IQOpsIQ
Home
Features
OpsIQ platformChoose the surface you want to improve.Every feature shares one customer timeline, one AI memory, and one operations layer.
View all
AI-First CRMPipeline, four AI agents, deal coaching, forecasting and a Trust Dial.Client Chat AICustomer-facing AI chat, handoff, identity, knowledge, and support flows.Promotion StudioPop-ups, bars and campaigns — visual builder, targeting, A/B, lead capture.Site IntelligenceCrawls, rank tracking, backlinks, competitors and an AI SEO analyst.Admin AI ChatAI command center for teams, decisions, and safe admin actions.Surveys & CSATCSAT, NPS and feedback intelligence — post-resolution prompts, AI analysis and detractor recovery.Ticket SystemDepartments, SLA, routing, rich replies, attachments and Inbox Copilot.AI AnalyticsVisitor intelligence, live sessions, geography, leads, and conversion insight.Consent & GDPRCookie-consent studio that enforces, plus a consent ledger and DSAR.OpsIQ WritingAI replies, ticket drafts, article writing, announcements, and support content.Webhooks & ActionsTriggers, action endpoints, HMAC signing, and developer automation.Email ChannelInbox-to-ticket, AI email replies, transactional + broadcast, SPF/DKIM.Security2FA, OIDC SSO, SCIM, blocking, audit and safe access.Remote SitesConnect websites and platforms into one OpsIQ intelligence workspace.IntegrationsWHMCS, Stripe, Shopify, WordPress, Slack, Zendesk, webhooks and custom connectors.
SolutionsPricingDevelopersContact
Log inStart free
HomePublic overviewPricingPlans and value
Product surfaces
All features AI-First CRM Client Chat AI Promotion Studio Site Intelligence Admin AI Chat Surveys & CSAT Ticket System AI Analytics Consent & GDPR OpsIQ Writing Webhooks & Actions Email Channel Security Remote Sites
Use casesSolutionsRole and workflow pathsCustomer storiesProof from teamsIntegrationsConnect your stack
ResourcesDevelopersAPI and webhook toolsDocsGuides and referencesFAQsCommon answersContactTalk to the team
Company and trustAboutCompany profileTrust centerSecurity postureSecurityControls and accessCompliancePolicies and auditsStatusSystem health
Log in Start free
Trust

Compliance

How OpsIQ approaches data protection, security, AI governance and regulatory readiness — and how to request the documentation your team needs. We tell you exactly what we are aligned to today and what is still on the roadmap.

Effective July 16, 2026Version 2026.06Reviewed by OpsIQ Security
RelatedTrust CenterDPAPrivacySecurity
GDPR Aligned CCPA Aligned SOC 2 In progress ISO 27001 In progress

Security by design

AES-256, TLS 1.3, HMAC-SHA256 webhooks, per-tenant isolation, RBAC, 2FA, OIDC SSO and audit logs.

Privacy aligned

GDPR, UK GDPR and CCPA/CPRA aligned today, with a DPA, SCCs and EU residency available.

Governed AI

No training on your data, you choose the provider, and consequential actions gate for human approval.

Honest roadmap

SOC 2 Type II and ISO 27001 are in progress — clearly marked, never claimed before they are earned.

Plain-English compliance. OpsIQ is engineered so that privacy, security and AI governance are defaults, not add-ons. Below is our honest, current posture: what we are aligned to today (GDPR, UK GDPR, CCPA/CPRA, ePrivacy) and what is still in progress (SOC 2 Type II, ISO/IEC 27001). We never claim a certification we do not hold.

On this page
1Our approach to compliance2GDPR & UK GDPR3CCPA / CPRA4ePrivacy & cookies5Data processing & SCCs6Security program7Responsible & governed AI8Data residency & retention9Sub-processors10Breach response & notification11Self-hosted compliance posture12Accessibility13Certifications & roadmap14Vulnerability disclosure15Audit & documentation requests16Contact↑ Back to top

1Our approach to compliance

In short: Privacy and security are built into the product. We are aligned with GDPR, UK GDPR and CCPA/CPRA today, and we are honest about what is still in progress.

