Security at OpsForge
Security and privacy are part of every release. This page summarises how we protect your data, who we work with, and how to reach our security team.
Compliance
SOC 2 Type II: Planned
On the roadmap. Audit window starts when we cross 50 enterprise customers.
GDPR: In progress
Data subject rights, consent records, and sub-processor transparency are live. Data Processing Agreement available on request; formal sign-off pending legal review.
CCPA / CPRA: In progress
Do Not Sell or Share, Global Privacy Control, and the rights to know, delete, and opt out are implemented. Final policy review pending.
PECR / ePrivacy: In progress
Cookie consent is enforced before any non-essential cookie loads, with a published cookie inventory. Final review pending.
Security controls
Encryption at rest
All data in Postgres is AES-256 encrypted at rest. BYOK keys are additionally AES-GCM encrypted at the application layer with a key never stored in the database.
Encryption in transit
TLS 1.3 enforced on every endpoint. Strict-Transport-Security with preload.
Authentication
Email and password with strong password rules, OAuth (Google, GitHub, Facebook, LinkedIn, Twitter), TOTP-based MFA, and WebAuthn passkeys.
Authorisation
Postgres RLS on every table. Permission-string RBAC at the workspace level with custom roles on higher-tier plans.
Audit logs
Every privileged action is recorded in an account-level audit log (90-day retention, configurable, CSV export).
Backups
Continuous WAL backups with 7-day point-in-time recovery.
Vulnerability scanning
Dependabot for dependencies; CodeQL for source. Sentry for runtime monitoring.
Incident response
24-hour acknowledgement; 72-hour notification to affected customers when their data is impacted.
Subprocessors
Third parties that process customer data on our behalf. We notify customers of changes via the changelog.
| Provider | Purpose | Data | Location |
|---|---|---|---|
| PostgreSQL (Managed) | Database, auth, storage | All app data | us-east-1 |
| Vercel | Application hosting | Request logs, build artifacts | Global edge |
| Stripe | Payments | Billing details | US, EU |
| Resend | Transactional email | Email + name | US |
| Sentry | Error monitoring | Stack traces, request context | US |
| Google APIs | Client asset connections | Read-only OAuth tokens for GA4, Search Console, GTM, Google Ads | Global |
| Anthropic | AI features (optional) | Only when an AI feature is enabled | US |
Report a vulnerability
If you believe you've found a security issue, please email security@opsforge.agency. We aim to acknowledge within one business day.