Security
How we secure customer-submitted assets and what to expect on confidential content.
In-flight & at-rest
All transport is TLS 1.2+. Customer-submitted assets are stored in access-controlled object storage with single-use signed URLs that expire in one hour. Source files auto-purge 7 days after verification (configurable per contract).
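As an added illustration (not oklook's code), here is one way a storage front end can enforce the single-use, one-hour signed URLs described above. The key, paths, parameter names and in-memory nonce set are assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"constructed-demo-key"  # placeholder; a real key lives in a secrets manager
TTL_SECONDS = 3600                # one-hour expiry, as stated above
_redeemed = set()                 # nonces already used (a shared store in production)


def _mac(path, expires, nonce):
    # Bind path, expiry and nonce together so none can be swapped independently.
    msg = f"{path}\n{expires}\n{nonce}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_url(path, now=None):
    """Return path plus a query string carrying expiry, nonce and signature."""
    issued = int(now if now is not None else time.time())
    expires = issued + TTL_SECONDS
    nonce = secrets.token_urlsafe(16)
    query = urlencode({"expires": expires, "nonce": nonce,
                       "sig": _mac(path, expires, nonce)})
    return f"{path}?{query}"


def redeem(url, now=None):
    """Return 'ok' exactly once for a valid URL, else the rejection reason."""
    now = int(now if now is not None else time.time())
    parts = urlparse(url)
    q = parse_qs(parts.query)
    try:
        expires = int(q["expires"][0])
        nonce, sig = q["nonce"][0], q["sig"][0]
    except (KeyError, ValueError):
        return "malformed"
    # Check the signature first so unauthenticated input never touches state.
    expected = _mac(parts.path, expires, nonce)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "bad-signature"
    if now >= expires:
        return "expired"
    if nonce in _redeemed:
        return "already-used"
    _redeemed.add(nonce)  # consume the nonce: a second request is a replay
    return "ok"
```

In a multi-node deployment the nonce check and insert must be one atomic operation in a shared store, otherwise two concurrent requests can both succeed.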
Reviewer-side controls
Every reviewer screen carries a per-worker watermark showing that worker's hash and the timestamp. Right-click and download are disabled in the reviewer UI. Each file open is recorded in a per-customer audit log. Workers complete identity verification with liveness detection at signup, sign an enforceable NDA, and graduate through trust tiers gated by trap accuracy.
Confidential content — Private Pool
For pre-release Fortune-500-grade confidential content, use Private Pool (+50% surcharge, $2K/mo retainer): only personally-vetted, NDA-Plus reviewers we know individually ever see your assets. We'll never claim a system fully prevents a determined worker from photographing their screen — instead the economics, watermarking, and audit trail make leaks traceable and brutally expensive for the leaker.
Compliance roadmap
SOC 2 Type 1 work begins month 2–3 of operations (vendor: Vanta or Drata). GDPR DPA template is available on request. HIPAA is out of scope for the v1 product.
Disclosure
Report security issues to hello@oklook.ai. We'll acknowledge within one business day.