Legal · Security

Security

Last updated · June 4, 2026 · v1.0

This Security Policy describes how OpsNGIN ("OpsNGIN," "we," "us," "our") protects the OpsNGIN platform and related services (the "Services") and the data they handle. It complements our Privacy Policy, Data Processing Agreement, and Sub-Processor list.

OpsNGIN is an autonomous AI infrastructure operations platform. Because the Services operate on customer-authorized infrastructure, security is a foundational design requirement of the platform. This policy explains the controls we apply and the responsibilities we share with you.

1. Our approach

We design the Services around a small number of principles: encrypt data everywhere, grant the least privilege necessary for the shortest time necessary, log what happens, keep customers' data isolated, and keep a human able to intervene. The sections below describe how each is implemented.

2. Data protection

  • Encryption in transit. All connections to the Services, and all connections the Services make to your infrastructure, are protected with TLS. Web traffic is served over HTTPS.
  • Encryption at rest. Customer infrastructure data and account data that we store are encrypted at rest using industry-standard encryption (for example, AES-256).
  • Backups. Backups of Customer Data are encrypted and stored in object storage. Deletion timelines (active systems within 30 days, backups within 90 days, unless retention is legally required) are set out in the Privacy Policy and DPA.
  • Key management. Encryption keys are managed using our propitory vault service with restricted access.

3. Privileged access to your infrastructure

This is the highest-sensitivity area of the Services, and we treat it accordingly.

  • Brokered access. Privileged access to your infrastructure is established through a hardened access broker rather than through standing, shared, or long-lived credentials.
  • Just-in-time, time-bound. The broker issues just-in-time credentials with a limited time-to-live, after which access expires automatically.
  • Least privilege. Access is scoped to what a given operation requires, on a least-privilege and need-to-know basis.
  • Credential handling. Credentials and secrets used to reach your infrastructure are stored encrypted and are not exposed in logs or audit records.
  • Session records. Privileged sessions are recorded — who initiated them, when, the time-to-live granted, and what was accessed — and are available to you.

4. Action safety and AI accountability

Because OpsNGIN can execute actions, control over those actions is a security control.

  • Command classification. Actions are classified by type (read, write, execute, install, reboot) and handled according to your configuration.
  • Autonomy tiers. You choose the autonomy tier (Approval / Trusted / Closed Loop) that governs whether an action requires human approval before execution.
  • Verification and rollback. The Services verify the outcome of actions and support rollback where an action did not produce the expected result.
  • Audit logs. Proposed and executed actions, the evidence considered, and verification records are recorded and made available to you for review, incident analysis, and your own audit needs.

5. Human access to customer data

OpsNGIN personnel do not access Customer Data except to provide requested support, to investigate or remediate a security or operational issue, to comply with a valid legal obligation, or with your explicit authorization. Such access is limited to the minimum data and personnel needed, granted on a least-privilege basis, time-bound where possible, and logged. Most operations run automatically without any human reading your data. This mirrors Section 10 of the Privacy Policy.

6. Application and platform security

  • Authentication. We use passwordless magic-link sign-in for confirmed subscribers; we do not store passwords for these accounts. Sign-in tokens are short-lived.
  • Tenant isolation. Customer operational context and data are logically segregated per account.
  • Secure development. Changes to the Services follow a controlled development and deployment process, including code review and dependency management.
  • Hardening. Production systems are configured to reduce attack surface and are kept up to date with security patches.

7. Network and infrastructure security

  • The Services run on reputable cloud and infrastructure providers (see the Sub-Processor list).
  • Public pages are fronted by a CDN with edge protection.
  • Internal network access between components is restricted to what each component requires.

8. Logging, monitoring, and audit

  • Privileged sessions and executed actions are logged and available to you.
  • Audit records are protected from unauthorized modification through access controls, and are retained according to the retention schedule configured for the Services.
  • We maintain operational logging and monitoring of the Services to detect and respond to security and availability events.
  • Administrative access to production systems by our personnel is restricted and monitored.

9. Vendor and sub-processor security

We engage a limited set of sub-processors to deliver the Services. Each is bound by a written agreement requiring appropriate security measures and prohibiting use of Customer Data for the vendor's own purposes, including model training. Cloud AI providers used for hard diagnostics process requests only to return a result and do not use the content to train their models, on the API tiers we use. Our sub-processors are listed at the Sub-Processor list.

10. Incident response and breach notification

We maintain documented procedures for identifying, containing, investigating, remediating, and learning from security incidents. If a Personal Data Breach affecting Customer Data occurs, we will notify affected customers without undue delay and provide the information reasonably available to help you meet your own notification obligations, as set out in our DPA. Where the law requires, we will also notify the relevant supervisory authority.

11. Vulnerability disclosure (responsible disclosure)

We welcome reports from security researchers and customers.

  • How to report. Email admin@opsngin.ai with enough detail to reproduce the issue.
  • Acknowledgment. We acknowledge security reports within 5 business days and keep reporters informed of remediation progress where appropriate.
  • Safe harbor. If you make a good-faith effort to comply with this policy during your research, we will not pursue or support legal action against you for that research, and we will work with you to understand and resolve the issue quickly.
  • Please do. Give us reasonable time to remediate before public disclosure; only interact with accounts you own or have permission to test; and avoid actions that could harm data, availability, or others' privacy.
  • Please do not. Access, modify, or delete other users' or customers' data; run denial-of-service or volumetric tests; perform social engineering or physical attacks; or use automated scanning that degrades the Services.

We do not currently operate a paid bug-bounty program; this is a coordinated disclosure policy. [Update if/when a bounty exists.]

12. Compliance and certifications

We maintain administrative, technical, and organizational safeguards appropriate to the sensitivity of the data we handle, and we honor the data-protection obligations described in our Privacy Policy and DPA. We expect to pursue additional formal certifications and independent assessments (such as third-party penetration testing and recognized security attestations) as the platform matures, and we will publish their status here when available.

13. Shared responsibility

Security of the Services is a partnership. OpsNGIN is responsible for the security of the platform as described above. You are responsible for:

  • ensuring you have the rights and authority to connect the infrastructure, systems, and data you connect, and that doing so is lawful (see Section 4 of the Privacy Policy and the authorization terms in your agreement);
  • configuring access scope and the autonomy tier appropriately for your risk tolerance;
  • safeguarding your own account, users, and any credentials you control;
  • reviewing the audit records the Services make available to you; and
  • securing the underlying systems you operate, beyond the actions you delegate to OpsNGIN.

14. Changes and contact

We may update this policy as the Services and our practices evolve; material changes will be reflected in the "Last updated" date and, where significant, accompanied by additional notice.