Privacy Policy
Last updated: March 2026
Onyx builds bespoke AI systems for firms that serve high-net-worth clients. Privacy is not a feature we offer. It is the foundation of everything we build. This policy explains exactly how we handle data — or more precisely, how we do not.
Zero Data Storage
Onyx AI systems operate on a zero-storage architecture. No conversation data, personal information, or interaction history is stored on our servers. All conversations exist exclusively in the visitor's browser session and are destroyed when the session ends or expires. We cannot access, retrieve, or reconstruct any conversation that has occurred on your system.
Session Architecture
Each visitor session is isolated and temporary. Sessions auto-expire after 15 minutes of inactivity. Upon expiration, all session data is permanently destroyed. No cookies, tracking pixels, or persistent identifiers are used to track visitors across sessions or websites.
Input Sanitization
All user inputs are sanitized in real time to prevent SQL injection, cross-site scripting (XSS), and prompt injection attacks. Personally identifiable information patterns, including Social Security numbers, credit card numbers, and passport numbers, are automatically detected and redacted before processing.
Rate Limiting
Systems enforce rate limiting of 8 messages per minute and 100 messages per session to prevent abuse, denial-of-service attacks, and automated scraping. These limits protect both the system and your clients.
Encryption
All communications between visitors and the AI system are encrypted using TLS 1.3, the current version of the Transport Layer Security protocol. No data is transmitted in plaintext at any point.
Compliance Design
Our systems are designed to be compatible with HIPAA requirements for healthcare clients and maintain compliance guardrails that prevent the AI from providing investment advice, medical diagnoses, legal guidance, or other regulated content. We are actively pursuing SOC 2 Type II certification.
Client Data
During the immersion and build process, we work with your firm's publicly available information, service descriptions, and team details that you provide. This training data is used exclusively to build your system and is not shared with any third party. Your system is built for your firm alone.
Third Parties
We do not sell, share, or distribute any data to third parties. We do not use advertising trackers, analytics platforms, or data brokers. Your clients' interactions are not monetized in any way beyond the service you pay for.
Contact
For questions about our privacy practices, data handling, or security architecture, contact Pedro Sosa at psosa8401@gmail.com or schedule a conversation.
© 2026 Onyx