Legal

Security Policy

Last updated: April 27, 2026

1. Overview

This Security Policy describes the technical, administrative, and organizational measures that Selaware LLC (“Selaware,” “we,” “us,” or “our”) uses to help protect Selaware’s websites, software, APIs, hosted services, dashboards, documentation, collectors, scanners, and related services, including the Oculis product (collectively, the “Services”).

Selaware provides software designed to help organizations discover, monitor, analyze, and optimize AI agents, AI applications, LLM calls, provider usage, token consumption, estimated cost, cache savings, errors, latency, performance, collector health, and related operational telemetry.

Security is a shared responsibility between Selaware and our customers. Selaware is responsible for protecting the Services we operate. Customers are responsible for securely configuring their own systems, accounts, integrations, collectors, credentials, networks, cloud environments, users, and access policies.

This Security Policy is intended to provide transparency about our security practices. It does not create any warranty or guarantee that the Services will be error-free, uninterrupted, or immune from all security risks.

2. Scope

This Security Policy applies to:

  • Selaware websites and web applications;
  • the Oculis platform, dashboards, APIs, reporting tools, and alerting services;
  • Selaware-provided collectors, scanners, agents, scripts, containers, deployment packages, and related software components;
  • customer support and administrative systems used to provide the Services;
  • operational metadata, telemetry, logs, and other data processed through the Services; and
  • Selaware employees, contractors, vendors, and service providers who support the Services.

This Security Policy does not apply to customer-managed environments, third-party AI providers, model providers, cloud providers, identity providers, logging tools, messaging platforms, code repositories, or other third-party systems that customers choose to connect to or use with the Services. Those systems are governed by the customer’s own policies and the applicable third-party terms.

3. Security Principles

Selaware’s security program is guided by the following principles:

  • Least privilege: Access should be limited to what is needed to perform an authorized function.
  • Customer control: Customers should control where collectors are deployed, what systems are connected, and what data is sent to the Services.
  • Data minimization: We aim to collect only the information reasonably needed to provide, secure, support, and improve the Services.
  • Secure-by-design: Security considerations should be part of product design, engineering, deployment, and operations.
  • Defense in depth: We use multiple layers of technical and administrative controls to reduce risk.
  • Transparency: We aim to clearly explain how Oculis works, what it collects, and how customers can manage risk.

4. Data Collection and Handling

Depending on how the Services are configured, Oculis may collect and process data such as:

  • AI agent inventory and related system metadata;
  • collector health, version, heartbeat, and status information;
  • LLM provider, model, route, and API usage metadata;
  • token counts, estimated cost, cache savings, latency, errors, response status, and performance metrics;
  • application, container, host, Kubernetes, or cloud metadata needed to identify likely AI agent activity;
  • alert events, dashboard metrics, reports, and administrative activity logs;
  • account, organization, user, subscription, and support information; and
  • other data that a customer chooses to configure, upload, connect, or transmit to the Services.

Selaware designs the Services to focus on operational telemetry and AI usage visibility. Customers should not intentionally send secrets, passwords, private keys, regulated payment card data, protected health information, or other highly sensitive data to the Services unless Selaware has expressly agreed in writing and the appropriate contractual and technical safeguards are in place.

Customers remain responsible for reviewing their own configuration and determining whether the Services are appropriate for the data they choose to process.

5. Collector and Scanner Security

Some Services may require or allow customers to install Selaware-provided collectors, scanners, agents, containers, scripts, Helm charts, or other software components in customer-managed environments (“Collectors”).

Collectors are intended to help customers identify AI agents, monitor AI usage, report operational telemetry, and provide visibility into cost, performance, reliability, errors, and security-related signals. Customers control where Collectors are installed and how they are configured.

Where practical, Selaware recommends that customers:

  • deploy Collectors using least-privilege accounts and roles;
  • avoid running Collectors with unnecessary administrative, root, or cluster-wide permissions;
  • restrict Collector access to only the systems, namespaces, logs, APIs, or resources needed for the intended use case;
  • use outbound-only connectivity where possible;
  • avoid exposing Collectors directly to the public internet;
  • store API keys and tokens in approved secret managers or secure environment mechanisms;
  • rotate credentials regularly and immediately after suspected compromise;
  • review Collector configuration before enabling additional log, file, code, prompt, or payload visibility;
  • monitor Collector health, version, and update status; and
  • remove or disable Collectors when they are no longer needed.

