Ophraxx
Disclaimer: This website is currently in beta testing. Some features may not be complete, and content may be out of date.

Security & Privacy

Last updated: March 2026

Our Security Approach

Ophraxx AI implements a defense-in-depth security strategy with multiple layers of protection to ensure user safety, data privacy, and system integrity. Security is not an afterthought—it is built into every component of our system. All security and moderation systems are built and operated by us; we do not outsource core safety or access control. This applies to both our conversational bot (input/output validation, rate limiting, abuse prevention) and our website and web applications (authentication, 2FA, session management, account security).

Web and Account Security

Our website and web applications are secured with the following measures:

  • Authentication: Passwords are hashed using industry-standard algorithms and never stored in plain text. We support email/password and alternative sign-in methods; credentials are validated server-side on every protected request.
  • Two-factor authentication (2FA): We offer optional 2FA (e.g. TOTP and backup codes). 2FA secrets are stored securely and used only for verification; we do not store your 6-digit codes. You can enable or disable 2FA from your account settings. Once verified in a browser, we may use a first-party cookie so you are not prompted again on the same device until you clear cookies or the cookie expires.
  • Session management: Sessions are bound to a secure token; we track active sessions and login activity so you can review and manage devices. Session data is used only for security and abuse prevention, not for advertising.
  • Account and profile data: Profile and settings data is stored in our own systems and access-controlled. Sensitive fields (e.g. email) are not displayed in profile sections where they do not belong; we sanitize and validate data on both input and display.
  • HTTPS and secure headers: All traffic to and from our website and APIs uses TLS. We use secure headers and CSRF protection where appropriate.

Infrastructure Security

Encryption

  • In Transit: All data transmitted using TLS 1.3 encryption
  • At Rest: Database encryption for stored user profiles and usage data
  • API Communications: All service-to-service and client communications over TLS; no plaintext credentials or sensitive data in transit.

Access Controls

  • Principle of least privilege for system access
  • Role-based access control (RBAC) for administrative functions
  • Secure credential management with environment variables
  • API key rotation and monitoring

Monitoring & Logging

  • Comprehensive logging of security events
  • Real-time monitoring for suspicious activity
  • Automated alerting for security incidents
  • Regular log analysis and audit trails

Input Security

Injection Prevention

  • SQL Injection: Detection of UNION SELECT, DROP TABLE, and other SQL attack patterns
  • Script Injection: Blocking of <script>, <iframe>, and malicious HTML tags
  • Prompt Injection: Prevention of "ignore previous instructions" and jailbreak attempts
  • Base64 Decoding: Automatic detection and scanning of encoded payloads

Input Sanitization

  • Removal of zero-width characters and Unicode manipulation
  • HTML tag stripping and entity encoding
  • Normalization of input formatting
  • Length limits and character validation

Privacy Protection

PII Detection & Redaction

Automatic detection and redaction of:

  • Social Security Numbers: XXX-XX-XXXX patterns
  • Credit Card Numbers: 16-digit card numbers
  • Email Addresses: Personal email identifiers
  • Phone Numbers: Various international formats
  • IP Addresses: IPv4 and IPv6 addresses

Sensitive Data Protection

  • API Keys and Secrets: Detection and redaction of exposed API keys, tokens, and connection strings
  • Tokens: Platform tokens, bearer tokens, and OAuth-style credentials
  • Database URIs: Connection strings and credentials
  • Environment Variables: process.env references and secrets

Data Minimization

  • Only collect data necessary for service functionality
  • Temporary conversation storage (15-minute TTL)
  • No permanent message content archives
  • Automatic deletion of expired data

Content Security

Threat Detection

Real-time detection of:

  • Violence and harm instructions
  • Weapons manufacturing and explosives
  • Controlled substance synthesis
  • Hate speech and discriminatory content
  • Child sexual abuse material (CSAM)
  • Self-harm and suicide content (with crisis resources)

AI Safety Validation

  • Dedicated proprietary safeguard models
  • Dual-pass validation (input and output)
  • Context-aware threat assessment
  • 8-category safety classification system

