
# Omni product & system security

> Learn more about how Omni keeps your data secure.

export const CustomerCredentials = "The credentials provided to Omni to access Customer Data";

export const CustomerData = "The data contained in the customer data sources connected to Omni";

Omni is designed to ensure data is only accessible to those who are permitted to access it. Our technical architecture keeps organizations and data sets isolated, and the foundation of our product is a data model with robust governance capabilities that can limit the data sets, fields, and records accessible on a per-user basis.

## Product security and architecture

<img src="https://mintcdn.com/omni-e7402367/ZjBgyaAB7YuT7Cvy/administration/security/images/security-architecture.png?fit=max&auto=format&n=ZjBgyaAB7YuT7Cvy&q=85&s=4102cdff3ab73f33127cb3111bf4ca82" alt="" width="2876" height="1352" data-path="administration/security/images/security-architecture.png" />

Omni observes the following product and design principles:

* <Tooltip tip={CustomerData}>Customer Data</Tooltip> is always encrypted at rest and in transit over public networks, and customer credentials are additionally encrypted at the application level and can only be decrypted by the application components that require them.
* User authentication goes through your organization's identity provider, such as Google, Okta, or any SAML-compatible identity provider, which allows you to control security requirements like MFA.
* Users can be assigned [attributes](/administration/users/attributes) that can be checked in authorization logic to, for example, limit the user's access to data sets or apply filters.
* Authentication and authorization checks are applied immediately upon the receipt of every request to Omni, and, if passed, set an authorization context on subsequent code execution that ensures the request is sandboxed to the appropriate user and organization.
* Access to a customer's Omni instance by Omni personnel for support is visible to and controllable by the customer.

## Customer data

Omni processes the following data:

* Information about Omni users, for example name and email. This does not include user passwords, since authentication is delegated to a third-party identity provider.
* Omni configuration data, for example connection parameters, the Omni data model, and chart and dashboard configuration, *excluding* credentials to customer systems
* Data contained in the data sources connected to Omni, referred to as "Customer Data"
* Credentials to access customer data, referred to as "Customer Credentials"

### Data segregation and encryption

<Tooltip tip={CustomerData}>Customer Data</Tooltip> and <Tooltip tip={CustomerCredentials}>Customer Credentials</Tooltip> are:

* Logically segregated on Omni's systems by customer tenant ID and unique dataset identifiers
* Always encrypted at rest and in transit over public networks

Ownership of Customer Data is retained by the customer.