OpsIQ, operated by Nabtech Digitalnet Limited, is built so that privacy and security are part of the product, not an afterthought. As an AI operating layer handling chat, ticketing, CRM, analytics, promotions, surveys, consent and AI actions on our customers' behalf, we hold ourselves to the standards our customers are accountable for.

Our philosophy is simple: say only what is true. We are aligned with the GDPR, UK GDPR and CCPA/CPRA today. Formal attestations such as SOC 2 Type II and ISO/IEC 27001 are in progress, and we will never present them as achieved before they are. For the underlying detail, see our Trust Center, Security page, Privacy Policy and Data Processing Addendum.

2GDPR & UK GDPR

In short: OpsIQ acts as your data processor; you are the controller. A DPA with SCCs is available, and the platform has self-serve export and deletion for data-subject rights.

OpsIQ is designed to support compliance with the EU GDPR and the UK GDPR. For our customers' end-user data, OpsIQ acts as a data processor and the customer is the controller.

  • Roles: the customer (controller) decides the purposes and means of processing; OpsIQ (processor) acts on documented instructions through the Data Processing Addendum. For our own website and account data we act as controller, as described in the Privacy Policy.
  • Lawful bases: the controller determines the lawful basis for end-user data; for our own controller activities we rely on contract, legal obligation, legitimate interest and consent.
  • Data-subject rights (DSARs): the platform provides self-serve export and deletion so customers can fulfil access, rectification, erasure and portability requests for their end users.
  • International transfers: we rely on EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum — see DPA — with EU/UK data hosted in EU regions by default.

3CCPA / CPRA

In short: For California residents OpsIQ is a Service Provider. We do not sell and do not share personal information, and we support all consumer rights requests.

For California residents' personal information processed on a customer's behalf, OpsIQ acts as a Service Provider under the CCPA as amended by the CPRA. We:

  • Do not sell and do not share personal information as those terms are defined under the CCPA/CPRA;
  • Process personal information only for the limited business purpose of providing the Services;
  • Support consumer rights requests — to know, delete, correct and opt-out — through the platform's export and deletion tools.

The relevant Service Provider terms are set out in the Data Processing Addendum.

4ePrivacy & cookies

In short: OpsIQ ships its own consent platform. When a visitor declines analytics, capture truly stops at the data layer — not just in the UI.

OpsIQ supports compliance with the ePrivacy Directive and cookie-consent requirements. Our own cookie-consent product enforces visitor choices at the data layer: when analytics is declined, capture genuinely stops rather than merely hiding a banner.

  • Granular categories: admins define cookie categories and what is treated as strictly necessary.
  • Real enforcement: declined categories switch off the corresponding capture, end to end.
  • Group-domain sharing: consent can be shared across a defined family of domains for agencies and multi-brand operators.

See the Cookie Policy and the Consent overview for how this works in practice.

5Data processing & SCCs

In short: A signed DPA is available on request. It incorporates EU SCCs and the UK IDTA, and lists sub-processors and their regions in its annexes.

Our Data Processing Addendum governs how OpsIQ processes personal data on your behalf. It is incorporated into the agreement, and a signed counterpart is available on request.

  • Standard Contractual Clauses: the EU SCCs and the UK International Data Transfer Addendum (IDTA) cover transfers of EU/UK personal data to third countries.
  • Documented instructions: OpsIQ processes personal data only on the controller's documented instructions.
  • Annexes: the DPA annexes describe the categories of data, processing purposes, security measures and the authoritative sub-processor list with regions.

6Security program

In short: AES-256 at rest, TLS 1.3 in transit, HMAC-SHA256 webhooks, per-tenant isolation, RBAC, audit logs, secrets outside the web root, login lockout, 2FA and OIDC SSO.

