Enterprise-Grade Security

Security at OpsMerge

Your IT documentation contains sensitive information about your clients’ infrastructure. We treat its protection as our highest priority, with multiple layers of defence built into every aspect of the platform.

Zero-Knowledge Encryption

Your documentation is encrypted with industry-leading standards. Data is protected both at rest and in transit, ensuring that sensitive information remains confidential.

  • AES-256-GCM encryption for all data at rest
  • Client-side encryption for sensitive fields — the server never sees plaintext values
  • TLS 1.3 for all data in transit with perfect forward secrecy
  • Encryption keys managed with strict access controls and regular rotation

Tenant Isolation

Every organisation's data is completely isolated from every other organisation's. Our multi-tenant architecture enforces boundaries at the database level, not just the application level.

  • PostgreSQL Row-Level Security (RLS) policies on all tenant-scoped tables
  • Every database query is automatically scoped to the authenticated tenant
  • No shared data pools — tenant isolation is enforced even if application logic is bypassed
  • Regular automated testing to verify isolation boundaries

Authentication

MFA Required

Strong authentication is not optional — it is mandatory. Every account is protected with multi-factor authentication and secure session management from day one.

  • Mandatory multi-factor authentication (TOTP) for all user accounts
  • Secure session management with server-side token validation
  • Brute-force protection with progressive lockout and rate limiting
  • Secure password hashing using modern, adaptive algorithms

Access Control

Granular, role-based access controls ensure that users see and do only what they are authorised to. Permissions can be tailored at the resource level.

  • Role-based access control (RBAC) with predefined and custom roles
  • Resource-level permissions for fine-grained access management
  • IP allowlisting to restrict access to trusted networks
  • Session management with configurable timeout policies

Audit Trail

Every significant action within OpsMerge is logged in an immutable audit trail, giving you full visibility into who did what and when.

  • Immutable logging of all user actions, authentication events, and configuration changes
  • 90-day retention with full searchability and filtering
  • Exportable audit logs for compliance and internal review
  • Tamper-evident log storage that cannot be modified after creation

Infrastructure

OpsMerge runs on hardened, private cloud infrastructure designed for reliability, security, and performance. Our infrastructure is continuously monitored and regularly patched.

  • Private cloud hosting with dedicated compute resources
  • Encrypted storage volumes with automated backups
  • Network segmentation with strict firewall rules and intrusion detection
  • Automated patching and vulnerability management for all infrastructure components

Compliance

GDPR Compliant

We are committed to meeting the highest standards of data protection and regulatory compliance. Our platform is designed with privacy and security by default.

  • Fully GDPR compliant with a comprehensive Data Processing Agreement
  • Working toward SOC 2 Type II certification
  • Data residency awareness with clear documentation of data locations
  • Regular compliance reviews and gap assessments

Vulnerability Management

We take a proactive approach to security through regular testing, continuous monitoring, and a responsible disclosure programme that welcomes security researchers.

  • Regular penetration testing and vulnerability assessments
  • Continuous dependency scanning and automated security updates
  • Responsible disclosure programme for external security researchers
  • Rapid response process for critical vulnerabilities with defined SLAs

Have security questions?

We are happy to discuss our security practices in detail, provide additional documentation, or address specific compliance requirements for your organisation.

Contact our team at security@opsmerge.cloud