Security · by design

AI power, with guardrails.

OpsIQ is built on one principle: an AI that can write to your business has to ask permission first. Every request is verified, every action contracted, scoped, signed, role-checked and audited. No shortcuts, no surprises, no off-policy operations.

AES-256 · TLS 1.3HMAC-SHA256 signed I/OPer-tenant isolation100% AI turns audited
Every action signed & scoped
Nothing reaches data unverified
Live Every request earns its way in. request 2FA SSO FIREWALL VAULT · tenant-sealed AUDIT LOG · APPEND-ONLY login.success · 2FA · owner sso.authorized · oidc · acme.idp action.signed · refund_invoice · ok
AES-256encryption at rest
TLS 1.3every connection
HMACSHA-256 signed I/O
100%AI turns audited
Authentication & access

Authenticate, authorize, audit.

Only the right people get in, and once they're in, every move is on the record. Each admin enables TOTP two-factor (Google Authenticator, 1Password, Authy, any RFC-6238 app); Business and Enterprise add OIDC single sign-on and SCIM auto-provisioning so joiners and leavers flow straight from your IdP. Brute-force attempts are throttled into automatic lockout, and every sign-in, permission and SCIM change is recorded.

TOTP two-factor: per-admin, with single-use recovery codes you can regenerate.
OIDC SSO & SCIM: bring your own IdP on Business+; provisioning is logged.
reCAPTCHA & lockout. Failed-login counters trigger an automatic IP lockout.
2FA challengeVerifying
Two-factor verification Enter the 6-digit code from your app 4 9 2 7 1 3 Verify & sign in
ThenRole-gated & logged
01

Authenticate

TOTP two-factor or OIDC SSO proves who's knocking. SCIM provisions and deactivates admins straight from your IdP.

02

Authorize

Owner / admin / support roles plus per-page grants mean each person reaches exactly what their job needs, nothing more.

03

Audit

Every sign-in, permission change and write (human or AI) lands in an append-only log with actor, IP, time and result.

The core controls

Four guarantees, working at once.

Every request moves through the same security choreography: prove identity, prove authority, sign the path, seal the data. The result is a platform that feels fast without ever becoming casual about access.

01

Authenticate

TOTP two-factor, OIDC SSO and SCIM joiner/leaver flows verify who is entering before any admin surface opens.

02

Authorize

Owner, admin, support and page-level grants keep every teammate inside the exact boundary their role allows.

03

Sign

Webhook traffic and API calls are scoped, HMAC-verified, replay-protected, rate-limited and tied to one workspace.

04

Audit

Every human write, AI action, permission change and security event lands in an append-only audit stream.

OpsIQ security control plane live verification
Security Events Structured Audit Failed Logins
streaming
Total events1,28474 unique IPs
Critical03review now
Warnings18last 24 hours
Audit bytes2.4mappend-only stream
Filter event, actor, IP, trace...
Severity
Customer
Apply
SeverityActor / IPEventResultTrace
CriticalAI
10.0.4.12
off_contract_action.rejected
Attempted write blocked before endpoint
Deniedtr_8fa2
WarningAva R.
102.89.x.x
webhook.signing_key.rotated
workspace key sealed and replaced
Loggedtr_3c19
InfoSCIM
Okta
admin.deactivated
directory sync removed access
Syncedtr_b771
InfoLockout
45.137.x.x
failed_login.counter.reset
bulk reset recorded by owner
Clearedtr_09de
JSON event stream · actor, IP, params, result, duration

Audit record opened

Webhook signing key rotation is preserved with actor, role, IP, timestamp, raw parameters hash, result and trace ID.

actor: Ava R.role: ownerresult: loggedhash: 9f3a...2c
Live posture

No invisible writes.

AI actions, admin changes and webhook deliveries are recorded with actor, IP, action, result and approval state.

100% AI auditedCSV exportOwner-only history12mo retention
Signed edge

Every edge call proves itself.

HMAC signatures, nonces, timestamps, scoped keys and optional IP allowlists stop forged or replayed traffic early.

Hardening

Built for bad traffic.

