Trust Center

Trust controls for commercial AI infrastructure.

OneAI is designed for teams that need to sell, monitor, and govern AI features. The system keeps provider access server-side, exposes request-level usage and cost, and separates intelligence from execution.

Core principle

OneAI should not behave like a blind relay. Every production call should be explainable by requestId, provider, model, token usage, estimated cost, route policy, and customer/API key ownership.

Security

Provider secrets stay server-side, customer keys are hashed, and production access should happen through customer backends.

Transparency

Every commercial call is designed to expose requestId, provider, model, tokens, latency, cost, fallback, and ownership context.

Data boundary

OneAI coordinates intelligence and records operational metadata. External executors perform actions outside the OneAI boundary.

Enterprise readiness

SLA, DPA, Privacy, invoices, terms, audit logs, and team permissions are documented for procurement review.

API key hygiene
Keys are stored hashed on the API side. Create separate keys per environment and revoke leaked keys immediately.
Usage and cost controls
Track provider, model, token usage, estimated cost, latency, and requestId for customer support.
Provider policy
Use provider/model allowlists, routing modes, fallbacks, and maxCostUsd to keep production calls controlled.
Model readiness
Model registry, catalog sync, pricing coverage, and one-model-at-a-time health checks help operators verify providers before customer traffic.
Request observability
Every commercial call can be tied back to requestId, provider, model, usage, latency, error state, and API key.
Execution boundary
OneAI returns plans, structured decisions, and coordination outputs. Direct execution stays outside the OneAI API boundary.

AI relay risks OneAI is built to reduce

The main customer concern is not only whether a model responds. It is whether routing, spend, data boundaries, and operational ownership are visible enough to trust in production.

RiskOneAI control
Hidden model routingOneAI returns provider, model, requestId, usage, latency, fallback state, and estimated cost.
Cost driftPlans, maxCostUsd, rate limits, monthly request limits, and usage dashboards keep spend visible.
Leaked keysCustomer API keys are created once, stored hashed, and can be revoked without exposing upstream provider secrets.
Unsafe executionOneAI generates intelligence and plans. Execution belongs to OneClaw, bots, customer tools, or human operators.

Trust commitments

These are the operational controls a customer should expect before running production AI traffic through a model gateway or Task Intelligence API.

Provider keys stay server-side
Customer-facing API keys never expose OpenAI, DeepSeek, OpenRouter, or other upstream provider secrets.
No blind relay positioning
Every production response is designed to include ownership metadata: requestId, provider, model, usage, latency, cost, and fallback state where available.
No execution inside OneAI
OneAI plans, coordinates, records, and verifies. External systems such as OneClaw, OpenClaw, bots, tools, or humans execute actions.
Customer keys are hashed
OneAI stores customer API key hashes, not plaintext keys. Plaintext keys are shown once at creation.
Usage is auditable
Requests, failed requests, API key events, billing events, and Agent OS execution records are logged for operational review.
Proof can be reviewed
Agent OS proof can be marked verified, needs_review, or rejected by an operator before being trusted as completed evidence.
Data handling

Clear boundaries for customer data and provider routing.

Payload storage

Request input/output can be logged for debugging and support where enabled by product policy.

Deletion path

Customer data deletion can be handled by operator request while self-serve deletion controls are expanded.

Training boundary

OneAI does not position customer API traffic as training data for OneAI-owned models. Upstream provider handling depends on the provider selected and its terms.

Retention

Operational logs are retained for billing, abuse prevention, debugging, and customer support until a formal retention window is configured.

Execution Boundary

OneAI is the intelligent coordination brain. Execution remains intentionally outside OneAI so customers can preserve approval, accountability, and operational control.

BoundaryMeaning
OneAI may doPlan, route, generate structured intelligence, create handoff contracts, record approvals, store proof/result metadata, and expose audit trails.
OneAI will not doClick buttons, log into customer tools, spend funds, post to social accounts, deploy code, move assets, or call external execution systems as the actor.
Executors doOneClaw, OpenClaw, bots, customer agents, or humans perform external actions and call back with proof and results.
Operators verifyAdmins review proof, failures, customer usage, cost, and audit events before trusting an execution as complete.
Enterprise documents

Procurement-ready trust package.

Customers evaluating OneAI for production can review the service boundary, SLA overview, DPA overview, invoice path, terms, and privacy/data handling notes before moving into an enterprise contract.

Operational recommendation

Keep secrets server-side, pass requests through your backend, set idempotency keys for retries, and monitor usage daily before increasing customer limits.

Production checklist
  • Separate prod and dev API keys
  • Set monthly budgets and maxCostUsd
  • Enable Stripe billing before paid traffic
  • Review Usage for errors and cost spikes
  • Health-check new providers before exposing them