Security
Last updated: 1 March 2026
Our Commitment
Security is a core part of how we build and operate Ops Intel. We take the protection of your business data seriously and continuously work to maintain robust defences.
Infrastructure
- Hosting: Ops Intel runs on Railway, a managed cloud platform with enterprise-grade infrastructure.
- Encryption in transit: All data between your browser and our servers is encrypted using TLS 1.2+.
- Encryption at rest: Database data is encrypted at rest by our hosting provider.
- Database: PostgreSQL 16 with connection pooling; the database is not publicly accessible.
Application Security
- Authentication: Passwords are hashed using Django's PBKDF2-SHA256 algorithm. We support email verification on signup.
- Session security: HTTPS-only secure cookies with HttpOnly and SameSite=Lax flags.
- CSRF protection: All state-changing requests require a valid CSRF token.
- Multi-tenancy: All data is isolated by tenant at the database query level. Every query is scoped to the authenticated user's tenant, so one tenant's data is never returned to another; this isolation is enforced consistently rather than left to individual views.
- Role-based access control: Four roles (Owner, Admin, Manager, Viewer) with enforced permission checks on every endpoint.
- Secret management: API keys and secrets are stored as environment variables and never committed to source code.
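The query-level tenant scoping and the per-endpoint role checks described above, as an added illustration that is not Ops Intel's own code: an in-memory SQLite table stands in for the PostgreSQL database, the role-to-permission matrix is hypothetical (the page names the four roles but not what each may do), and the function names and sample rows are invented for the example. Django is not used, so the snippet runs offline. The points it shows are that the tenant id comes from the authenticated principal and never from request input, that every SELECT and UPDATE carries a tenant predicate so a guessed id from another tenant simply matches nothing, and that the permission check denies by default for any unknown role.

```python
"""Tenant-scoped data access with role-based permission checks.

Added example for this page, not Ops Intel's code. The table shape, the
PERMISSIONS matrix, the sample rows and the function names are assumptions.
"""
import sqlite3
from dataclasses import dataclass

# Hypothetical role matrix: the page lists four roles but not their rights.
PERMISSIONS = {
    "owner":   {"read", "write", "delete", "manage_billing", "manage_users"},
    "admin":   {"read", "write", "delete", "manage_users"},
    "manager": {"read", "write"},
    "viewer":  {"read"},
}


@dataclass(frozen=True)
class Principal:
    """What the session layer establishes after authentication."""
    user_id: int
    tenant_id: int
    role: str


class PermissionDenied(Exception):
    pass


def require(principal, permission):
    """Deny by default: a role missing from the matrix has no permissions."""
    if permission not in PERMISSIONS.get(principal.role, set()):
        raise PermissionDenied(f"role {principal.role!r} may not {permission}")


def open_db():
    """In-memory stand-in for the database, seeded with constructed rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE business (id INTEGER PRIMARY KEY, "
        "tenant_id INTEGER NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO business (tenant_id, name) VALUES (?, ?)",
        [(1, "Acme Plumbing"), (1, "Acme Roofing"), (2, "Bravo Cafe")],
    )
    return conn


def list_businesses(conn, principal):
    """Read endpoint: permission check first, then a query scoped to the caller's tenant."""
    require(principal, "read")
    rows = conn.execute(
        "SELECT id, name FROM business WHERE tenant_id = ? ORDER BY id",
        (principal.tenant_id,),
    ).fetchall()
    return [name for _, name in rows]


def rename_business(conn, principal, business_id, new_name):
    """Write endpoint. The tenant predicate on the UPDATE means an id that belongs
    to another tenant matches zero rows; the caller sees rowcount 0, not a leak."""
    require(principal, "write")
    cur = conn.execute(
        "UPDATE business SET name = ? WHERE id = ? AND tenant_id = ?",
        (new_name, business_id, principal.tenant_id),
    )
    return cur.rowcount


if __name__ == "__main__":
    db = open_db()
    owner_t1 = Principal(user_id=1, tenant_id=1, role="owner")
    viewer_t2 = Principal(user_id=2, tenant_id=2, role="viewer")
    print(list_businesses(db, owner_t1))           # tenant 1 rows only
    print(rename_business(db, owner_t1, 3, "x"))   # 0: id 3 belongs to tenant 2
    try:
        rename_business(db, viewer_t2, 3, "x")     # viewers cannot write
    except PermissionDenied as e:
        print(e)
```

The same shape carries over to an ORM: put the tenant filter in a custom manager or a base queryset so that code paths cannot forget it, and apply the role check in a decorator or permission class that runs before the view body.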
Payment Security
We do not store payment card data. All payment processing is handled by Stripe, which is PCI DSS Level 1 certified. We store only non-sensitive billing metadata (last 4 digits, expiry month/year).
Third-Party Sub-processors
We use a small number of vetted sub-processors. Each has appropriate security practices:
- Stripe (payments)
- SendGrid / Twilio (email delivery)
- Anthropic (AI features — message content is processed but not stored)
- Google Maps API (business data enrichment)
Responsible Disclosure
If you believe you have found a security vulnerability in Ops Intel, please report it responsibly:
- Email: scott@opsintel.io with subject line "Security Disclosure"
- Include a description of the vulnerability and steps to reproduce it
- Do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate
We will acknowledge your report within 3 business days and aim to resolve confirmed vulnerabilities within 30 days. We do not currently offer a bug bounty programme, but we sincerely appreciate responsible disclosures.
Incident Response
In the event of a data breach affecting your personal data, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, as required by UK GDPR Article 33, and will notify affected users within the same 72-hour window (the duty to inform affected individuals is set out in Article 34).
Questions
For security enquiries, contact us at scott@opsintel.io.