Skip to main content
Security First

Your Data is Safe

Enterprise-grade security protecting your MCPs, payments, and data. Multi-layered defense with transparency at every step.

Security Layers

Infrastructure

  • Enterprise-grade hosting on secure VPS
  • DDoS protection with Cloudflare
  • Regular security audits and penetration testing
  • 24/7 monitoring and incident response
  • Disaster recovery and backups

Database Security

  • Row Level Security (RLS) for data isolation
  • Encrypted database connections (TLS 1.3)
  • Automatic data encryption at rest
  • Secure credential management (Hashicorp Vault)
  • Database backups every 6 hours

Application Security

  • Input validation and sanitization (Zod schemas)
  • SQL injection prevention (parameterized queries)
  • XSS protection (DOMPurify)
  • CSRF protection (double-submit cookies)
  • Rate limiting (100-1000 requests/minute)

Payment Security

  • x402 protocol with ERC-3009
  • Random nonces (128-bit entropy)
  • Time-based authentication (24h expiration)
  • Domain separation (replay attack prevention)
  • No private key exposure (delegated transfers)

Verified MCP Program

Manual MCP Review

Every MCP is manually reviewed by our security team before publication. No automatic approvals.

Security Testing

MCPs undergo security testing including SQL injection, XSS, and CSRF vulnerability scanning.

Code Review

Source code is reviewed for security best practices, proper error handling, and secure defaults.

Performance Benchmarking

MCPs are benchmarked for performance under load to prevent DoS vulnerabilities.

Community Feedback

Users can report security issues. Prompt action on all reports.

x402 Payment Security

Our x402 protocol implements gasless payments with enterprise-grade security. Users sign transactions off-chain, and we relay them securely on-chain.

Random Nonces

128-bit random nonces prevent replay attacks. Each transaction has unique signature.

Time-Based Auth

Signatures expire after 24 hours. Invalidates old signatures automatically.

Domain Separation

Each contract domain uses unique prefixes. Prevents cross-domain replay.

Delegated Transfers

No private key exposure. Users sign, platform executes. Zero gas fees.

Compliance

SOC 2 Type II

In Progress

Information security controls

GDPR

Compliant

EU data protection regulation

CCPA

Compliant

California privacy law

ISO 27001

Planned

Information security management

Data Handling

We collect minimal data (email, name, wallet addresses)
Private keys NEVER stored (public addresses only)
Usage data aggregated and anonymized (no PII)
Payment data encrypted at rest and in transit
Data retention: 90 days for analytics, 30 days for logs
Users can request data export or deletion (GDPR rights)

Incident Response

Detection Phase

24/7 monitoring with automatic threat detection and alerting.

Response Phase

Automated incident response with predefined playbooks for common threats.

Recovery Phase

Rollback capabilities, database backups, and disaster recovery procedures.

Communication Phase

Transparent incident communication with affected users and public disclosure.

Found a Vulnerability?

Responsible disclosure is encouraged. We'll work with you to fix it quickly.

Don't exploit vulnerabilities
Do report privately to security@oma-ai.com
Allow us reasonable time to fix (14 days)
Receive credit in our security hall of fame
Report VulnerabilityGeneral Contact
100%
MCP Verification
4
Security Layers
95/100
Health Score
24/7
Monitoring

Trust is Everything

Security isn't just technology—it's our commitment to protecting your data, revenue, and reputation. Every decision is guided by security-first principles.

View Documentation