Our security program covers the technical and organisational measures that protect customer data:

  • Encryption: AES-256 at rest, TLS 1.3 in transit.
  • Webhook integrity: HMAC-SHA256 signatures on every webhook delivery.
  • Tenant isolation: per-tenant data isolation, with per-tenant encryption keys on the Cloud platform.
  • Access control: role-based access control (RBAC) with least-privilege administration.
  • Authentication: two-factor authentication (2FA) and OIDC single sign-on (SSO); failed-login lockout and IP blocking against brute-force attempts.
  • Secret hygiene: secrets and configuration held outside the web root.
  • Audit logging: per-action audit logs of security-relevant operations.
  • Secure SDLC: security considered through design, code review and release, with dependency hygiene and remediation of identified issues.

Full details are in the Trust Center and on the Security page.

7Responsible & governed AI

In short: We never train on your data, you choose the model and provider, and consequential AI actions can be gated for human approval via the Trust Dial.

OpsIQ takes a deliberate, governed approach to AI:

  • No training on your data: we do not train AI models on customer or end-user data.
  • You choose the model and provider: AI inference is forwarded to the provider you select (Anthropic, OpenAI, Gemini, Grok, or a self-hosted model), carrying only the live context required to respond.
  • Action approval gating: the Trust Dial lets you require human approval before the AI takes consequential actions, so nothing significant happens unsupervised.
  • Human oversight: AI output may be inaccurate or incomplete and is not warranted; a human can review and override it before it is relied upon for important decisions.

8Data residency & retention

In short: EU hosting is available by default for Cloud; Self-Hosted gives you total control. Retention is customer-controlled, with a master setting where 0 means keep forever.

Residency. For Cloud customers, EU/UK data can be hosted in EU regions by default. Self-Hosted customers run OpsIQ on their own infrastructure and therefore control data residency entirely.

Retention is customer-controlled. A workspace-level master retention setting governs how long logs and end-user data are kept, with per-area inheritance; a value of zero means "keep forever" where the customer requires it.

  • Active data: retained per your retention settings; deletions are honoured by automated purges.
  • Backups: rotated on a cycle (typically 30 days); deletions propagate within that window and are not restored afterwards.
  • Post-termination: a 30-day export window, then deletion of active data and purge from backups on the rolling cycle (see the DPA).

9Sub-processors

In short: A small, vetted set of sub-processors with terms no less protective than our DPA. Customers get prior notice of material changes and may object.

We engage a small, vetted set of sub-processors — cloud infrastructure, payments, AI inference, email delivery and CDN. For each, we maintain data-protection terms no less protective than our own DPA, and we remain responsible to customers for their performance.

Customers receive prior notice of material changes to the sub-processor list and may object on reasonable data-protection grounds. The authoritative list, including regions, is published with the Privacy Policy and in the DPA annexes.

10Breach response & notification

In short: We detect, contain and respond to incidents, and notify affected customers without undue delay with the detail they need to meet their own obligations.

We maintain procedures to detect, contain and respond to security incidents. In the event of a personal data breach affecting customer data, OpsIQ will notify the affected customer without undue delay and provide the information needed to support the customer's own notification obligations to authorities and data subjects. The full process is described in the DPA.

Keep your account's security contact current so notifications reach the right people. You can reach our team at security@opsiqai.com.

11Self-hosted compliance posture

In short: On Self-Hosted, you control the infrastructure and the data. Residency, retention and which AI features are enabled are entirely in your hands.

Self-Hosted OpsIQ shifts the compliance posture toward the customer: you control the infrastructure and the data. This is often the right fit for teams with strict residency, retention or air-gap requirements.

  • Residency: data lives wherever you deploy OpsIQ — you decide.
  • Retention: the master retention setting and per-area inheritance run on your infrastructure under your control.
  • AI control: you choose the model/provider and may disable features such as AI auto-actions where your obligations require it.
  • Boundary of responsibility: you are responsible for the security and compliance of the environment you operate; we provide the software and security guidance.

Review your specific obligations with counsel before deployment.

12Accessibility

In short: We target WCAG 2.1 AA as an ongoing best-effort goal. If you hit a barrier, tell us and we will work to fix it.

We aim to make OpsIQ interfaces usable by everyone and target conformance with the Web Content Accessibility Guidelines (WCAG 2.1 AA) as an ongoing, best-effort goal. Accessibility is an area of continuous improvement; if you encounter a barrier, contact compliance@opsiqai.com and we will work to address it.