Failed-login lockout, IP and CIDR blocking, bot scoring, rate limits and account-takeover signals keep pressure off the core.

Tenant isolation

One tenant can never reach another's data.

Each cloud workspace has its own tenant boundary and its own encryption key. A request from one workspace cannot read, write or decrypt another workspace, even if someone is staring at the raw database.

Tenant Alphakey alpha_7f...
Tenant Beaconkey beacon_42...
Tenant Corekey core_19...
The seven layers

Security every place data lives or moves.

AI safetyEvery action is a registered contract with declared scope, roles and parameters. Risky writes need human confirmation. Off-contract output is rejected.
AuditEvery admin action, AI turn and webhook delivery, with actor, IP, time, params, result and duration. CSV export. 12-month default retention, longer for regulated loads.
HardeningIP & CIDR firewall, bot and threat scoring on visitor logs, rate limiting on every public endpoint, replay-protected gateway, account-takeover detection.
AI analystAn opt-in security analyst that reads the signals for you: verdicts on suspicious IPs, incident briefs, a daily digest and 0-token block policies. It never sits in the request path.
Incident response24/7 on-call for P0s. P0 notice within 30 minutes, P1 within 4 hours. Public RCA within five business days. Live status at /status: emailable, RSS, machine-readable.
Posture, live · responsible AI

A control plane that checks itself.

OpsIQ's AI cannot invent operations. Every action it can take is a registered contract with declared scope, roles and parameters, and anything off-contract is rejected at the brain layer before it reaches an endpoint. Risky writes always require explicit human confirmation. You choose your model (Anthropic, OpenAI, Gemini, Grok or self-hosted), and your conversations are never used to train models.

Action approval gating. Risky writes need a human confirmation.
No off-contract actions. Unknown operations are rejected at the brain layer.
Choose your model: your provider, your keys, no lock-in, no training on your data.
SECURITY POSTURE 100% Encryption · AES-256 / TLS 1.3 Two-factor enforced Webhooks HMAC-signed Audit log · append-only Per-tenant isolation Lockout & rate limiting All controls passing · GDPR / CCPA aligned
100%AI turns audited
0off-contract actions allowed
Yourmodel, keys & data
Neverused to train models
At a glance

The full security toolkit.

A complete control surface for identity, data, edge traffic, AI safety and incident response. Dense enough for a security review, polished enough for the product page.

Data protection

  • AES-256 envelope encryption at rest.
  • TLS 1.3 for every connection.
  • Secrets stored outside the web root.
  • Residency and retention controls.

Tenant boundary

  • Separate tenant keys on cloud.
  • No cross-tenant read, write or decrypt path.
  • Workspace-locked API keys and audit ownership.

Signed I/O

  • HMAC-SHA256 over raw webhook bodies.
  • Timestamp and nonce replay protection.
  • Scoped API keys with IP allowlists and rotation.

Threat defence

  • Failed-login lockout and manual release.
  • IP and CIDR firewall with session propagation.
  • Threat scoring, rate limits and login journey review.

AI safety

  • Registered action contracts only.
  • Human confirmation on risky writes.
  • No model training on your data.
  • Prompt, response, result and approver logged.

Audit and response

  • Append-only audit log with CSV and JSON export.
  • Security event filters by actor, action, IP and risk.
  • Bulk counter reset and resolved-history deletion logged.

AI security analyst

  • Verdict chips and Explain on suspicious IPs.
  • Incident briefs, daily digest and weekly posture check.
  • 0-token block policies with opt-in, guardrailed autopilot.
Security posture

Where OpsIQ stands today.

Honest status: what is live, what is aligned, and what is on the roadmap. No borrowed badges, no certification claims we do not hold.

Controls are live where they protect the product today.

The roadmap is called out separately, so security teams can see the difference between deployed controls and future certifications at a glance.

