Security & Data Handling Overview

Last updated: January 2026

This document provides an overview of Odyssey's security posture and data handling practices. It is intended to help partners, customers, and reviewers understand how Odyssey is designed to minimize risk, protect sensitive information, and operate responsibly—particularly in government and regulated environments.

Guiding Principles

Odyssey is built around a data minimization and least‑privilege philosophy. From the outset, the platform is designed to collect only what is necessary to understand user journey behavior, while deliberately avoiding the collection of personally identifiable information (PII), form responses, or uploaded documents.

Our guiding principles are:

  • Collect the minimum data required to provide value
  • Avoid sensitive data entirely whenever possible
  • Isolate and secure all production systems
  • Ensure changes are auditable and reversible
  • Design for compatibility with strict security environments, including government platforms

Data Collected

Odyssey collects event‑level telemetry related to user journeys. This data is strictly behavioral and contextual.

Examples of data that may be collected include:

  • Event type (e.g., journey started, step entered, step completed)
  • Anonymous journey or form identifier
  • Timestamp
  • Environment metadata (e.g., production vs test)
  • High‑level client metadata (e.g., browser family, device type)

Data Explicitly Not Collected

Odyssey is intentionally designed not to collect:

  • Form field values or responses
  • Names, addresses, emails, phone numbers, or identifiers
  • Uploaded files or attachments
  • Authentication credentials
  • Free‑text user input

No attempt is made to infer or reconstruct user identity.

Data Usage

Collected data is used solely to:

  • Analyze journey completion and drop‑off patterns
  • Measure time spent across stages or steps
  • Identify aggregate friction points in workflows
  • Generate non‑individualized insights and reports

Odyssey does not use collected data for advertising, tracking across sites, or user profiling.

Data Storage and Retention

  • All data is transmitted over encrypted HTTPS connections.
  • Data is stored in managed, cloud‑hosted databases with encryption at rest.
  • Access to production data is restricted to a minimal set of authorized personnel.

Retention

Data is retained only for as long as necessary to support analysis and reporting. Retention periods may be customized or limited further based on partner requirements.

Access Controls

Odyssey enforces strict access controls:

  • Role‑based access to production systems
  • Multi‑factor authentication (MFA) for administrative access
  • Separation of development, staging, and production environments

All access to production systems is logged and reviewable.

Change Management

Changes to production systems follow a controlled process:

  • Code changes are reviewed prior to deployment
  • Deployments are traceable to specific source control revisions
  • Rollback mechanisms are in place in the event of an issue

This ensures that any change affecting data collection or processing is auditable and reversible.

Incident Response

Odyssey maintains an incident response process designed to quickly identify, contain, and remediate security events.

In the event of a confirmed security incident:

  • Impacted systems will be isolated as appropriate
  • A root‑cause analysis will be performed
  • Affected partners will be notified in a timely manner
  • Corrective actions will be documented and implemented

Third‑Party Services

Odyssey relies on a limited set of reputable third‑party infrastructure providers (e.g., cloud hosting, monitoring). These providers are selected based on their security posture and industry adoption.

No third‑party services are permitted to access customer data beyond what is necessary to operate the platform.

Content Security Policy (CSP) Considerations

When integrated via an embedded script, Odyssey is designed to:

  • Load from a single, clearly identified script origin
  • Communicate with a single ingestion endpoint
  • Operate in a read‑only manner without modifying page behavior
  • Avoid access to DOM elements containing user input or form values

This design allows integrations to be scoped narrowly within strict Content Security Policy (CSP) environments.

Compliance Roadmap

Odyssey is designed with compliance in mind from inception. As the platform matures and adoption grows, formal security audits (such as SOC 2) are planned as part of the long‑term roadmap.

In the interim, Odyssey emphasizes:

  • Transparency in data handling
  • Conservative security defaults
  • Willingness to operate under pilot or constrained environments

Contact

Security‑related inquiries, vulnerability disclosures, or questions about data handling may be directed to:

security@odysseylabs.ai

We welcome responsible disclosure and collaboration with partners to ensure Odyssey operates safely and securely.