Compliance
How OpsIQ approaches data protection, security, AI governance and regulatory readiness — and how to request the documentation your team needs. We tell you exactly what we are aligned to today and what is still on the roadmap.
Security by design
AES-256, TLS 1.3, HMAC-SHA256 webhooks, per-tenant isolation, RBAC, 2FA, OIDC SSO and audit logs.
Privacy aligned
GDPR, UK GDPR and CCPA/CPRA aligned today, with a DPA, SCCs and EU residency available.
Governed AI
No training on your data, you choose the provider, and consequential actions gate for human approval.
Honest roadmap
SOC 2 Type II and ISO 27001 are in progress — clearly marked, never claimed before they are earned.
Plain-English compliance. OpsIQ is engineered so that privacy, security and AI governance are defaults, not add-ons. Below is our honest, current posture: what we are aligned to today (GDPR, UK GDPR, CCPA/CPRA, ePrivacy) and what is still in progress (SOC 2 Type II, ISO/IEC 27001). We never claim a certification we do not hold.
1Our approach to compliance
OpsIQ, operated by Nabtech Digitalnet Limited, is built so that privacy and security are part of the product, not an afterthought. As an AI operating layer handling chat, ticketing, CRM, analytics, promotions, surveys, consent and AI actions on our customers' behalf, we hold ourselves to the standards our customers are accountable for.
Our philosophy is simple: say only what is true. We are aligned with the GDPR, UK GDPR and CCPA/CPRA today. Formal attestations such as SOC 2 Type II and ISO/IEC 27001 are in progress, and we will never present them as achieved before they are. For the underlying detail, see our Trust Center, Security page, Privacy Policy and Data Processing Addendum.
2GDPR & UK GDPR
OpsIQ is designed to support compliance with the EU GDPR and the UK GDPR. For our customers' end-user data, OpsIQ acts as a data processor and the customer is the controller.
- Roles: the customer (controller) decides the purposes and means of processing; OpsIQ (processor) acts on documented instructions through the Data Processing Addendum. For our own website and account data we act as controller, as described in the Privacy Policy.
- Lawful bases: the controller determines the lawful basis for end-user data; for our own controller activities we rely on contract, legal obligation, legitimate interest and consent.
- Data-subject rights (DSARs): the platform provides self-serve export and deletion so customers can fulfil access, rectification, erasure and portability requests for their end users.
- International transfers: we rely on EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum — see DPA — with EU/UK data hosted in EU regions by default.
3CCPA / CPRA
For California residents' personal information processed on a customer's behalf, OpsIQ acts as a Service Provider under the CCPA as amended by the CPRA. We:
- Do not sell and do not share personal information as those terms are defined under the CCPA/CPRA;
- Process personal information only for the limited business purpose of providing the Services;
- Support consumer rights requests — to know, delete, correct and opt-out — through the platform's export and deletion tools.
The relevant Service Provider terms are set out in the Data Processing Addendum.
4ePrivacy & cookies
OpsIQ supports compliance with the ePrivacy Directive and cookie-consent requirements. Our own cookie-consent product enforces visitor choices at the data layer: when analytics is declined, capture genuinely stops rather than merely hiding a banner.
- Granular categories: admins define cookie categories and what is treated as strictly necessary.
- Real enforcement: declined categories switch off the corresponding capture, end to end.
- Group-domain sharing: consent can be shared across a defined family of domains for agencies and multi-brand operators.
See the Cookie Policy and the Consent overview for how this works in practice.
5Data processing & SCCs
Our Data Processing Addendum governs how OpsIQ processes personal data on your behalf. It is incorporated into the agreement, and a signed counterpart is available on request.
- Standard Contractual Clauses: the EU SCCs and the UK International Data Transfer Addendum (IDTA) cover transfers of EU/UK personal data to third countries.
- Documented instructions: OpsIQ processes personal data only on the controller's documented instructions.
- Annexes: the DPA annexes describe the categories of data, processing purposes, security measures and the authoritative sub-processor list with regions.
6Security program
Our security program covers the technical and organisational measures that protect customer data:
- Encryption: AES-256 at rest, TLS 1.3 in transit.
- Webhook integrity: HMAC-SHA256 signatures on every webhook delivery.
- Tenant isolation: per-tenant data isolation, with per-tenant encryption keys on the Cloud platform.
- Access control: role-based access control (RBAC) with least-privilege administration.
- Authentication: two-factor authentication (2FA) and OIDC single sign-on (SSO); failed-login lockout and IP blocking against brute-force attempts.
- Secret hygiene: secrets and configuration held outside the web root.
- Audit logging: per-action audit logs of security-relevant operations.
- Secure SDLC: security considered through design, code review and release, with dependency hygiene and remediation of identified issues.
Full details are in the Trust Center and on the Security page.
7Responsible & governed AI
OpsIQ takes a deliberate, governed approach to AI:
- No training on your data: we do not train AI models on customer or end-user data.