14live controls 3aligned areas 2roadmap items

Live controls

Encryption at restAES-256 sealed storage plus TLS 1.3 in transit.Live
Two-factor and SSOTOTP, recovery codes, OIDC SSO and SCIM provisioning.Live
Role-based accessOwner, admin, support and per-page permission grants.Live
Append-only auditHuman writes, AI actions, security events and exports.Live
Signed webhooks and API keysHMAC-SHA256, replay protection, scoped keys and rate limits.Live
Tenant isolationSeparate cloud tenant keys with no cross-tenant read/write path.Live
Firewall and lockoutIP/CIDR blocking, failed-login lockout and threat scoring.Live
AI security analystVerdicts, incident briefs, digest, posture check and 0-token policies. Opt-in.Live
GDPR / UK GDPR / CCPADPA, DSAR tooling, privacy controls and retention choices.Aligned
GDPR alignedCCPA alignedAES-256 at restTLS 1.3HMAC-SHA256Per-tenant isolationSOC 2 roadmapISO 27001 roadmap
Operations & defence

When something's off, you stay in control.

Know who's knocking, release a locked teammate in one click, and watch the platform guard its own health, every move logged.

IP intelligence

Every address classified and risk-scored on sight.

OpsIQ doesn't just count bad logins; it tells you what kind of address is hitting you. Each IP is classified as residential, shared, datacenter or internal, then given a 0–100 threat score from bot and takeover signals on the visitor journey. Datacenter ranges hammering your login form look very different from a customer on home broadband, and your lockout thresholds can treat them differently.

IP classification: residential, shared, datacenter or internal, surfaced on every event.
0–100 threat score: bot and account-takeover signals, anything ≥50 highlighted.
One-click ban. Block every IP on a suspicious session from a single button.
Journey timeline: every failed-login attempt replayed as its own reviewable trail.
Live IP INTELLIGENCE 86.142.10.4 RESIDENTIAL 18 45.137.21.88 DATACENTER 92 BLOCK 10.0.4.12 INTERNAL 02 Threat score ≥ 50 highlighted · 0 = trusted · 100 = hostile
Incident response

Stay in control when something's off.

When a teammate gets locked out, you release them in one click, with no waiting for a timer. Sweep active failed-login counters in bulk after an incident, search the full failed-login history to investigate, and bulk-delete stale records once it's resolved. Every release, reset and deletion is itself written to the audit log, so the cleanup is as accountable as the breach.

Manual lockout release. Clear a locked admin or IP instantly, no timer wait.
Active-counter monitoring. See every live failed-login counter at a glance.
Bulk reset & history search: sweep counters, search the full attempt history.
Bulk history deletion. Purge resolved records; the deletion is logged too.
Live FAILED-LOGIN COUNTERS admin@acme.co 5/5 · LOCKED 0/5 · released RELEASE 94.21.x.x3/5 active0/5 clear 203.0.x.x2/5 active0/5 clear Bulk reset counters Release & reset recorded audit · actor · timestamp · reason
System protection

The platform watches its own health.

Beyond the perimeter, OpsIQ guards its own integrity. A signed license check keeps the install genuine, built-in health diagnostics surface a live snapshot of the platform's vital signs, and front-end JavaScript errors are captured server-side so a broken release shows up in your dashboard instead of silently failing on a customer's screen.

License integrity. Signed validation keeps the install genuine and tamper-evident.
Health diagnostics: a live snapshot of the platform's vital signs, on demand.
JavaScript error capture. Front-end errors logged server-side, not lost on the client.
Secrets outside the web root: config and keys never served by the web tier.
Live SYSTEM HEALTH License valid signed · genuine DIAGNOSTICS JS error capture SERVER-SIDE TypeError: undefined is not a functioncheckout.js:42 · Safari 17 · captured ReferenceError: opsiq is not definedwidget.js:8 · Chrome 124 · captured Promise rejection handledapp.js:120 · Firefox 126 · captured TypeError: undefined is not a functioncheckout.js:42 · Safari 17 · captured
AI security analyst

Not just recorded. Understood.

Every other page on this list captures what happened. The opt-in AI security analyst reads those signals and tells you what they mean, what to do, and (only if you let it) does the reversible part for you. It is built to cost almost nothing: it never runs in the visitor request path, obvious cases are settled by deterministic rules with no AI call, verdicts are cached, and its best output is a plain block rule that then enforces forever at zero tokens.