Rate Limiting & DDoS Protection

Token Bucket Algorithm

  • User Rate Limit: 1 request per 2 seconds
  • Guild Rate Limit: 5 requests per 200ms
  • Automatic bucket refill and capacity management
  • Graceful degradation under high load

Spam Detection

  • Sliding Window: 8-second message frequency tracking
  • Soft Threshold: 3 messages in 8s triggers silent drop
  • Hard Threshold: 5 messages in 8s triggers 60s timeout + 5min AI block
  • Automatic escalation for repeated spam violations

Usage Quotas

Limits vary by subscription tier across the Ophraxx Web Core:

  • OW-F1 (Free): ~500 messages per month
  • OW-B12 (Basic): ~1,000 messages per month
  • OW-U45 (Ultra): 10,000+ messages per month with priority processing
  • OW-P88 (Pro): 50,000+ messages per month with the highest priority processing
  • Prevents resource exhaustion and abuse
  • Fair distribution of service capacity across all tiers

Adaptive Security

User Safety Profiles

  • Risk Scoring: +15 per violation, -5 per 24 hours of good behavior
  • Trust Levels: New → Trusted → Suspicious → Blocked
  • Violation Tracking: 5 violations = 5-minute soft-block
  • Automatic Escalation: Progressive restrictions for repeat offenders

Blacklist System

  • Granular feature-level blocking (commands, AI, models, tools)
  • User and guild-level restrictions
  • Model-specific access control
  • Immediate enforcement upon detection

Channel and Content Security

  • Mention and broadcast controls: We sanitize and validate mentions and broadcast-style content to prevent abuse.
  • Structured content handling: User and channel references are handled in a safe, non-executable manner.
  • Non-text filtering: Non-text payloads are filtered or ignored to reduce injection and abuse surface.
  • Link and markup safety: Links and markup are validated and stripped where they could be used for phishing or abuse.
  • Permission awareness: We respect and enforce permission boundaries of the environments where the service is used.

Incident Response

Detection & Response

  • Real-time security event monitoring
  • Automated threat response and mitigation
  • Manual review of flagged incidents
  • Rapid deployment of security patches

Escalation Procedures

  • Immediate: Automatic blocking of severe violations
  • Short-term: Log analysis and pattern identification
  • Long-term: System updates and enhanced detection
  • Communication: User notification of restrictions and appeals process

Infrastructure and API Security

Our infrastructure is under our operational control. We apply:

  • Secure credential storage and rotation for all internal and external access
  • Rate limiting and validation on all request paths
  • Request sanitization and error handling that avoids information leakage
  • Defense-in-depth across hosting, database, and application layers

Compliance & Standards

  • Data protection laws: We design for GDPR-style data protection and user rights where applicable.
  • Children’s privacy: Our service is not directed at children under 13 (or higher age where required by law).
  • Platform terms: We operate in compliance with the terms of the platforms we use to deliver the service.
  • Secure development: We follow practices aligned with OWASP and industry standards for secure design and deployment.

Security Best Practices

For Users

  • Never share personal credentials or sensitive information with the AI
  • Report suspicious behavior or security concerns immediately
  • Use the service responsibly and within our Terms of Use and Usage Policies
  • Keep your account secure; we support two-factor authentication and recommend enabling it

For Server Administrators

  • Configure appropriate channel permissions for AI access
  • Monitor moderation logs for security events
  • Review usage statistics regularly
  • Report abuse or violations through proper channels

Vulnerability Disclosure

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly through our designated support channel. We commit to:

  • Acknowledging receipt within 48 hours
  • Providing regular updates on remediation progress
  • Crediting researchers (with permission) for responsible disclosure
  • Deploying fixes promptly based on severity

Incident Response

We maintain an incident response program to detect, assess, and remediate security events. Where required by law or contract, we will notify affected users or customers of material incidents.

Contact Security Team

For security-related inquiries, vulnerability reports, or privacy concerns, please contact our team through our designated support channel. We respond to all security reports within 48 hours. Our security and moderation systems are built and operated in-house.