Security

Last updated: August 10, 2025

OneShot is built with modern frameworks and best practices. We prioritize security across application design, infrastructure, and operational processes. This page outlines our general practices and how to report security concerns.

1. Application Security

  • Secure-by-default frameworks (Next.js App Router, server-first rendering where possible).
  • Least-privilege access for environment variables and credentials.
  • Input validation and output encoding to mitigate common vulnerabilities.
  • Dependency management, with monitoring of dependencies for known vulnerabilities.

2. Data Security

  • Encryption in transit using HTTPS/TLS for all external traffic.
  • Separation of concerns between client and server; sensitive keys are kept server-only and never shipped to the browser.
  • Configurable data retention aligned with product needs and legal requirements.
  • User controls to delete or export data where applicable.

3. Operational Security

  • Principle of least privilege for team members and service accounts.
  • Audit trails and logging for critical operations where applicable.
  • Backups and recovery procedures for critical systems and content.

4. AI-Specific Considerations

  • Prompt hygiene guidance and safeguards to discourage sharing sensitive personal data in prompts or context.
  • Review and validation of generated outputs before production usage.
  • Clear indication when third-party model providers process inputs/outputs.

5. Responsible Disclosure

We welcome reports of security vulnerabilities. Please email security@oneshot.build with details and steps to reproduce. Do not publicly disclose issues until we confirm a remediation or mitigation. We appreciate coordinated disclosure and will acknowledge valid reports.

6. Status and Updates

We may publish security-related updates on this page and will revise the "Last updated" date above when changes are made. For data handling specifics, see our Privacy Policy.