Security Practices

Security is not a feature. It is the product.

OpsFox builds security tools trusted by engineering teams to protect their most critical assets. That responsibility starts with how we protect ours. This page documents the security practices, certifications, and commitments that govern how Sentinel and Farsight operate.

Infrastructure Security

OpsFox runs on hardened AWS infrastructure with defense-in-depth at every layer. All data is encrypted at rest using AES-256 and in transit via TLS 1.3. Services operate within isolated VPCs with strict network segmentation, and access to production systems requires multi-party approval through our privileged access management system.

  • AES-256 encryption at rest across all data stores
  • TLS 1.3 enforced for all data in transit
  • VPC isolation with private subnets and no public-facing databases
  • Infrastructure as Code with automated security policy enforcement

Data Protection

We treat your source code as the most sensitive asset in your organization. Sentinel and Farsight analyze code in ephemeral, sandboxed environments. Source code is never persisted after analysis completes. Only findings metadata and remediation context are stored, encrypted, and scoped to your tenant.

  • Source code is never stored -- analysis runs in ephemeral containers
  • Findings metadata encrypted per-tenant with isolated key material
  • Customer data logically isolated with strict tenant boundaries
  • Data residency options available for EU, US, and APAC regions

Access Control

Every authentication and authorization decision in OpsFox follows the principle of least privilege. We support enterprise-grade identity federation so your team manages access through the identity provider they already trust, with full audit visibility into every action taken on the platform.

  • SSO and SAML 2.0 integration with all major identity providers
  • Role-based access control with granular permission scoping
  • Multi-factor authentication enforced for all accounts
  • Immutable audit logging of every authentication and authorization event

Compliance

OpsFox maintains rigorous compliance certifications and undergoes regular third-party audits to validate our security controls. Our compliance program is designed to meet the requirements of security-conscious organizations across regulated industries.

  • SOC 2 Type II certified with annual audit cycle
  • ISO 27001 certification in progress
  • GDPR compliant with Data Processing Agreements available
  • CCPA compliant with documented data handling practices

Vulnerability Management

We hold ourselves to the same standard we set for our customers. Our own infrastructure and applications are continuously scanned using Sentinel, and we maintain strict SLAs for remediation. Security researchers are welcome to test our defenses through our responsible disclosure program.

  • Continuous automated scanning of all OpsFox infrastructure
  • Critical vulnerabilities triaged and patched within 24 hours
  • Responsible disclosure program with defined safe harbor policy
  • Regular third-party penetration testing by independent firms

Incident Response

OpsFox maintains a documented and rehearsed incident response plan with clear escalation paths and communication protocols. Our on-call security engineering team provides rapid initial response, and affected customers are notified through established channels with full transparency.

  • Documented IR plan tested through regular tabletop exercises
  • 1-hour initial response SLA for confirmed security incidents
  • Real-time platform status available at status.opsfox.com
  • Post-incident reports shared with affected customers within 72 hours

Responsible Disclosure

Found something? Tell us.

We believe security is a shared responsibility. If you discover a vulnerability in any OpsFox product or infrastructure, we want to hear from you. We commit to working with researchers in good faith, responding promptly, and recognizing contributions that help us improve.

Disclosure Guidelines

  • Report vulnerabilities to security@opsfox.com with a detailed description and reproduction steps
  • Allow a reasonable timeframe for us to investigate and remediate before public disclosure
  • Do not access, modify, or delete data belonging to other users during your research
  • We will not pursue legal action against researchers acting in good faith under this policy

Security Contact

security@opsfox.com

Questions about our security practices?

Our security team is available to discuss compliance requirements, provide documentation, or answer questions about how OpsFox protects your data.