Are documents and queries sent to third-party LLMs?

Yes. However, you can restrict Onyx to only the LLM providers of your choice, or connect Onyx to a self-hosted LLM.

Is any data used for model training?

There is no training or fine-tuning of any models.

Where is my data stored?

Data storage location depends on your deployment choice. See the Data Storage page for more information.

Does Onyx have access to my data?

For self-hosted deployments, the Onyx team does not receive any of your team’s data. Aggregated telemetry is collected, but this can also be turned off.

Does the app support SSO (SAML, OIDC, SCIM)?

SAML and OIDC are supported as part of the Enterprise Edition of Onyx. SCIM is on the roadmap; please check with the team for the latest status.

What encryption standards does Onyx use?

Onyx Cloud uses AES-256-GCM for data at rest and TLS 1.3 for data in transit. For self-hosted deployments, the admin deploying the system is responsible for configuring these.

What is Onyx’s security incident notification process?

Security incidents are communicated to customers according to severity and impact, with detailed incident reports and remediation steps provided. For Community Edition users, incidents are shared via our standard community channels (Slack, Discord, mailing list).

Does the vendor cache, index, or replicate internal documents?

Yes, this indexing is required to provide the reliable context retrieval that is key to many core user flows.

How often are penetration tests performed? Are results available?

Penetration tests are performed yearly, and results are shareable upon execution of an NDA. Similarly, container scans are run regularly and results are available.

What compliance standards does Onyx meet?

Onyx is SOC 2 Type II and GDPR compliant.