How we handle your data.
Each customer has their own isolated workspace. Data is encrypted in transit and at rest. You can export everything at any time. We never train models on your data.
One workspace per customer
Each business gets its own isolated vault folder. Your data never sits in a shared table next to another customer's records. The AI only ever sees one vault at a time.
Encryption
TLS 1.3 in transit. AES-256 at rest. HTTPS enforced on every connection. HSTS headers prevent browsers from downgrading to plain HTTP.
Authentication
Bcrypt password hashing with an 8-character minimum password length. JWT tokens in httpOnly secure cookies (never browser localStorage). Session refresh and revocation handled server-side.
20-point deployment audit
Every release runs through a 20-point security checklist covering OWASP Top 10, path traversal, injection, XSS, CSRF, and access control before it ships.
Access control
Role-based permissions on every API endpoint. Vault path scoping derived from the JWT, sanitized server-side. The AI refuses unauthorized actions and explains why.
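An added illustration of what server-side vault path scoping can look like; it is not this product's code. The `workspace_id` claim name, the id format, the directory layout and the sample tenants are assumptions made for the example, and the JWT is assumed to have been signature-verified before these functions are called.

```python
import os, re, tempfile
from pathlib import Path

# Constructed demo root; a real deployment would use a fixed data directory.
VAULT_BASE = Path(tempfile.mkdtemp(prefix="vaults-")).resolve()
WORKSPACE_ID = re.compile(r"[a-z0-9][a-z0-9-]{0,62}")  # assumed id format

class VaultAccessError(Exception):
    """The request would leave the caller's own vault."""

def vault_root(claims: dict) -> Path:
    # Workspace comes only from the already-verified token, never from the request.
    ws = claims.get("workspace_id")  # hypothetical claim name
    if not isinstance(ws, str) or not WORKSPACE_ID.fullmatch(ws):
        raise VaultAccessError("token carries no valid workspace id")
    return VAULT_BASE / ws

def scoped_path(claims: dict, requested: str) -> Path:
    root = vault_root(claims)
    if not requested or "\x00" in requested or "\\" in requested or requested.startswith("/"):
        raise VaultAccessError("malformed path")
    # resolve() collapses ".." and follows symlinks, so the check sees the real target.
    candidate = (root / requested).resolve()
    if root not in candidate.parents:
        raise VaultAccessError("path is not inside the workspace vault")
    return candidate

def demo() -> dict:
    # Constructed sample data: two tenants plus a symlink planted inside the first.
    (VAULT_BASE / "acme" / "invoices").mkdir(parents=True, exist_ok=True)
    (VAULT_BASE / "globex").mkdir(exist_ok=True)
    link = VAULT_BASE / "acme" / "shortcut"
    if not link.is_symlink():
        os.symlink(VAULT_BASE / "globex", link)
    results = {}
    for req in ["invoices/2024.md", "../globex/plan.md", "/etc/passwd",
                "invoices/../../globex/plan.md", "shortcut/plan.md"]:
        try:
            scoped_path({"workspace_id": "acme"}, req)
            results[req] = "allowed"
        except VaultAccessError as exc:
            results[req] = f"denied: {exc}"
    return results

if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:40} {outcome}")
```

The containment check runs on the resolved path, so a symlink inside one tenant's folder that points at another tenant's vault is refused along with plain `..` sequences.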
Infrastructure
Production servers on Hetzner Cloud in Germany (GDPR-aligned). Non-root process execution. Security headers: nosniff, DENY framing, XSS protection, referrer policy.
Data portability
Full vault export as a ZIP file is available at any time, in-app. Cancel at any time and take everything with you.
Have security questions? security@opsystem.ai