13Certifications & roadmap

In short: Honest status: GDPR, UK GDPR and CCPA/CPRA aligned today. SOC 2 Type II and ISO 27001 are in progress — we do not claim them, and we promise no dates.

We are honest about where we stand. OpsIQ has built its security program around the control objectives that frameworks such as SOC 2 and ISO/IEC 27001 require — but we will never claim a certification we do not hold.

FrameworkStatus
EU GDPRAligned — supported today
UK GDPRAligned — supported today
CCPA / CPRAAligned — Service Provider terms in the DPA
ePrivacy / cookiesAligned — built-in consent enforcement
SCCs / UK IDTAAligned — incorporated in the DPA
SOC 2 Type IIIn progress — roadmap; not yet held, no date promised
ISO/IEC 27001In progress — roadmap; not yet certified, no date promised
WCAG 2.1 AAIn progress — ongoing best-effort target
  • SOC 2 Type II: a formal SOC 2 examination is on our roadmap and in progress. We do not currently claim a completed SOC 2 report.
  • ISO/IEC 27001: alignment with ISO 27001 controls is part of our security program; formal certification is a roadmap item and is not yet held.

We will update this page and notify customers as these milestones are achieved — without promising dates we cannot guarantee.

14Vulnerability disclosure

In short: Found a security issue? Report it to security@opsiqai.com. We acknowledge reports and ask for good-faith, coordinated disclosure.

We welcome reports of suspected security vulnerabilities. If you believe you have found an issue in OpsIQ, please email security@opsiqai.com with enough detail for us to reproduce it.

  • Acknowledgement: we will acknowledge legitimate reports and work to validate and remediate confirmed issues.
  • Good faith: please act in good faith, avoid privacy violations and service disruption, and do not access or modify data that is not yours.
  • Coordinated disclosure: give us a reasonable window to remediate before any public disclosure.

15Audit & documentation requests

In short: Request our DPA, security documentation, sub-processor details or other compliance materials from compliance@opsiqai.com.

To request our DPA, security documentation, sub-processor details, completed security questionnaires or other compliance materials, contact compliance@opsiqai.com (or security@opsiqai.com for security-specific questions).

Related resources: Trust Center · Security · Data Processing Addendum · Privacy Policy · Cookie Policy · Consent.

16Contact

In short: Compliance: compliance@opsiqai.com · Security: security@opsiqai.com · Data protection: dpo@opsiqai.com.

For compliance, privacy and data-protection matters, reach the right team directly:

  • Compliance: compliance@opsiqai.com
  • Security & vulnerability reports: security@opsiqai.com
  • Data Protection Officer: dpo@opsiqai.com

OpsIQ is operated by Nabtech Digitalnet Limited — www.nabtech.co.

This document is provided for transparency and does not constitute legal advice. Customers in regulated industries should review it with their own counsel before deployment.

Need a hand?

Questions about this policy?

Our team is happy to clarify anything on this page — reach out any time.

Contact us Trust Center
IQOpsIQ

AI-first operations, customer support, licensing, and analytics for modern software teams.

TrackingAI SupportAutomationAnalyticsWebhooksTickets
Stay in the loop

A short, founder-written email — every couple of weeks. No fluff, unsubscribe anytime.

Product
All Features→AI CRM→Client Chat AI→Admin Chat AI→OpsIQ Writing→AI Analytics→Visitor Intelligence→AI Actions→
Operations
Tickets→Email Channel→Promotion Studio→Site Intelligence→Consent & GDPR→Sales Bridge→Webhooks→Surveys→Remote Sites→
Use cases
Solutions→Customer stories→Integrations→Compare→Pricing→
Resources
Developers→Docs→FAQs→Contact→Roadmap→Status→
Company
About→Partners→Brand kit→Trust center→Security→Compliance→
Legal
Privacy→Terms→Acceptable use→DPA→Refunds→Cookies→
OpsIQ © 2026 Nabtech Digitalnet Ltd. All rights reserved. All systems operational
Display currency
$USDUS Dollar₦NGNNigerian Naira€EUREuro£GBPBritish Pounds
Verify License Privacy Terms