opsnite
Security

We treat your data like it’s our data.

opsnite is a compliance platform. The honest version: here is what we have built, what we are working toward, and where we will not pretend.

Our posture

What we have today.

SEC-01

Encryption everywhere

TLS 1.3 in transit. AES-256 at rest. Tenant data is encrypted with per-tenant keys, AWS KMS-managed. Bring-your-own-key is on the roadmap for Enterprise.

SEC-02

Identity and access

SAML / OIDC SSO. SCIM provisioning. RBAC with fine-grained permissions and least-privilege defaults. MFA is mandatory for all opsnite personnel.

SEC-03

Audit log

Centralized audit log for every write, streamed to a tamper-evident store. Tenant admins can query the log directly.

SEC-04

Vulnerability management

Automated dependency, container, and infrastructure scanning on every deploy. Critical findings are triaged within 24 hours; remediation SLAs will be tracked publicly on this page once we publish them.

SEC-05

Infrastructure

AWS-native. Per-tenant data isolation at the row + key level. Region pinning. Immutable infra; every deploy is reproducible from source.

SEC-06

We run on opsnite

Our SOC 2 audit, ISO 27001 readiness, pen test engagement, vendor register, and contract obligations all live inside the same platform we sell. The next section is the in-flight list. No external audit reports yet; we will publish them when we have them.

Trust status

We use opsnite to run opsnite.

Every compliance item is scoped, owned, and tracked in the same modules we sell. The board below is the same shape customers will see on the public Trust Portal when v1.2 ships.

Trust status · snapshot from our opsnite tenant
snapshot · built 2026-06-11 17:16 UTC · auto-refresh ships with Trust Portal
Operator legend: Self-run · Third-party verified · Hybrid (program self-run + independent attestation)

SOC 2 Type II

Type I observation
Self-run · Independent CPA attests

Control library, evidence collection, and walkthroughs run inside our own platform. Attestation report issued by an independent CPA firm — required for SOC 2.

47 / 64 controls implemented
Auditor: Engaged
Type I close: 2026-07-15
Type II window: 2026-Q4 → 2027-Q2
Tracking → Audit Management
Drill-down ships in Trust Portal · v1.2

ISO 27001

SoA drafted
Self-run · Accredited body certifies

ISMS, Statement of Applicability, and control library run in our GRC module. Certificate issued by an accredited certification body — required for ISO 27001.

92 / 103 Annex A mapped
Cert body: Selected
Stage 1: 2026-09
Stage 2: 2026-12
Tracking → GRC + Statement of Applicability
Drill-down ships in Trust Portal · v1.2

Penetration testing

Internal continuous · External scheduled
Self-run internal · Third-party external

We run internal pen tests against ourselves continuously through our Pen Test module. The external test required for SOC 2 is scoped, vendor short-listed, and scheduled before the Type II window closes.

Targets: Web · API · Cloud
Methodology: OWASP + CIS
External window: Before Type II close
Tracking → Pen Test Management
Drill-down ships in Trust Portal · v1.2

Vulnerability program

Continuous program · snapshot at build
Self-run

Continuous scanning across infrastructure and dependencies. Findings deduped and routed to the engineer who owns the asset. Run entirely on our platform.

0 / 2 / 7 / 14 critical / high / med / low
Cadence: Hourly · on-deploy · weekly deep
Prioritization: EPSS + KEV
SLA: 24h critical · 7d high
Tracking → Vulnerability Management
Drill-down ships in Trust Portal · v1.2

Vendor + contract management

All DPAs current
Self-run

Every subprocessor lives in Vendor Risk with DPA, BAA, and SOC 2 expirations tracked. Contracts versioned and obligation-extracted in Contract Lifecycle.

4 active subprocessors
DPA coverage: 4 / 4
BAA required: 0 (none today)
Next renewal: AWS · 2027-01-15
Tracking → Vendor Risk + Contract Lifecycle
Drill-down ships in Trust Portal · v1.2

Public Trust Portal

Ships with v1.2
Self-run · In build

A live read-only dashboard customers can link auditors to. Built on opsnite (the trust portal is a platform feature).

Read-only public view: In build
Scheduled: v1.2 release · 2026-Q3
Until then: security@opsnite.com
Tracking → Trust Portal feature
Drill-down ships in Trust Portal · v1.2
Audit reports and full Trust Portal access available under NDA: security@opsnite.com

We are building a compliance platform. The fastest way to make sure it works is to use it on ourselves and watch what breaks.

Subprocessors

Who we trust with your data.

Subprocessor · Purpose
AWS · Primary hosting and storage
Cloudflare · CDN and edge security
Sentry · Error monitoring (no PII)
Anthropic · AI features (per-request, opt-in)

Material changes notified to tenant admins at least 30 days in advance.

Reporting

Found something? Tell us.

We run a coordinated disclosure program. Email security@opsnite.com with details of the issue. We acknowledge within one business day, triage within three, and aim to remediate critical findings within seven.

We do not currently run a paid bug bounty. We will publicly credit researchers who report meaningful issues (with permission).

Have a specific security question?

We answer in writing. No marketing speak, no dodging.