Security & compliance


AES-256 at rest. TLS 1.3 in transit. Role-based access control. Two-year audit log retention. Daily backups with point-in-time recovery. AU & NZ data residency. Formal SOC 2 / ISO 27001 certification is in progress. Not yet certified.

  • AES-256 · At rest
  • TLS 1.3 · In transit
  • 2 years · Audit log retention
  • Daily, point-in-time · Backups
Control status · audit-ready summary

Every claim, with current status.

What's live today and what's still in the certification queue. We don't list controls we haven't shipped.

  • AES-256 encryption at rest (Live): all customer data + backups
  • TLS 1.3 encryption in transit (Live): all API + browser traffic
  • Role-based access control (Live): 14 predefined roles, customizable
  • Audit logging (Live): every state change · 2-year retention
  • Daily automated backups (Live): point-in-time recovery
  • AU & NZ data residency (Live): in-region hosting per domain
  • SOC 2 control posture (In progress): aligned · formal certification underway
  • ISO 27001 control posture (In progress): aligned · formal certification underway
Defense in depth

Four control layers, fully documented.

01 · Authentication

How users prove who they are.

  • JWT-based authentication with access tokens (8-hour expiry)
  • Refresh tokens with 7-day validity
  • Password security: bcrypt hashing (cost factor 10)
  • Password strength validation (8+ chars, mixed case, numbers)
  • Session management with token rotation
  • Secure token storage
02 · Authorization (RBAC)

What each authenticated user can see and do.

  • 14 predefined user roles
  • 15+ permission categories
  • View/create/edit/delete permission levels
  • Role switching for admin support
  • Granular access control
03 · Data protection

How data is encrypted, stored, and isolated.

  • Input validation with Joi schemas
  • SQL injection prevention via parameterized queries
  • XSS protection with input sanitization
  • CSRF protection via origin validation
  • Rate limiting (100 req/15min for auth, 30 req/min for writes)
  • Security headers (CSP, X-Frame-Options, etc.)
04 · Audit & monitoring

How activity is recorded and reviewed.

  • Complete audit trail for all API requests
  • 2-year log retention
  • Change tracking with old/new values
  • SOC 2 / ISO 27001 audit capabilities
Architecture

Layered controls at every tier.

  • 01 · Encryption

    AES-256 at rest. TLS 1.3 in transit. Keys rotated on a documented schedule.

  • 02 · Infrastructure

    In-region cloud hosting (NZ for opsui.co.nz, AU for opsui.au). Network isolation per tenant.

  • 03 · Monitoring

    Continuous logging + alerting on auth, privilege escalation, and unusual data access.

  • 04 · Backups

    Daily automated backups with point-in-time recovery, retained per data-residency rules.

  • 05 · Incident response

    Documented incident response procedure with on-call rotation and customer notification SLA.

  • 06 · Availability

    99.9% uptime SLA target. Redundant components at compute, storage, and network layers.

Roadmap · public commitments

Controls we've committed to ship.

Quarters are best-effort targets, not contractual commitments. Procurement teams can request the working timeline directly.

  1. Multi-factor authentication (MFA): Q2 2026 (In progress)
  2. Password expiry & rotation policy: Q2 2026 (Planned)
  3. Account lockout after failed attempts: Q3 2026 (Planned)

Procurement or compliance review?

We can walk you through controls, hand over the security questionnaire, and answer specific compliance asks before you sign anything. OpsUI is built for ANZ data residency, audit logging, and RBAC out of the gate.