The token contract

An analyst on every alert, for the price of a few cents a month.

Deterministic scoring stays the first line of defence, exactly as before. The model is only asked when it actually helps: an ambiguous IP, a fresh incident, the morning digest. Ambiguous entities batch into one call, so a wave of attackers is read together, not one request at a time. Its own monthly budget lives in AI Config, and if it is ever reached the analyst quietly falls back to deterministic reads. Blocking, lockouts and alerts never depend on it.

Zero AI in the hot path Verdicts cached 24h Own budget cap Every action audited
Live verdict AI verdict batched · cached 45.137.21.88 HOSTILE · 92% Datacenter IP · 41 failed logins · 12 account names tried. Block 24h Watch Release 86.142.10.4 BENIGN · 96% Residential · known customer · normal browsing. Served from cache · no AI call · 0 tokens

Verdict chips + Explain

Blocked IPs and Failed Logins rows get a benign / suspicious / hostile chip with a confidence score. Explain opens the reasoning, the facts used, and one-click Block or Release. Cached, so re-viewing an IP is free.

Incident briefs

Related events cluster into one story: a login wave, a URL scan, an auto-block burst. Each new incident gets a plain-English timeline and one recommended next move. Ongoing attacks fold into the same incident.

Daily digest

One recap each morning: yesterday versus your baseline, new blocks, incidents and the single thing worth doing today. On a quiet day it just says all clear, and that check costs zero tokens.

Weekly posture check

A Monday hardening checklist: admins without 2FA, a lockout threshold that looks generous against your real attack volume, alerts switched off. Each item carries a severity, an effort label and the exact fix.

Ask Security

A question box on the Security Overview. Ask why an IP was blocked or what to harden first, and it answers from your live security state. Deep server work is handed to the admin engineer chat, never guessed.

Opt-in

Policy autopilot

The analyst proposes concrete block rules as Approve / Dismiss cards that enforce at zero tokens with a live hit counter. Optional autopilot approves only the safest: reversible, time-limited, single IPs or ranges no wider than /24, never shared or mobile, capped per hour, always undoable.

It recommends and explains. It can never run wild.

The analyst suggests, clusters and (only with autopilot on) applies reversible blocks. It can never delete data, change settings, touch the audit ledger, or make a permanent ban, and every action it takes is written to the same append-only log as everything else.

0AI calls in the request path
24hverdict cache per entity
≤/24widest unattended block
100%analyst actions audited
Full feature list

Everything in Security.

Every capability, grouped. ★ marks a stand-out.

