Security

Last updated: May 13, 2026

Overview

OpsCommon LLC ("OpsCommon") is committed to protecting the security of your data. This page outlines the technical and organizational measures we implement to safeguard your information across our platform and infrastructure.

Infrastructure Security

OpsCommon is built on industry-leading cloud infrastructure providers, each maintaining rigorous security certifications and compliance standards. Our application is hosted on Cloudflare Workers and Pages (SOC 2 Type II, ISO 27001), with data stored in Convex (SOC 2 Type II). All core infrastructure operates within the United States on AWS-backed data centers.

We do not operate our own data centers or physical servers. By leveraging certified cloud providers, we benefit from enterprise-grade physical security, redundancy, and disaster recovery capabilities.

Data Encryption

At Rest

All data stored across our infrastructure providers is encrypted at rest using AES-256 encryption, the industry standard for data protection. This applies to database records in Convex, user identity data in Clerk, payment information in Stripe, and all other persisted data.

In Transit

All data transmitted between your browser and our services, and between our services and third-party providers, is encrypted using TLS 1.2 or higher. All endpoints enforce HTTPS exclusively. We implement HSTS (HTTP Strict Transport Security) headers with preload to prevent protocol downgrade attacks.

Application Security

We implement multiple layers of application-level security controls:

  • Content Security Policy (CSP): Nonce-based strict-dynamic CSP headers prevent cross-site scripting (XSS) and unauthorized script execution.
  • Frame Protection: X-Frame-Options: DENY headers prevent clickjacking attacks by blocking the application from being embedded in iframes.
  • HSTS with Preload: Strict Transport Security headers with preload ensure browsers always connect via HTTPS.
  • Rate Limiting: API endpoints are rate-limited to prevent abuse and denial-of-service attempts.
  • Webhook Verification: All incoming webhooks are verified using cryptographic signatures — Clerk webhooks via Svix signature verification and Stripe webhooks via HMAC signature validation.
  • Audit Logging: Account-level events that touch personal data — including data exports, account deletion, organization role changes, and admin actions on member profiles — are recorded in an audit log retained for 365 days, with the actor, target, action, timestamp, and affected resource.

Data Isolation

OpsCommon enforces strict organization-scoped data isolation at the database level. Every query and mutation in our Convex backend verifies that the requesting user belongs to the organization that owns the data. This is enforced server-side through mandatory access verification functions that run before any data is read or written.

Users can only access data belonging to organizations they are members of. There is no mechanism for cross-organization data access in the standard platform.

Authentication and Access Control

Authentication is managed by Clerk, a dedicated identity provider. Clerk handles all credential storage, session management, and multi-factor authentication. OpsCommon never directly stores or processes user passwords.

  • Organization-Based RBAC: Access is controlled through Clerk's organization-based role and permission system, with roles such as Administrator and Member.
  • Session Management: Authentication sessions are managed via secure, HTTP-only cookies with appropriate expiration and renewal policies.
  • All Clerk sub-processors are US-based, ensuring user identity data remains within the United States.

Monitoring, Error Tracking, and Product Analytics

We use Sentry for error monitoring and PostHog for product analytics. Both are gated on user consent and configured to minimize data exposure:

  • Consent-Gated: Sentry's replay integration is loaded only after a user has accepted analytics, and Sentry drops every error and transaction until consent is granted. PostHog is initialized with capturing opted out by default and is opted in only after acceptance. If a user later rejects, PostHog is opted out and the locally stored distinct ID is cleared.
  • Token Scrubbing: API keys and other sensitive tokens are automatically removed from Sentry exception messages, breadcrumbs, stack frame filenames, and event messages before they leave the browser.
  • PII Disabled in Sentry: Automatic collection of personally identifiable information (sendDefaultPii) is disabled. Only account ID and organization ID are sent for debugging context, and console-breadcrumb arguments that could carry structured payloads are dropped.
  • Error Filtering: Known non-actionable browser, extension, and third-party errors (stale chunk loads, Clerk handshake retries, geolocation prompts, expected Convex permission errors) are filtered before being sent.
  • US-Based: Sentry data is processed and stored on Google Cloud Platform infrastructure in the United States. PostHog data is processed and stored in the United States.
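The consent gate, token scrubbing and console-argument dropping described above, sketched as a Sentry-style beforeSend hook. This is an added example, not OpsCommon's configuration: the token patterns, the hasConsent callback and the sample event are assumptions, and the hook is a plain function so it runs without the Sentry SDK.

```javascript
// Assumed token shapes; a real deployment lists the key formats it actually issues.
const TOKEN_PATTERNS = [
  /\b(?:sk|pk|rk)_(?:live|test)_[A-Za-z0-9]{8,}\b/g,        // Stripe-style API keys
  /(\bBearer\s+)[A-Za-z0-9._~+\/-]{8,}=*/g,                 // Authorization header values
  /([?&](?:token|api_key|apikey|access_token)=)[^&\s#]+/gi, // secrets in query strings
];

// Replace every token match with a marker, keeping any captured prefix (e.g. "?token=").
function scrubString(text) {
  if (typeof text !== "string") return text;
  return TOKEN_PATTERNS.reduce(
    (out, re) => out.replace(re, (match, p1) => (typeof p1 === "string" ? p1 : "") + "[REDACTED]"),
    text
  );
}

// hasConsent is a hypothetical callback returning the user's current analytics choice.
function makeBeforeSend(hasConsent) {
  return function beforeSend(event) {
    if (!hasConsent()) return null; // returning null from beforeSend drops the event
    if (event.message) event.message = scrubString(event.message);
    for (const ex of event.exception?.values ?? []) {
      ex.value = scrubString(ex.value);
      for (const frame of ex.stacktrace?.frames ?? []) frame.filename = scrubString(frame.filename);
    }
    for (const crumb of event.breadcrumbs ?? []) {
      crumb.message = scrubString(crumb.message);
      if (crumb.category === "console" && crumb.data) delete crumb.data.arguments;
    }
    return event;
  };
}

// Constructed sample event; every key and URL below is made up.
function sampleEvent() {
  return {
    message: "request failed: Bearer abcdef0123456789",
    exception: { values: [{
      value: "401 from /api?token=s3cr3tvalue&x=1",
      stacktrace: { frames: [{ filename: "https://app.example/chunk.js?api_key=sk_test_ABCDEFGH12345678" }] },
    }] },
    breadcrumbs: [{ category: "console", message: "key sk_live_ABCDEFGH12345678",
      data: { arguments: [{ secret: "x" }], logger: "console" } }],
  };
}

console.log(JSON.stringify(makeBeforeSend(() => true)(sampleEvent()), null, 2));
```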

Third-Party API Security

We take additional steps to minimize data exposure to third-party services:

  • Weather Proxy: Weather data requests to OpenWeatherMap are routed through our server-side proxy. This hides API keys from the client and reduces coordinate precision to approximately 1.1 km before coordinates reach the external provider.
  • Mapbox Telemetry Disabled: We have disabled Mapbox performance telemetry and resource timing collection to prevent unnecessary data transmission.
  • Voice Rooms: LiveKit voice connections are gated on an explicit per-feature consent. Microphone audio is transmitted live to other participants and is not recorded by OpsCommon.
  • Bot Protection: Public-facing forms — support contact and feature request forms in the product, and the newsletter signup form on opscommon.com — are protected by Cloudflare Turnstile to reduce automated abuse without requiring a CAPTCHA puzzle.

Incident Response

OpsCommon maintains an incident response process for security events. In the event of a confirmed data breach affecting customer data, we will:

  • Investigate and contain the incident promptly
  • Notify affected customers within 72 hours of confirmation
  • Provide details about the nature of the breach, data affected, and remediation steps
  • Cooperate with applicable regulatory authorities as required by law
  • Conduct a post-incident review and implement improvements to prevent recurrence

Responsible Disclosure

We encourage security researchers to responsibly disclose vulnerabilities. If you discover a security issue, please report it to us at [email protected]. We ask that you:

  • Provide sufficient detail for us to reproduce and address the issue
  • Allow reasonable time for us to respond and remediate before public disclosure
  • Do not access, modify, or delete data belonging to other users
  • Do not perform denial-of-service testing against our production systems

Enterprise Security Options

For organizations with advanced security requirements, we offer enterprise deployment options:

  • Option A — Dedicated Database: Isolated Convex deployment with a dedicated database instance, providing complete data separation from other customers while sharing hosting infrastructure.
  • Option B — Full Stack Isolation: Dedicated Cloudflare, Convex, Clerk, PostHog project, and Sentry instances, providing complete infrastructure isolation across all layers of the platform.

Contact [email protected] to discuss enterprise security requirements.

Provider Certifications

The following table summarizes the security certifications and compliance standards maintained by our infrastructure and service providers:

| Provider | Purpose | Certifications | Location |
|---|---|---|---|
| Convex | Real-time database | SOC 2 Type II | US (AWS) |
| Cloudflare (Workers, Pages, DNS, Turnstile) | Application hosting, CDN, DNS, bot protection | SOC 2 Type II, ISO 27001, PCI DSS | US (Global edge) |
| Clerk | Authentication | SOC 2 Type II | US |
| Stripe | Payment processing | PCI DSS Level 1 | US (AWS) |
| Mapbox | Map rendering | SOC 2 Type II | US (AWS), CDN global |
| Sentry | Error monitoring | SOC 2 Type II | US (GCP) |
| PostHog | Product analytics | SOC 2 Type II | US |
| LiveKit | Voice rooms | SOC 2 Type II | US (Global edge) |
| OpenWeatherMap | Weather data | | UK (London HQ) |

Contact

For security-related inquiries or to report a vulnerability, please contact us:

OpsCommon LLC

Email: [email protected]

For more information about how we handle your data, see our Privacy Policy, Subprocessors, and Data Processing Agreement.