacy Policy.

9. Related Documents

This Security Policy should be read together with the following OramisAI documents:

  • Terms of Service — sets out OramisAI's binding security obligations, customer security responsibilities, liability limitations, and Bring Your Own Key provisions.
  • Privacy Policy — governs OramisAI's handling of personal information, including security measures for personal data and obligations under the Notifiable Data Breaches scheme.
  • Data Processing Agreement (DPA) — available on request for enterprise and government customers; governs security obligations where OramisAI processes personal information as a service provider.
  • Acceptable Use Policy — governs customer obligations in relation to the security and lawful use of the Software. Available on Order Form.

10. Limitation of Liability

This Policy is published for transparency purposes and does not create any contractual obligation, warranty, or guarantee beyond what is expressly set out in the Terms of Service. OramisAI's liability in connection with any security incident, data breach, or failure of security measures is limited as set out in the Terms of Service, including the aggregate liability cap, the exclusion of consequential loss, and the exclusions for customer-controlled environments.