Omitly · Security

Omitly security

Omitly's value proposition is a security claim: your documents are redacted locally, the removal is independently verified, and nothing is uploaded. A claim like that should be falsifiable, so we publish the evidence.

Posture at a glance

Local-only

Documents never leave your device. One opt-in network path exists (RFC 3161 timestamping) and sends only a hash, never content.

Verifiable redaction

Underlying text and image data is removed, then independently re-checked on the output. Default-deny: any uncovered path fails the check.

Open design

Our threat model is public. Security by transparency, not obscurity.

What's here

Customers

Current customers can access the full evidence set (complete SBOM and CBOM documents, raw test output, the full ASVS workbook, and pen-test reports) by proving a valid licence. Access is itself gated by the same licence cryptography documented on this site.

Customer access →

Latest release attestation

No signed attestation has been published yet; the first lands with the next release.

Vendor root key

The vendor root fingerprint is published after the signing-key ceremony.