- You choose the model and provider: AI inference is forwarded to the provider you select (Anthropic, OpenAI, Gemini, Grok, or a self-hosted model), carrying only the live context required to respond.
- Action approval gating: the Trust Dial lets you require human approval before the AI takes consequential actions, so nothing significant happens unsupervised.
- Human oversight: AI output may be inaccurate or incomplete and is not warranted; a human can review and override it before it is relied upon for important decisions.
8Data residency & retention
Residency. For Cloud customers, EU/UK data can be hosted in EU regions by default. Self-Hosted customers run OpsIQ on their own infrastructure and therefore control data residency entirely.
Retention is customer-controlled. A workspace-level master retention setting governs how long logs and end-user data are kept, with per-area inheritance; a value of zero means "keep forever" where the customer requires it.
- Active data: retained per your retention settings; deletions are honoured by automated purges.
- Backups: rotated on a cycle (typically 30 days); deletions propagate within that window and are not restored afterwards.
- Post-termination: a 30-day export window, then deletion of active data and purge from backups on the rolling cycle (see the DPA).
9Sub-processors
We engage a small, vetted set of sub-processors — cloud infrastructure, payments, AI inference, email delivery and CDN. For each, we maintain data-protection terms no less protective than our own DPA, and we remain responsible to customers for their performance.
Customers receive prior notice of material changes to the sub-processor list and may object on reasonable data-protection grounds. The authoritative list, including regions, is published with the Privacy Policy and in the DPA annexes.
10Breach response & notification
We maintain procedures to detect, contain and respond to security incidents. In the event of a personal data breach affecting customer data, OpsIQ will notify the affected customer without undue delay and provide the information needed to support the customer's own notification obligations to authorities and data subjects. The full process is described in the DPA.
Keep your account's security contact current so notifications reach the right people. You can reach our team at security@opsiqai.com.
11Self-hosted compliance posture
Self-Hosted OpsIQ shifts the compliance posture toward the customer: you control the infrastructure and the data. This is often the right fit for teams with strict residency, retention or air-gap requirements.
- Residency: data lives wherever you deploy OpsIQ — you decide.
- Retention: the master retention setting and per-area inheritance run on your infrastructure under your control.
- AI control: you choose the model/provider and may disable features such as AI auto-actions where your obligations require it.
- Boundary of responsibility: you are responsible for the security and compliance of the environment you operate; we provide the software and security guidance.
Review your specific obligations with counsel before deployment.
12Accessibility
We aim to make OpsIQ interfaces usable by everyone and target conformance with the Web Content Accessibility Guidelines (WCAG 2.1 AA) as an ongoing, best-effort goal. Accessibility is an area of continuous improvement; if you encounter a barrier, contact compliance@opsiqai.com and we will work to address it.
13Certifications & roadmap
We are honest about where we stand. OpsIQ has built its security program around the control objectives that frameworks such as SOC 2 and ISO/IEC 27001 require — but we will never claim a certification we do not hold.
| Framework | Status |
|---|---|
| EU GDPR | Aligned — supported today |
| UK GDPR | Aligned — supported today |
| CCPA / CPRA | Aligned — Service Provider terms in the DPA |
| ePrivacy / cookies | Aligned — built-in consent enforcement |
| SCCs / UK IDTA | Aligned — incorporated in the DPA |
| SOC 2 Type II | In progress — roadmap; not yet held, no date promised |
| ISO/IEC 27001 | In progress — roadmap; not yet certified, no date promised |
| WCAG 2.1 AA | In progress — ongoing best-effort target |
- SOC 2 Type II: a formal SOC 2 examination is on our roadmap and in progress. We do not currently claim a completed SOC 2 report.
- ISO/IEC 27001: alignment with ISO 27001 controls is part of our security program; formal certification is a roadmap item and is not yet held.
We will update this page and notify customers as these milestones are achieved — without promising dates we cannot guarantee.
14Vulnerability disclosure
We welcome reports of suspected security vulnerabilities. If you believe you have found an issue in OpsIQ, please email security@opsiqai.com with enough detail for us to reproduce it.
- Acknowledgement: we will acknowledge legitimate reports and work to validate and remediate confirmed issues.
- Good faith: please act in good faith, avoid privacy violations and service disruption, and do not access or modify data that is not yours.
- Coordinated disclosure: give us a reasonable window to remediate before any public disclosure.
15Audit & documentation requests
To request our DPA, security documentation, sub-processor details, completed security questionnaires or other compliance materials, contact compliance@opsiqai.com (or security@opsiqai.com for security-specific questions).
Related resources: Trust Center · Security · Data Processing Addendum · Privacy Policy · Cookie Policy · Consent.
16Contact
For compliance, privacy and data-protection matters, reach the right team directly:
- Compliance:
compliance@opsiqai.com - Security & vulnerability reports:
security@opsiqai.com - Data Protection Officer:
dpo@opsiqai.com
OpsIQ is operated by Nabtech Digitalnet Limited — www.nabtech.co.
This document is provided for transparency and does not constitute legal advice. Customers in regulated industries should review it with their own counsel before deployment.