Your Data Security Is Our Priority
OpsLink security includes 95 Cerbos authorization policies, Row-Level Security on every PostgreSQL table, zero-trust Kubernetes networking, and Keycloak SSO with MFA — all running in production today.
95 Cerbos authorization policies. Row-Level Security on every table. Zero-trust Kubernetes with default-deny networking. 12 least-privilege database roles. AES-256 encrypted backups. This page describes what's actually running in production — not a roadmap.
SOC 2: Audit-Ready
GDPR: EU Data (Helsinki)
HIPAA: In Progress
95 Policies: Cerbos ABAC
RLS: Every Table
Zero Trust: Default Deny
Security Features
Comprehensive security measures to protect your business data at every level.
95 Cerbos Authorization Policies
Every API request is authorized by 95 Cerbos resource policies — the single source of truth for access control. Attribute-based (ABAC/RBAC) with fail-closed enforcement: missing context returns 401, Cerbos errors return 500, never silent pass-through. All decisions (allow and deny) logged as structured JSON.
Row-Level Security on Every Table
PostgreSQL RLS policies on every tenant table enforce data isolation at the database layer. Each policy includes a NULL guard on the tenant context — even a compromised application layer cannot read another tenant's data. JWT is authoritative for tenant_id; header must match claim or the request is rejected.
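The fail-closed enforcement and the header-must-match-claim tenant rule described above, shown as an added example that is not OpsLink's code. The `pdpCheck` callback (a stand-in for the policy decision call), the `x-tenant-id` header name, and the 403 and empty-roles 401 status choices are assumptions; the page itself specifies only 401 for missing context and 500 for policy engine errors.

```javascript
// Added example, not OpsLink's code. `pdpCheck` is a hypothetical stand-in for
// the policy decision call, synchronous here so the block runs offline.
// Assumed: the x-tenant-id header name, 401 for empty roles, 403 for a
// tenant mismatch or a policy deny (the page gives only 401 and 500).
function authorize(req, pdpCheck, log = () => {}) {
  const claims = req.claims; // taken from a JWT already verified upstream
  const headerTenant = (req.headers || {})["x-tenant-id"];
  const base = { resource: req.resource, action: req.action };
  // Every decision, allow or deny, becomes one structured JSON line.
  const finish = (status, effect, reason) => {
    const tenant = (claims && claims.tenant_id) || null;
    log(JSON.stringify({ ...base, tenant, status, effect, reason }));
    return { status, effect, reason };
  };
  // Missing context fails closed: no claims, no tenant, or no roles.
  const roles = claims && claims.roles;
  if (!claims || !claims.tenant_id || !Array.isArray(roles) || roles.length === 0) {
    return finish(401, "DENY", "missing_context");
  }
  // The JWT is authoritative for tenant_id; the header must agree with it.
  if (headerTenant !== claims.tenant_id) {
    return finish(403, "DENY", "tenant_mismatch");
  }
  let allowed;
  try {
    allowed = pdpCheck({ principal: claims.sub, roles, tenant: claims.tenant_id, ...base });
  } catch (err) {
    // A policy engine failure is a 500, never a silent pass-through.
    return finish(500, "DENY", "pdp_error");
  }
  // Only an explicit `true` allows; undefined or other values deny.
  return allowed === true
    ? finish(200, "ALLOW", "policy_allow")
    : finish(403, "DENY", "policy_deny");
}

// Constructed sample requests and policy stubs.
const ok = { claims: { sub: "u1", tenant_id: "t-1", roles: ["viewer"] },
             headers: { "x-tenant-id": "t-1" }, resource: "invoice", action: "read" };
const spoofed = { ...ok, headers: { "x-tenant-id": "t-2" } };
const noRoles = { ...ok, claims: { ...ok.claims, roles: [] } };
const allowAll = () => true;
const broken = () => { throw new Error("policy engine unreachable"); };

for (const [name, req, pdp] of [["ok", ok, allowAll], ["spoofed", spoofed, allowAll],
    ["noRoles", noRoles, allowAll], ["pdpDown", ok, broken]]) {
  authorize(req, pdp, (line) => console.log(name, line));
}
```

The check that matters most in review is the last one: a decision call that returns nothing must land on the deny branch, which is why the code compares against `true` rather than testing truthiness.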
Zero-Trust Kubernetes Networking
Default-deny NetworkPolicies on every pod. Each service has explicit ingress and egress rules — no pod can communicate with another unless specifically allowed. Admin dashboards are IP-restricted and blocked from public access. Container security hardening: runAsNonRoot, readOnlyRootFilesystem, drop ALL capabilities.
Keycloak SSO with MFA
Keycloak 26 with OIDC/SAML, running in HA (2 replicas with session replication). TOTP multi-factor authentication available on all plans. Refresh token rotation enabled (single-use tokens, zero reuse). Brute-force protection with account lockout after 5 failed attempts.
Encryption & TLS Everywhere
TLS 1.3 in transit via cert-manager with auto-renewing Let's Encrypt certificates. AES-256 GPG-encrypted database backups uploaded to MinIO object storage. No TLS bypass anywhere — NODE_TLS_REJECT_UNAUTHORIZED removed, all services use CA bundles. CSRF enforcement at startup (server fails without a 32+ character secret).
Least-Privilege Database Roles
12 dedicated PostgreSQL roles — each application service uses its own least-privilege role instead of a shared superuser. Connection limits enforced per role. The original superuser account is restricted to the monitoring exporter only (2 residual connections).
What's Actually Running in Production
These are not aspirational goals — every item below is deployed and enforced on the live cluster right now.
95 Cerbos Policies
12 Dedicated DB Roles
AES-256 GPG Encrypted Backups
Helsinki (EU Data Residency)
Security FAQs
Common questions about our security practices.
How is my data protected?
Three independent layers, each enforced regardless of the others. Layer 1: Authentication — Keycloak validates every JWT, rejects empty roles. Layer 2: Authorization — 95 Cerbos policies decide what you can do (fail-closed, never silent pass-through). Layer 3: Data isolation — PostgreSQL RLS ensures you only see your tenant's rows, even if layers 1 and 2 were bypassed. All decisions logged as structured JSON.
Where is my data stored?
Hetzner Cloud in Helsinki, Finland (EU). PostgreSQL 17 with 12 least-privilege database roles. Backups run as automated CronJobs, encrypted with AES-256 GPG, and uploaded to MinIO object storage. A separate verification CronJob confirms backup integrity. All infrastructure runs on zero-trust Kubernetes with default-deny networking.
Do you support Single Sign-On (SSO)?
Yes. Keycloak 26 running in HA (2 replicas with Infinispan session replication) supports OIDC and SAML 2.0 — compatible with Okta, Azure AD, Google Workspace, and others. TOTP multi-factor authentication is available on all plans. Refresh tokens are single-use (rotation enabled, zero reuse). Brute-force protection locks accounts after 5 failed attempts.
Does OpsLink have AI-specific security?
Yes. Aria and Nova operate within the same Cerbos authorization framework as the rest of the platform. Every AI query is scoped to the authenticated tenant's data via RLS. Per-tenant daily token budgets prevent runaway usage. Meeting minutes have a separate dedicated budget. The agent supervisor enforces budget checks before every LLM call.
What does "SOC 2 Audit-Ready" mean?
It means the technical controls required for SOC 2 Type II are in place and enforced — authorization policies, audit logging, encrypted backups, access controls, least-privilege roles, monitoring alerts. What we haven't done yet is engage a third-party auditor to formally certify it. The architecture is production-grade; the paperwork is pending.
Need More Information?
Our security team is available to answer your questions and provide detailed security documentation.
Last Updated: March 2026 · Written by Tahir Sheikh, Founder & CEO, OpsLink