Security Overview
OMIMA's security commitment comes down to one thing: your data is accessible only to you.
The Four Things We Actually Promise
| Promise | How |
|---|---|
| A database breach can't expose your content | All records encrypted at rest (AES-256-GCM) |
| Only you can access your data | Account binding + access control — unauthenticated requests are rejected |
| When you need it, you get it back — fully | Authentication passes → plaintext returned, directly usable |
| We don't analyze or sell your data | Business model is subscriptions, not data |
Security Layers: Who's Responsible for What
Your chosen channel (WeChat / Lark / Web App)
│   Large platforms, legally accountable, you're already using them
▼
OMIMA storage layer ← this is what we guard
│   AES-256-GCM encryption at rest
│   Access control: only your authenticated account can reach your data
▼
When you need to use it
│   Authentication passes → full plaintext returned, no detours

OMIMA guards the storage layer. The channel is your choice — WeChat, Lark, and similar platforms have their own security teams and legal accountability. You're already using them for daily communication; adding OMIMA doesn't make that less safe.
Encryption at Rest: What It Protects
Your records are encrypted before being written to the database.
Protected against:
- Database breach → attacker gets ciphertext, no key, can't read it
- Unauthorized third-party access → no account authentication, no access
- Casual snooping → access controls and audit logs
Not protected against:
- Your own device being compromised (malware, someone with your unlocked phone)
- Your linked account (WeChat) being stolen
This matches the security model of mainstream password managers (1Password cloud, Bitwarden cloud) — encryption at rest plus access control is the most practical and reliable approach for consumer products.
Authentication: Confirming It's Really You
The critical security layer in OMIMA is authentication, not the encryption mechanism itself.
- WeChat bot: Your WeChat account is bound to your OMIMA account — only requests from that WeChat ID can reach your data
- Web App: Account login with session token
- Multiple devices: Same account, same access once authenticated
Authentication passes → data returned completely. That's how the product should work — you ask "what's my bank password," OMIMA tells you directly. No detours.
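The storage model described here and under "Encryption at Rest" above, as an added illustration in Go (this is not OMIMA's code; the row layout, the service holding the key in memory, the owner's account ID bound in as GCM associated data, and the in-process ownership check standing in for account binding are all assumptions): a record is sealed with AES-256-GCM before it reaches the database, so a dumped table yields only nonce and ciphertext, and plaintext is returned whole only to the authenticated owner.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type Record struct { // the stored row (assumed layout)
	AccountID string // owner
	Nonce     []byte
	Cipher    []byte // ciphertext || GCM tag
}

type Vault struct{ aead cipher.AEAD } // key lives in memory, never in the database

// NewVault requires a 32-byte key so the cipher is really AES-256, not AES-128/192.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead}, nil
}

// Store encrypts before the row is written; the owner's ID is bound in as AAD (see Fetch).
func (v *Vault) Store(accountID string, plaintext []byte) (Record, error) {
	nonce := make([]byte, v.aead.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := v.aead.Seal(nil, nonce, plaintext, []byte(accountID))
	return Record{AccountID: accountID, Nonce: nonce, Cipher: ct}, nil
}

// Fetch models the bot answering: only the authenticated owner gets plaintext, and gets it whole.
func (v *Vault) Fetch(rec Record, authedAccount string) ([]byte, error) {
	if authedAccount != rec.AccountID {
		return nil, errors.New("request not bound to this account")
	}
	// Open verifies the GCM tag: a tampered row, or a ciphertext moved under another owner, fails here.
	return v.aead.Open(nil, rec.Nonce, rec.Cipher, []byte(rec.AccountID))
}
```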
Account Recovery
Forgot your password: SMS verification → reset → normal access. Your historical data stays intact.
OMIMA chose "actually helps you at critical moments" over "locks even you out." Recovery doesn't lose your data.
What We Don't Promise
We do not claim zero-knowledge — meaning "even OMIMA engineers can't read your data."
Making that claim would require sacrificing the bot's ability to return plaintext directly. And that's the most essential use case this product exists for: you're stuck somewhere, you ask, you get the answer immediately.
Honesty matters more than overclaiming.