Selaware may provide documentation, recommended deployment patterns, and configuration examples. Customers are responsible for validating those recommendations against their own security, compliance, network, and operational requirements.

6. Access Controls

Selaware uses access controls intended to limit access to systems and data based on business need. These controls may include:

  • unique user accounts for administrative access;
  • role-based access controls where supported;
  • separation of customer organizations and tenant data within the platform;
  • authentication and authorization controls for dashboards, APIs, and administrative systems;
  • internal access reviews and removal of access when no longer required;
  • secure credential handling and secret storage practices; and
  • logging of certain administrative and security-relevant events.

Customers are responsible for managing their own users, roles, permissions, API keys, connected accounts, SSO settings, identity provider configuration, and internal access policies.

7. Encryption and Network Security

Selaware uses commercially reasonable security measures designed to protect data transmitted to and from the Services. These measures may include:

  • encryption in transit using TLS or comparable secure transport protocols;
  • encryption at rest for hosted databases, storage systems, or backups where supported by the underlying provider;
  • segmentation and access restrictions for production systems;
  • firewall, network access, or cloud security group controls where appropriate;
  • secure API authentication mechanisms; and
  • monitoring for suspicious or abnormal service behavior.

Customers are responsible for securing their own networks, firewalls, proxies, VPNs, endpoints, Kubernetes clusters, cloud environments, identity providers, and any systems where Collectors are installed.

8. Application and Product Security

Selaware aims to follow secure software development practices, which may include:

  • security review during product design and development;
  • code review for material product changes;
  • dependency and package review where commercially reasonable;
  • vulnerability scanning or security testing of relevant systems;
  • patching of critical or high-risk vulnerabilities based on severity, exploitability, and business impact;
  • protection against common web application risks, such as unauthorized access, injection, cross-site scripting, and insecure direct object access;
  • logging and monitoring for service reliability and security events; and
  • incident response procedures for suspected security events.

Because the Services may include AI-driven analytics or recommendations, customers should independently validate any recommendation before making security, operational, financial, or compliance decisions.

9. Secrets, Tokens, and Credentials

Customers should not submit secrets, credentials, private keys, API keys, passwords, session tokens, access tokens, signing keys, recovery codes, or other sensitive authentication materials to Selaware unless specifically required for an integration and supported by Selaware’s documented process.

Where the Services require customer-provided credentials or tokens, customers are responsible for:

  • granting the minimum permissions necessary;
  • using scoped, revocable credentials where possible;
  • storing and transmitting credentials securely;
  • rotating credentials regularly;
  • revoking credentials when no longer needed;
  • reviewing third-party provider permissions; and
  • notifying Selaware promptly if a credential used with the Services may have been compromised.

Selaware may alert customers when the Services detect indicators of exposed, invalid, revoked, misconfigured, or high-risk tokens, but Selaware does not guarantee that all credential issues will be detected.

10. Logging, Monitoring, and Alerts

Selaware may collect logs and operational events to provide, maintain, secure, troubleshoot, and improve the Services. These may include authentication events, API activity, Collector heartbeat events, error events, performance metrics, system health data, alert events, and administrative actions.

Oculis may also provide customer-facing alerts, dashboards, and reports for AI usage, AI agent activity, high-usage agents, offline collectors, bad or revoked tokens, cost changes, cache savings, errors, latency, and other operational signals.

Alerts and reports are informational. Customers are responsible for reviewing alerts, validating findings, determining impact, and taking appropriate action within their own environments.

11. Third-Party Services and AI Providers

The Services may integrate with or rely on third-party services, including cloud infrastructure providers, payment processors, analytics tools, identity providers, email providers, observability tools, API providers, model providers, and large language model providers.

Customer use of third-party services is subject to the applicable third-party terms, privacy policies, data processing terms, security practices, and configuration choices. Selaware is not responsible for the acts, omissions, outages, data handling, model behavior, pricing, retention practices, or security controls of third-party providers that are outside Selaware’s control.

Customers are responsible for choosing which AI providers, model providers, API providers, or integrations they use and for confirming that those providers meet their own security, privacy, compliance, and contractual requirements.

12. Employee and Contractor Access

Selaware limits employee and contractor access to customer data and production systems based on role, responsibility, and business need. Personnel with access to sensitive systems may be subject to confidentiality obligations and internal security expectations.

