Security & Data Privacy

OpenWork enterprise runs on your servers. We don't see your code, your API keys, or your prompts. There is no hosted control plane and no phone-home telemetry.

Deployment: Self-hosted (desktop app on your servers)
Data storage: Local-only (nothing leaves your machine)
LLM keys: Bring your own (direct to your provider)
Telemetry: None (opt-in feedback only)
Incident SLA: 72hr notify (3-day ack · 7-day triage)
Subprocessors: 5 named vendors (cloud & website only)

Deployment model

OpenWork ships as a desktop app that you host on your own servers. You bring your own LLM gateway and your own auth stack. Traffic between your users and their LLM provider goes direct; we don't sit in the middle.

  • Desktop app runs on your servers. No data leaves your infrastructure unless a user explicitly connects to an LLM provider.
  • LLM gateway is your choice (LiteLLM, Cloudflare AI Gateway, etc.). OpenWork doesn't proxy, store, or log API traffic.
  • Authentication plugs into your existing SSO or SAML provider.

Data handling

We receive zero customer data in a self-hosted deployment.

Data type           | Self-hosted                                 | Cloud
Source code         | Local only. Never leaves your machine.      | Not stored by OpenWork. Accessed at runtime through your LLM provider.
LLM API keys        | Local keychain or environment variables     | Held by your LLM provider, not by OpenWork
Prompts & responses | Local only                                  | Sent to your LLM provider. Not logged by OpenWork.
Usage telemetry     | None                                        | Anonymous, via PostHog; can be disabled
Authentication      | Your SSO / SAML provider                    | Google or GitHub OAuth

Data residency

You pick the region, the network boundary, and the egress policy. Nothing replicates outside your environment.

  • OpenWork doesn't impose a data region. You decide where things live.
  • Switching your LLM provider doesn't affect where data is stored. The two decisions are independent.

Subprocessors

These vendors apply to the OpenWork website and cloud service only. If you self-host, none of them touch your environment.

Vendor  | Purpose                                            | Category       | Region
PostHog | Anonymous website analytics and product telemetry  | Analytics      | US / EU
Polar   | Subscription billing and payment processing        | Payments       | US
Google  | OAuth sign-in and authentication services          | Authentication | US
GitHub  | OAuth sign-in and source code hosting              | Authentication | US
Daytona | Virtual sandbox infrastructure for the Cloud Service | Infrastructure | EU

Incident response

Report security issues via email or GitHub issue. Our response commitments:

  • Acknowledge receipt within 3 business days
  • Initial triage and assessment within 7 business days
  • Notify affected customers of any major security incident within 72 hours

See our security policy for reporting guidelines.

Compliance

Certification  | Status
SOC 2 Type II  | In progress

If you need a DPA or help with a vendor security questionnaire, reach out below.

Security contact

Security questions, vendor questionnaires, vulnerability reports: