Skip to main content
Security

How we handle your data.

Each customer has their own isolated workspace. Data is encrypted in transit and at rest. You can export everything any time. We never train models on your data.

One workspace per customer

Each business gets its own isolated vault folder. Your data never sits in a shared table next to another customer's records. The AI only ever sees one vault at a time.

Encryption

TLS 1.3 in transit on every connection. AES-256-GCM at rest with per-vault encryption keys derived via HKDF-SHA256 from a master key kept separately from the database. A breach of one vault's ciphertext does not expose another vault. HSTS preload-eligible.

Authentication

Bcrypt password hashing (cost factor 12) with 8-character minimum. JWT sessions in httpOnly + Secure + SameSite=strict cookies (never browser localStorage). Sessions revocable server-side. Email verification required before login.

Continuous security review

Automated checks block deploys when they regress: lint rules ban known-bad patterns (unparameterized SQL, unsanitized tool inputs, unguarded path templates), TypeScript strict mode, full test suite, npm audit at low severity. Periodic deep-audit rounds against the entire codebase using parallel review agents.

Access control

Role-based permissions on every API endpoint. Vault path scoping derived from the authenticated session, sanitized server-side against directory traversal. Webhook deliveries verified by signature (HMAC, Ed25519, or vendor-equivalent) before any state change. File uploads validated by magic-byte detection, not by client Content-Type.

Infrastructure

Production servers on Hetzner Cloud in Helsinki, Finland (EU jurisdiction; ISO 27001 certified; GDPR-aligned). Non-root process execution. Security headers: Strict-Transport-Security with two-year max-age + preload, X-Content-Type-Options: nosniff, Cache-Control: no-store on sensitive routes, TRACE method disabled.

Data portability

Full vault export as a ZIP file is available any time, in-app. Cancel any time and take everything with you.

Have security questions? security@opsystem.ai