Where appropriate, Selaware may use access logging, administrative controls, and account deactivation procedures to reduce the risk of unauthorized access.

13. Vendor Management

Selaware may use vendors and service providers to host, operate, support, secure, monitor, analyze, bill, and improve the Services. Selaware evaluates vendors based on the nature of the service provided, the sensitivity of data involved, and the risk presented by the vendor relationship.

Vendors may only access data as needed to provide services to Selaware, subject to applicable contractual, security, and confidentiality obligations.

14. Backups, Availability, and Business Continuity

Selaware may maintain backups, redundancy, monitoring, and recovery procedures intended to support service availability and recovery. However, no system can guarantee uninterrupted service, complete data recovery, or protection from all failure scenarios.

Customers are responsible for maintaining their own backups, exports, records, business continuity plans, and recovery processes for customer-managed systems, customer data, configurations, dashboards, reports, and any operational decisions made using the Services.

15. Incident Response

If Selaware becomes aware of a security incident affecting the Services, we will take steps designed to investigate, contain, mitigate, and remediate the issue as appropriate based on the nature and severity of the incident.

Where required by law, contract, or applicable policy, Selaware will notify affected customers of a confirmed security incident involving their data. Notification may include information about the nature of the incident, affected systems or data, remediation steps, and recommended customer actions, to the extent such information is available and legally permitted.

Customers should notify Selaware promptly if they believe their account, API key, Collector, integration, or data processed through the Services may have been compromised.

16. Vulnerability Disclosure

Selaware encourages responsible disclosure of security vulnerabilities. If you believe you have discovered a vulnerability in Selaware’s Services, please contact us at:

security@selaware.ai

When reporting a vulnerability, please include:

  • a description of the issue;
  • steps to reproduce the issue;
  • affected URLs, APIs, accounts, collectors, or components;
  • any relevant screenshots, logs, or proof-of-concept details; and
  • your contact information so we can follow up.

Please do not:

  • access, modify, delete, or exfiltrate data that does not belong to you;
  • disrupt, degrade, or deny service to Selaware or other customers;
  • use automated high-volume scanning without prior written approval;
  • attempt social engineering, phishing, physical attacks, or attacks against Selaware employees, contractors, vendors, or customers;
  • publicly disclose a vulnerability before Selaware has had a reasonable opportunity to investigate and remediate it; or
  • violate applicable laws.

Selaware does not currently guarantee a bug bounty, reward, or compensation for vulnerability reports unless expressly agreed in writing.

17. Compliance and Security Certifications

Unless expressly stated in a written agreement signed by Selaware, Selaware does not claim that the Services are certified for, compliant with, or suitable for any specific regulated workload, including HIPAA, PCI DSS, FedRAMP, CJIS, ITAR, or similar regulatory frameworks.

Selaware may pursue security reviews, compliance programs, audits, reports, or certifications over time. Any such status will be communicated separately and should not be assumed unless confirmed in writing by Selaware.

Customers are responsible for determining whether their use of the Services satisfies their own legal, regulatory, contractual, security, and compliance obligations.

18. Customer Responsibilities

Customers are responsible for maintaining the security of their own environments and use of the Services. This includes:

  • configuring users, roles, permissions, SSO, MFA, and API keys securely;
  • ensuring only authorized users access the Services;
  • protecting account credentials and promptly revoking access for departed users;
  • installing and operating Collectors only in authorized environments;
  • reviewing and approving what data is collected and transmitted;
  • securing connected systems, cloud accounts, Kubernetes clusters, repositories, CI/CD systems, logs, and model provider accounts;
  • complying with applicable laws and internal policies;
  • validating alerts, reports, recommendations, and AI-generated analysis before taking action;
  • maintaining independent backups and change-control procedures;
  • promptly reporting suspected security issues to Selaware; and
  • ensuring that customer personnel and users comply with Selaware’s Terms of Service, Privacy Policy, and applicable documentation.

19. Changes to this Security Policy

Selaware may update this Security Policy from time to time to reflect changes in our Services, security practices, legal requirements, or business operations. When we update this Security Policy, we will revise the “Last updated” date above. Continued use of the Services after an update means you acknowledge the updated Security Policy.

20. Contact

Questions about this Security Policy or Selaware’s security practices may be sent to:

Selaware LLC
Security: security@selaware.ai
Privacy: privacy@selaware.ai
Support: support@selaware.ai