Reference

Security Model

How OpsCompanion secures access to your infrastructure data.

OpsCompanion is built for enterprise security. Every integration uses scoped, read-only permissions with controls built into every workflow.

How OpsCompanion Accesses Your Systems

OpsCompanion connects to your infrastructure using provider-native authentication mechanisms:

  • AWS - Read-only IAM roles with external ID (no static access keys)
  • GCP - Workload Identity Federation (no service account keys)
  • Azure - Service principals with Reader roles, or Azure Lighthouse for cross-tenant access
  • GitHub - OAuth with read scopes
  • Vercel - OAuth with read scopes
  • DigitalOcean - OAuth with read scopes
  • Lovable, Base44 - URL-based connections (no credentials stored)

What Permissions OpsCompanion Requires

  • Read access to resource configuration
  • Read access to audit logs and change events
  • Read access to metadata and tags
  • No write, create, update, or delete permissions

What OpsCompanion Does Not Have Access To

  • Write permissions to any resource
  • Ability to create or delete infrastructure
  • Access to secrets, passwords, or API keys
  • Access to application data or database contents
  • SSH or shell access to compute instances

Current Access Model

  • All integrations use read-only access
  • Permissions are scoped to the minimum required APIs
  • You control what access is granted
  • You can revoke access at any time by removing the integration

Data Handling

  • Configuration data is encrypted in transit and at rest
  • No customer data is used for model training
  • Data retention follows your workspace settings
  • You can revoke access at any time by removing the integration

Enterprise Security Controls

OpsCompanion includes security controls designed for production-grade environments:

End-to-End Encryption

All telemetry and operational data is protected in transit and at rest across your stack.

Role-Based Access Control

Enforce least-privilege access so only the right people can trigger sensitive production actions.

Audit-Ready Trails

Maintain complete change history for compliance reviews and post-incident analysis.

Policy Enforcement

Apply guardrails automatically to prevent risky changes in production (Enterprise plan).

Compliance

We are actively working toward industry-standard compliance certifications:

SOC 2 Type II (In Progress)

We are currently undergoing the SOC 2 Type II audit process. This certification validates that our operational controls meet the standards required for production-grade security assurance, covering security, availability, and confidentiality.

HIPAA (In Progress)

We are building the safeguards and access controls required for handling sensitive health data workflows. This includes encryption standards, access logging, and data handling procedures that meet HIPAA requirements.

What's Available Today

  • All API calls are logged and auditable
  • Integration permissions are documented per provider
  • Access can be audited through provider-native audit logs (CloudTrail, Cloud Audit Logs, Activity Logs)
  • Data encryption in transit and at rest
  • Role-based access control for team management
  • Revocable integrations with immediate effect

For questions about our compliance roadmap or to request documentation, contact founders@opscompanion.ai.

AI Context

How OpsCompanion's AI agent reasons about your infrastructure and what actions it can take.

Access Model

How OpsCompanion accesses your infrastructure and what permissions are required.

On this page

How OpsCompanion Accesses Your SystemsWhat Permissions OpsCompanion RequiresWhat OpsCompanion Does Not Have Access ToCurrent Access ModelData HandlingEnterprise Security ControlsEnd-to-End EncryptionRole-Based Access ControlAudit-Ready TrailsPolicy EnforcementComplianceSOC 2 Type II (In Progress)HIPAA (In Progress)What's Available Today