Your documents stay yours.
Ohmix turns your workshop manuals into a private diagnostic knowledge base. This page states plainly how that data is handled — and what we have not yet certified.
Last updated 11 Jul 2026 · questions: security@ohmix.eu
Data ownership & isolation
The manuals and case data you upload remain yours. You can export or delete them at any time.
Each organisation's data is scoped to that organisation. Access is enforced at the database layer with row-level security on every customer-data table and on file storage — not only in the UI — and verified by a negative isolation test suite before schema promotion.
In transit via TLS/HTTPS (HSTS enabled). At rest through our storage and database providers' encryption. Documents are served only through short-lived signed links to signed-in members.
Sign-in is passwordless (email magic link). Organisation roles: owner, admin, service manager, technician, trainer, billing manager, read-only reviewer. Nobody can raise their own role; platform staff roles are separate and cannot be self-granted.
Subprocessors
We use a small number of vetted providers. We name them honestly:
- Supabase — authentication, database, file storage (EU region).
- Netlify — website hosting and edge delivery.
- AI providers — used server-side for diagnostic reasoning and retrieval once that engine is connected. The provider and region will be listed here before any customer document is processed by it.
AI-training policy
Your documents and case data are not used to train Ohmix models or shared to train third-party foundation models. AI is used only to answer your questions from your sources, server-side.
Retention, deletion & export
- You may request export or permanent deletion of your organisation's data.
- Deletion removes both database records and stored files (durable deletes, no silent resurrection).
- Audit events (who did what, when) are retained to support warranty-grade accountability.
Restricted documentation
Some brands' documentation is restricted: uploads for them are refused server-side unless Ohmix has recorded an explicit authorization grant for your organisation (for example, verified OEM-authorized dealers). Every upload additionally requires a recorded, versioned authorization confirmation from the uploader, and every document open is written to an append-only audit trail.
What is not in place yet
- The document ingestion worker and the diagnostic/training engine workers are being provisioned — until they run, uploads queue with honest status and no answers are generated or simulated.
- No formal certification (ISO/SOC 2) — practices are GDPR-aligned but not independently audited.
- Penetration testing and a formal incident-response SLA are planned before general availability.
- Self-serve payment is not implemented; nothing is charged without a signed agreement.
Reporting a concern
Security issue or data request: security@ohmix.eu. We aim to acknowledge within two business days.