Trust Centre

Built for enterprise procurement, auditable by design.

OpX is operated to ISO 27001 / Cyber Essentials Plus principles, with UK data residency, encryption-by-default, and a documented security posture available for review.

Download the security evidence pack

Procurement and InfoSec team reviewing security evidence

Trust Centre

Built for enterprise procurement, auditable by design.

OpX is operated to ISO 27001 / Cyber Essentials Plus principles, with UK data residency, encryption-by-default, and a documented security posture available for review.

Download the security evidence pack

Security posture

TLS 1.3, AES-256, RLS multi-tenant isolation, RBAC, audit logging.

Sub-processors

Nine named sub-processors with location, purpose, and transfer mechanism.

Data Processing Addendum

Standard DPA template, downloadable. UK GDPR Art. 28 compliant.

Compliance

Live: aligned to NCSC Cloud Security Principles, encryption-by-default, RLS isolation. On the roadmap: ISO 27001 and Cyber Essentials Plus — target dates in /trust/compliance.

AI policy

No customer data used to train shared AI models. Anonymised prompts, no-training contractual terms.

Availability and continuity

99.9% monthly uptime. RTO < 1 hour. RPO < 5 minutes. Annual DR test.

At a glance

Quick reference for procurement and InfoSec.

Hosting: AWS eu-west-2 (London) via Supabase managed platform
Encryption: TLS 1.3 in transit, AES-256 at rest, pgcrypto for sensitive credentials
Tenant isolation: Row-Level Security on every customer-data table; verified continuously
Authentication: SSO (SAML 2.0 / OIDC) via WorkOS; Okta and Azure AD compatible
Identity lifecycle: SCIM 2.0 via WorkOS Directory Sync (Enterprise tier)
Backup: Automated daily + 7-day point-in-time recovery
Data residency: United Kingdom
Breach notification: 72 hours from awareness
Audit log retention: ≥ 12 months via export mechanisms
Disaster recovery: Documented plan, tested annually
Sub-processors: Nine named, change notification 30 days
AI model training: Customer data never used to train shared models

Found a security issue?

Tell us — we'll fix it and credit you.

We operate a responsible disclosure programme. Email security@opx.io with details. We aim to acknowledge within 24 hours and remediate critical issues inside 14 days. Researchers acting in good faith will not face legal action.

Read the responsible disclosure policy

Procurement / InfoSec team?

Request the full security evidence pack

NDA-gated bundle including security policy, sub-processor list, architecture overview, DPA, and recent advisor verification report.

Request the pack

Customer with a security question?

Email security@opx.io

Direct route to our security team for any active customer or pilot account.

security@opx.io