Security Practices

Last updated: March 2026

At Opagio, we take the security of your data seriously. This page describes the technical and organisational measures we have in place to protect the information you entrust to us.

1. Infrastructure Security

The Opagio Platform is hosted on Google Cloud Platform (Firebase), which maintains SOC 1, SOC 2, SOC 3, and ISO 27001 certifications. Our infrastructure benefits from:

  • Data centre physical security (biometric access, 24/7 monitoring, environmental controls).
  • Network security (firewalls, intrusion detection, DDoS protection).
  • Automated infrastructure patching and vulnerability management.
  • Redundant storage with automated backups.

2. Encryption

All data is encrypted both in transit and at rest:

  • In Transit: All connections to opag.io use TLS 1.2 or higher. We enforce HTTPS across the entire platform with HSTS (HTTP Strict Transport Security) headers.
  • At Rest: All data stored in our databases and file systems is encrypted using AES-256 encryption managed by Google Cloud.

3. Application Security

Our application layer implements multiple security controls:

  • Authentication: Managed by Supabase Auth with support for email/password and SSO. Session tokens are short-lived with automatic refresh rotation.
  • CSRF Protection: All state-changing requests are protected against cross-site request forgery.
  • Content Security Policy: Strict CSP headers prevent cross-site scripting (XSS) attacks.
  • Rate Limiting: All API endpoints are rate-limited to prevent abuse and brute-force attacks.
  • Input Validation: All user input is sanitised and validated server-side. Database queries use parameterised statements to prevent SQL injection.
  • Security Headers: We deploy comprehensive HTTP security headers including X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.

4. Access Control

  • Principle of least privilege applied to all internal systems.
  • Role-based access control (RBAC) within the Platform.
  • Production environment access restricted to authorised personnel only.
  • API keys and secrets managed through environment variables, never stored in source code.
  • Secret rotation on a regular schedule (minimum every 90 days).

5. Development Security

  • All code changes go through peer review before deployment.
  • Automated CI/CD pipeline with security checks, linting, and testing.
  • Dependency vulnerability scanning (npm audit) on every build.
  • Test and production environments are completely separated.
  • No customer data is used in test environments.

6. Incident Response

We maintain a documented incident response plan that includes:

  • Defined severity classification (P1 critical through P4 low).
  • Assigned incident response roles and escalation procedures.
  • 24-hour client notification for data breaches (per our DPA).
  • 72-hour notification to the ICO for qualifying personal data breaches.
  • Post-incident review and remediation tracking.

Annual tabletop exercises are conducted to test our incident response readiness.

7. Data Protection

  • Automated daily backups with tested restoration procedures.
  • Data retention policies enforced programmatically (see our Privacy Policy for specific periods).
  • Secure data deletion procedures including removal from backups within 90 days of account termination.
  • Data export available in machine-readable formats (JSON, CSV) on request.

8. Compliance and Certifications

Standard                          Status        Target
UK GDPR / DPA 2018                Compliant     Ongoing
PECR 2003                         Compliant     Ongoing
Data (Use and Access) Act 2025    Compliant     Ongoing
Cyber Essentials                  In progress   June 2026
Cyber Essentials Plus             Planned       September 2026
ISO 27001:2022                    Planned       2027

9. Responsible Disclosure

We welcome responsible security research. If you discover a vulnerability in our Service, please report it to security@opag.io.

We commit to:

  • Acknowledging your report within 3 business days.
  • Providing an initial assessment within 10 business days.
  • Not pursuing legal action against good-faith security researchers.

For our full responsible disclosure policy, see /.well-known/security.txt.

10. Contact

Security team: security@opag.io

Privacy matters: privacy@opag.io

Opagio Ltd, registered in England & Wales, company number 13050381.