
Security & Your Data

How OSOK Life protects your information — in plain English.

OSOK Life was built by a veteran to help ordinary people handle the paperwork and systems that grind them down — VA claims, finances, caregiving, forms. A lot of that is sensitive. Here's exactly how we protect it, written so you don't need a security background to follow.

THE SHORT VERSION
Your connection is encrypted (HTTPS/TLS) — the padlock in your browser.
Your sensitive data is encrypted at rest with AES-256-GCM — the same standard banks and governments use.
Your data is isolated per user. Other users can't reach it.
You can delete your data anytime.
We never sell your data, never use it for ads, never track you across the web.

Encryption in transit (the browser padlock)

Every connection to OSOK Life runs over HTTPS/TLS; that's the padlock icon in your address bar. It means the data traveling between your device and our servers is scrambled so nobody in between (your ISP, someone on the same wifi, and so on) can read it or quietly change it on the way.

We also use HSTS, a setting that tells your browser to always use the encrypted connection to our site and never fall back to an unencrypted one. Your browser remembers that instruction after your first secure visit, so even typing the site name without https:// later still gets you the encrypted version.

Want to verify it yourself?

Click the padlock next to www.osoklife.com in your browser — it'll say "Connection is secure." Or run our domain through SSL Labs, an independent security scanner that grades any site's encryption. We publish nothing you can't check for yourself.

If your browser ever shows "Not Secure," you're on the http:// version (no S). Use https://www.osoklife.com and you're encrypted.
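A command-line version of that check, added here as an example and not taken from OSOK Life's own tooling: the function below reads raw HTTP response headers (in real use from curl -sI https://www.osoklife.com; here from constructed sample headers embedded in the script) and reports whether a usable HSTS policy is present. The one-year max-age threshold is common preload guidance, not something this page specifies.

```shell
#!/bin/sh
# Added example, not OSOK Life's code.
# Real-world use:  curl -sI https://www.osoklife.com | check_hsts
# Returns 0 when a usable Strict-Transport-Security header is present, 1 otherwise.

check_hsts() {
	# Read response headers from stdin; drop CR so CRLF-terminated headers parse cleanly.
	hdr=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1)
	if [ -z "$hdr" ]; then
		echo "FAIL: no Strict-Transport-Security header; a browser may still try http://"
		return 1
	fi
	policy=$(printf '%s\n' "$hdr" | tr 'A-Z' 'a-z')
	# max-age is the only directive browsers require; without it the header is ignored.
	max_age=$(printf '%s\n' "$policy" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
	if [ -z "$max_age" ]; then
		echo "FAIL: HSTS header has no max-age, so browsers ignore it: $hdr"
		return 1
	fi
	# One year (31536000 s) is the usual minimum recommended for a lasting policy.
	if [ "$max_age" -lt 31536000 ]; then
		echo "FAIL: max-age=$max_age is under one year (31536000); the policy expires quickly"
		return 1
	fi
	case "$policy" in
		*includesubdomains*) subs="includeSubDomains present" ;;
		*) subs="no includeSubDomains" ;;
	esac
	echo "OK: $hdr ($subs)"
	return 0
}

# Constructed sample header blocks; not captured from osoklife.com.
GOOD_HEADERS='HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains
content-type: text/html; charset=utf-8'

NO_HSTS_HEADERS='HTTP/2 200
content-type: text/html; charset=utf-8'

printf '%s\n' "$GOOD_HEADERS" | check_hsts
printf '%s\n' "$NO_HSTS_HEADERS" | check_hsts || true   # demo of the failing case
```

One thing to keep in mind when running it against a real site: an HSTS header served by www.osoklife.com only governs www (and, with includeSubDomains, hosts beneath it). The bare domain osoklife.com has to send its own header, so check both.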

Encryption at rest (data sitting in the database)

Sensitive data, like the access tokens for any social platforms you connect, is encrypted with AES-256-GCM before it's ever written to our database. That's the same encryption standard used by banks, the U.S. government, and militaries worldwide, and the GCM part means a stored record that has been tampered with is rejected rather than silently decrypted. The key that unlocks it is stored in a secure environment variable, never in our code and never in the database itself. So if someone walked off with a copy of the database or a backup, those tokens would be unreadable without a key that lives somewhere else.

Your data is also isolated per user: everything is keyed to your unique account ID, and there's no path for one user to reach another user's data.
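To make the at-rest pattern concrete, here is an added example of the technique in Go, written for this page and not taken from OSOK Life's code. It assumes a 32-byte key read from an environment variable named TOKEN_ENCRYPTION_KEY (the name is an assumption; the page says only that the key lives in an environment variable), and it goes one step beyond the text by binding each encrypted token to its owner's account ID through GCM's additional authenticated data, which is one way to enforce the per-user isolation described above. The stored record layout (nonce, ciphertext, tag) is also this example's choice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
)

// loadKey reads the AES-256 key from a hex-encoded environment variable.
// The variable name is an assumption for this example; the page only says the
// key lives in an environment variable, not in code or in the database.
func loadKey(envVar string) ([]byte, error) {
	key, err := hex.DecodeString(os.Getenv(envVar))
	if err != nil {
		return nil, fmt.Errorf("%s is not valid hex: %w", envVar, err)
	}
	if len(key) != 32 {
		return nil, fmt.Errorf("%s must decode to 32 bytes for AES-256, got %d", envVar, len(key))
	}
	return key, nil
}

// newGCM builds an AES-256-GCM AEAD from the key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealToken encrypts a platform access token before it is written to the
// database. The owning user's ID goes in as additional authenticated data (AAD):
// it stays in plaintext, but GCM's tag covers it, so a ciphertext copied into
// another user's row fails to decrypt. Stored layout (this example's choice):
//   12-byte random nonce || ciphertext || 16-byte tag
func sealToken(key []byte, userID string, token []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record: reusing a nonce under the same key
	// breaks GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, so one record carries
	// everything needed to decrypt it later except the key.
	return gcm.Seal(nonce, nonce, token, []byte(userID)), nil
}

// openToken decrypts a stored record. Any change to the nonce, ciphertext,
// tag, key, or the userID it was sealed under makes Open return an error.
func openToken(key []byte, userID string, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("record too short to contain nonce and tag")
	}
	nonce, ct := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(userID))
}

func main() {
	key, err := loadKey("TOKEN_ENCRYPTION_KEY")
	if err != nil {
		// Demo only: a throwaway key so the example runs without configuration.
		// A real service should refuse to start instead.
		fmt.Println("no usable TOKEN_ENCRYPTION_KEY, using a throwaway demo key:", err)
		key = make([]byte, 32)
		if _, err := io.ReadFull(rand.Reader, key); err != nil {
			panic(err)
		}
	}

	// Constructed sample token; not a real credential.
	record, err := sealToken(key, "user-1234", []byte("ya29.example-access-token"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored record (%d bytes): %x\n", len(record), record)

	if pt, err := openToken(key, "user-1234", record); err == nil {
		fmt.Println("owner decrypts:", string(pt))
	}
	if _, err := openToken(key, "user-9999", record); err != nil {
		fmt.Println("other user's ID rejected:", err)
	}
	record[len(record)-1] ^= 0x01 // flip one bit of the tag
	if _, err := openToken(key, "user-1234", record); err != nil {
		fmt.Println("tampered record rejected:", err)
	}
}
```

The AAD binding is what turns "keyed to your account ID" from a database convention into a cryptographic check: even a bug that serves the wrong row to the wrong user yields a decryption failure, not another person's token.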

"But is it end-to-end encrypted?" — an honest answer

This is the question that trips people up, so here's the straight version.

End-to-end encryption (E2E) means the data is scrambled in a way that even the company running the service can't read it. Signal (the messaging app) is the classic example: Signal's own servers can't read your messages; they just pass sealed envelopes back and forth.

Here's the catch:

E2E only works when the service is a "dumb pipe" that never needs to read your data — it just moves sealed envelopes. OSOK Life is the opposite: it's an assistant that reads your VA claim to actually help you with your VA claim. For it to do the thing you came for, our systems have to be able to read the data you give them. That's not a corner we cut — it's the nature of any tool that processes your information instead of just relaying it.

This is true of every service in this category: ChatGPT, tax software like TurboTax, your bank's fraud detection, your doctor's patient portal. None of them are end-to-end encrypted, for the exact same reason: they have to read your data to do their job. Anyone claiming that an assistant which reads and acts on your data is "end-to-end encrypted" either misunderstands the term or is selling you something.

What we promise instead is everything above: encrypted in transit, encrypted at rest, isolated per user, deletable on demand, never sold, never mined for ads. To be clear about what that buys you: encryption at rest protects you against someone who steals a copy of our database, not against us, because our systems hold the key. That's exactly why the rest of the list (isolation, deletion, no selling) matters as much as the encryption does.

The AI part — where your data goes

When you talk to X-Ray (our AI assistant), your message is sent to Anthropic's Claude API to generate a response, over an encrypted connection. Anthropic's API terms state that data submitted through the API is not used to train their models. We send only what's needed to answer you: we don't attach your identity, your other data, or anything you didn't bring into that conversation. What you type into the chat does, by definition, leave our systems for Anthropic's, so it's worth pasting in only what the task actually needs.

What we deliberately never touch

You're in control

"Is this a scam? Are you phishing for my data?"

Fair thing to ask about any site you don't know yet. Here's the direct answer — and why the accusation is actually backwards.

You never give us your passwords. Ever.

When you connect YouTube, Twitch, or any platform, you're sent to that platform's own login page: Google's, Twitch's, the real one. You can check this yourself; the address bar on that login page shows the platform's domain, not osoklife.com. You log in there, on their site, and they hand us a limited, revocable token, which you can cancel at any time from that platform's own connected-apps settings. We never see, touch, or store your password. That's the technical opposite of phishing: phishing is a fake login form built to capture your password, and we don't have a login form for your connected accounts at all. We can't phish you; the platforms handle your credentials, not us.

And the honest heart of it: this was built by a veteran who watched ordinary people pay $200 an hour for help navigating VA claims, taxes, and forms they should have been able to handle themselves. Harvesting the data of the exact people this is meant to help would defeat the entire reason it exists.

Found something? Tell us.

If you spot a security concern, reach out through the Feedback button in the app. We take it seriously — this platform handles veterans' sensitive information, and protecting it is the whole point.

Read the full Privacy Policy →