Security

Overview

OpsCommon LLC ("OpsCommon") is committed to protecting the security of your data. This page outlines the technical and organizational measures we implement to safeguard your information across our platform and infrastructure.

Infrastructure Security

OpsCommon is built on industry-leading cloud infrastructure providers, each maintaining rigorous security certifications and compliance standards. Our application is hosted on Vercel (SOC 2 Type II, ISO 27001), with data stored in Convex (SOC 2 Type II). All core infrastructure operates within the United States on AWS-backed data centers.

We do not operate our own data centers or physical servers. By leveraging certified cloud providers, we benefit from enterprise-grade physical security, redundancy, and disaster recovery capabilities.

Data Encryption

At Rest

All data stored across our infrastructure providers is encrypted at rest using AES-256 encryption, the industry standard for data protection. This applies to database records in Convex, user identity data in Clerk, payment information in Stripe, and all other persisted data.

In Transit

All data transmitted between your browser and our services, and between our services and third-party providers, is encrypted using TLS 1.2 or higher. All endpoints enforce HTTPS exclusively. We implement HSTS (HTTP Strict Transport Security) headers with preload to prevent protocol downgrade attacks.

Application Security

We implement multiple layers of application-level security controls:

• Content Security Policy (CSP): Nonce-based strict-dynamic CSP headers prevent cross-site scripting (XSS) and unauthorized script execution.
• Frame Protection: X-Frame-Options: DENY headers prevent clickjacking attacks by blocking the application from being embedded in iframes.
• HSTS with Preload: Strict Transport Security headers with preload ensure browsers always connect via HTTPS.
• Rate Limiting: API endpoints are rate-limited to prevent abuse and denial-of-service attempts.
• Webhook Verification: All incoming webhooks are verified using cryptographic signatures — Clerk webhooks via Svix signature verification and Stripe webhooks via HMAC signature validation.
• Audit Logging: All data modifications within the platform are recorded in an immutable audit log, including the user, action, timestamp, and affected resources.

Data Isolation

OpsCommon enforces strict organization-scoped data isolation at the database level. Every query and mutation in our Convex backend verifies that the requesting user belongs to the organization that owns the data. This is enforced server-side through mandatory access verification functions that run before any data is read or written.

Users can only access data belonging to organizations they are members of. There is no mechanism for cross-organization data access in the standard platform.

Authentication and Access Control

Authentication is managed by Clerk, a dedicated identity provider. Clerk handles all credential storage, session management, and multi-factor authentication. OpsCommon never directly stores or processes user passwords.

• Organization-Based RBAC: Access is controlled through Clerk's organization-based role and permission system, with roles such as Administrator and Member.
• Session Management: Authentication sessions are managed via secure, HTTP-only cookies with appropriate expiration and renewal policies.
• All Clerk sub-processors are US-based, ensuring user identity data remains within the United States.

Monitoring and Error Tracking

We use Sentry for error monitoring and performance tracking, with multiple privacy safeguards in place:

• Consent-Gated: Sentry telemetry is only active when the user has accepted analytics cookies via our consent banner.
• Token Scrubbing: API keys and sensitive tokens are automatically removed from all error reports before they are sent to Sentry.
• PII Disabled: Automatic collection of personally identifiable information (sendDefaultPii) is disabled. Only user ID and organization ID are included for debugging context.
• US-Based: Sentry data is processed and stored on Google Cloud Platform infrastructure in the United States.

Third-Party API Security

We take additional steps to minimize data exposure to third-party services:

• Weather Proxy: Weather data requests to OpenWeatherMap are routed through our server-side proxy. This hides API keys from the client and reduces coordinate precision to approximately 1.1km before coordinates reach the external provider.
• Mapbox Telemetry Disabled: We have disabled Mapbox performance telemetry collection to prevent unnecessary data transmission.

Incident Response

OpsCommon maintains an incident response process for security events. In the event of a confirmed data breach affecting customer data, we will:

• Investigate and contain the incident promptly
• Notify affected customers within 72 hours of confirmation
• Provide details about the nature of the breach, data affected, and remediation steps
• Cooperate with applicable regulatory authorities as required by law
• Conduct a post-incident review and implement improvements to prevent recurrence

Responsible Disclosure

We encourage security researchers to responsibly disclose vulnerabilities. If you discover a security issue, please report it to us at support@opscommon.com. We ask that you:

• Provide sufficient detail for us to reproduce and address the issue
• Allow reasonable time for us to respond and remediate before public disclosure
• Do not access, modify, or delete data belonging to other users
• Do not perform denial-of-service testing against our production systems

Enterprise Security Options

For organizations with advanced security requirements, we offer enterprise deployment options:

• Option A — Dedicated Database: Isolated Convex deployment with a dedicated database instance, providing complete data separation from other customers while sharing hosting infrastructure.
• Option B — Full Stack Isolation: Dedicated Vercel, Convex, Clerk, and Sentry instances, providing complete infrastructure isolation across all layers of the platform.

Contact support@opscommon.com to discuss enterprise security requirements.

Provider Certifications

The following table summarizes the security certifications and compliance standards maintained by our infrastructure and service providers:

Contact

For security-related inquiries or to report a vulnerability, please contact us: