Security & Data Protection

Last updated: June 2026

This page summarizes how OperaGrid protects customer data. It supplements our Privacy Policy and Terms of Service.

1. Architecture

• Application: Docker containers on AWS EC2 behind nginx.
• Database: Amazon RDS (PostgreSQL), not stored on the web server disk.
• Files: Attachments stored in encrypted AWS storage volumes; optional migration to S3.
• Payments: Stripe — we never store full card numbers.

2. Network security

• Public access only on HTTP/HTTPS (ports 80/443) to the web application.
• Database port (5432) is not open to the internet — only the application server may connect.
• SSH administrative access is restricted by IP security groups.
• API documentation endpoints are disabled in production nginx.

3. Application security

• Multi-tenant isolation: each workspace (tenant) has separate data boundaries in the database.
• Passwords: bcrypt hashes only; administrators cannot read user passwords.
• Roles: management, organizer, reporter, report viewer — least-privilege by role.
• Audit log: security-relevant actions recorded for workspace admins.
• Session tokens: signed JWT with configurable expiry.

4. Data in transit & at rest

• HTTPS (TLS) required for production domains — encrypts traffic between browsers and OperaGrid.
• RDS connections use SSL (sslmode=require).
• AWS encrypts RDS storage at rest by default.

5. Backups & availability

Automated RDS snapshots and retention policies protect against infrastructure failure. Customers should export critical records if required by internal compliance.

6. Subprocessors

We use trusted providers to operate the service, including Amazon Web Services (hosting) and Stripe (billing). A Data Processing Agreement (DPA) can be provided for enterprise customers on request.

7. Incident response

If we become aware of a security incident affecting customer data, we will investigate promptly and notify affected workspace administrators as required by applicable law.

8. Your responsibilities

• Use strong passwords and limit admin accounts.
• Remove users when they leave your organization.
• Do not share workspace credentials.
• Report suspected abuse to privacy@operagrid.com.

9. Contact

Security or privacy questions: privacy@operagrid.com

Starter template for pilots. Have a qualified lawyer review before enterprise contracts or regulated industries.