Security Policy

How we secure customer data.

This page summarises OpX's information security controls. The full policy is available to customers under NDA on request.

Encryption

  • TLS 1.3 enforced on all external endpoints. HSTS preload-eligible policy.
  • AES-256 encryption at rest on all database volumes (AWS RDS managed by Supabase) and S3-backed object storage.
  • pgcrypto application-level encryption for sensitive credentials and tokens.
  • Backup volumes encrypted at rest using the same standard.

Access control

  • Role-based access control with multiple standard roles, segregating administration, delivery, and learner access.
  • Row-Level Security enforced on every customer-data table.
  • SECURITY DEFINER functions configured with an explicit `search_path` setting.
  • Tenant isolation verified continuously as part of the deployment pipeline.
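As an added example (not OpX's schema or code), the PostgreSQL statements below show what the three controls above look like in practice: Row-Level Security on a tenant-scoped table, a SECURITY DEFINER function that pins its `search_path`, and a query that can serve as a tenant-isolation regression check. The table name `learner_records`, the role `app_role`, and the session setting `app.tenant_id` are assumptions made for the example.

```sql
-- Example only: a tenant-scoped table with Row-Level Security (RLS).
CREATE ROLE app_role NOLOGIN;  -- assumed application role

CREATE TABLE public.learner_records (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid  NOT NULL,
    learner_id  uuid  NOT NULL,
    payload     jsonb NOT NULL
);

GRANT SELECT, INSERT ON public.learner_records TO app_role;

ALTER TABLE public.learner_records ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policy to the table owner as well (superusers and
-- BYPASSRLS roles are still exempt), so owner-run code cannot skip it.
ALTER TABLE public.learner_records FORCE ROW LEVEL SECURITY;

-- Assumption: the application sets the caller's tenant in the session
-- setting app.tenant_id. current_setting(..., true) returns NULL when the
-- setting is absent, so an unset tenant sees and writes no rows.
CREATE POLICY tenant_isolation ON public.learner_records
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- SECURITY DEFINER runs with the owner's privileges, so search_path is
-- pinned explicitly: otherwise an object placed in a schema the caller can
-- write to could be resolved ahead of the intended one. Objects in the body
-- are schema-qualified for the same reason.
CREATE FUNCTION public.count_tenant_records(p_tenant uuid)
RETURNS bigint
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
    SELECT count(*) FROM public.learner_records WHERE tenant_id = p_tenant;
$$;

-- Functions are executable by PUBLIC by default; restrict to the app role.
REVOKE ALL ON FUNCTION public.count_tenant_records(uuid) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION public.count_tenant_records(uuid) TO app_role;

-- Tenant-isolation regression check (constructed tenant id): with tenant A
-- set, rows belonging to any other tenant must not be visible. A pipeline
-- can fail the deployment if this query returns anything other than 0.
SET ROLE app_role;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', false);
SELECT count(*) AS rows_leaked
  FROM public.learner_records
 WHERE tenant_id <> current_setting('app.tenant_id')::uuid;
RESET ROLE;
```

The regression check is deliberately phrased as a count of rows that should be invisible rather than of rows that should be visible, so that an empty tenant and a working policy are not confused with each other; the test data for a second tenant has to be present for the check to be meaningful.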

Authentication

  • Single sign-on via WorkOS (SAML 2.0 / OIDC), compatible with Okta, Azure AD, Google Workspace, and OneLogin.
  • Magic-link authentication for self-serve organisations. MFA enforced at the IdP layer for SSO customers.
  • Customer-provisioned API tokens scoped to a single tenant.

Monitoring and audit

  • Health-check Edge Function polling every 30 seconds across database, storage, auth, and email subsystems.
  • Per-tenant audit logging across data access, admin actions, authentication events, and role changes.
  • Continuous dependency vulnerability scanning with timely remediation.

Personnel

  • Production access restricted to a small group of OpX engineering personnel.
  • Access governed by Information Security Policy and Acceptable Use Policy.
  • Background checks and onboarding security training before production access is provisioned.
  • Elevated permissions issued just-in-time via separate, time-bounded credentials, with all use fully logged.

Incident response

  • Documented incident response process covering detection, triage, containment, eradication, recovery, and post-incident review.
  • 72-hour breach notification SOP with documented customer-communication template.
  • Annual disaster recovery test; summary results available on request.

Continuous improvement

  • ISO 27001 / Cyber Essentials Plus on certification roadmap.
  • Annual independent penetration test by a CREST-accredited (or equivalent) provider.
  • Continuous internal security validation in the SDLC: dependency scanning, static analysis, tenant-isolation regression tests, managed-platform advisor checks.

Get the full policy

The complete Information Security Policy — including control references, evidence pointers, and review cadence — is shared under mutual NDA.

We share the full document with active customers and qualified prospects after a mutual NDA.