FeatureWhat it does
Authentication
Two-factor (TOTP)Per-admin RFC-6238 two-factor for Google Authenticator, 1Password, Authy or any compatible app.
Single-use recovery codesRegenerable backup codes so a lost device never locks you out for good.
OIDC single sign-onBring your own identity provider on Business and Enterprise plans.
SCIM provisioningAutomatic admin create and deactivate from your IdP; every change logged.
reCAPTCHA on loginOptional bot challenge on the sign-in form to slow automated attacks.
Hardening
Failed-login lockout ★Rolling failure counters trip an automatic IP lockout once the threshold is crossed.
IP & CIDR blocking ★Block a single address or a whole range by hand; bans propagate across a session.
IP classification ★ NEWEach address tagged residential, shared, datacenter or internal on every event.
Threat scoring0–100 bot and account-takeover score; anything ≥50 is highlighted.
Rate limitingEvery public endpoint is throttled against brute force and abuse.
Authorization
Role-based access controlOwner, admin and support roles so each person sees only what their job needs.
Per-page permission grants NEWGrant or revoke individual admin pages per teammate for fine-grained access.
Confirmation policiesPer-action gating that forces an explicit confirm step on sensitive operations.
Data protection
Per-tenant isolation ★Each cloud workspace has its own key, so no cross-tenant read or write, even with full DB access.
AES-256 at restEnvelope encryption seals every byte stored on disk.
TLS 1.3 in transitEvery connection to OpsIQ is encrypted with modern TLS.
Secrets outside the web rootConfig files and signing keys live where the web tier can never serve them.
API security
Signed webhooks ★HMAC-SHA256 over the raw body with timestamp and nonce replay protection, both directions.
Scoped API keysWorkspace-locked keys in All, Read-only or Restricted permission modes.
IP allowlist on keysRestrict a key to specific IPs or CIDR ranges so a leaked key is still useless elsewhere.
Key rotation & revocationRotate or revoke any key instantly; secret keys are never returned again after creation.
Per-hour rate limitsEach key carries its own request budget to contain abuse.
Audit
Append-only audit log ★Every human and AI write captured with actor, role, IP, time, action and result, never edited.
CSV / JSON exportHand auditors the whole trail in a portable format.
FilteringSlice the log by action, actor, date or risk to find exactly what you need.
Security eventsSign-ins, 2FA, permission and SCIM changes are all recorded as events.
Failed-login journey timeline ★Every attempt against an account replayed as its own reviewable journey.
Lockout & counter monitoring NEWSee every live failed-login counter and active lockout at a glance.
Failed-login history search NEWSearch the full history of login attempts to investigate an incident.
Incident response
Manual lockout release NEWClear a locked admin or IP in one click without waiting for a timer.
Bulk counter reset NEWSweep all active failed-login counters clear after an incident.
Bulk history deletion NEWPurge resolved failed-login records in bulk; the deletion itself is logged.
System protection
License integritySigned validation keeps the install genuine and tamper-evident.
Health diagnostics NEWA live snapshot of the platform's vital signs, on demand.
JavaScript error capture NEWFront-end errors are logged server-side instead of silently failing on a customer's screen.
AI safety
Action contracts ★The AI can only invoke registered operations with declared scope, roles and parameters.
No off-contract actionsUnknown operations are rejected at the brain layer before they reach an endpoint.
Human approval on risky writesSensitive actions always require an explicit human confirmation.
100% AI turns audited ★Every AI turn (prompt, response, result and approver) lands in the audit log.
No training on your dataLive conversation context only; your data is not used to train models.
Compliance & admin
Data residency & retentionChoose your region and set your own retention window; 0 keeps records forever.
Owner-only audit accessThe full AI history audit log is restricted to the workspace owner.
GDPR / CCPA alignmentDPA, DSAR export and delete tooling, and consent enforcement at source.
Admin user management NEWInvite, role, deactivate and audit every admin from one console.
Department management NEWOrganise teams into departments with their own access and routing.
For your security team

Common questions they will ask.

No. AI calls hit the model provider you choose (Anthropic, OpenAI, Gemini, Grok or self-hosted) with the live conversation context only. Provider standard data handling applies; most don't train on API traffic by default.
Multi-tenant cloud runs in EU and West Africa today. Dedicated cloud customers pick the region at provisioning. Self-hosted: wherever you install it.
Public keys (the shareable ones) are stored as-is. Secret keys and webhook signing secrets are AES-256 sealed with a per-install derived key, retrievable only by the tenant they belong to. They cannot be re-fetched via the API after creation, only rotated.
Yes. Account → Privacy has a self-service delete & export. Operators can also call POST /v1/customers/{id}/erase. Audit log entries about the deletion itself are retained for 12 months for compliance review.
30-day export window. After that, primary records are deleted from production; backups roll off the standard 30-day rotation; all copies are gone within 60 days of cancellation.
Yes. /.well-known/security.txt, disclosure email security@opsiqai.com, acknowledged within one business day, with a public bug-bounty for material findings. We also run an annual third-party pen-test plus continuous internal red-teaming; summary reports are available under NDA.
We will be straight with you: not yet. The underlying controls (encryption, RBAC, immutable audit, signed I/O, isolation) are in place today, and we are GDPR, UK GDPR and CCPA aligned. SOC 2 Type II and ISO 27001 are on our roadmap; we do not claim certifications we don't hold. Ask security@opsiqai.com for our current posture letter.
OIDC single sign-on and SCIM auto-provisioning are available on Business and Enterprise. Connect your identity provider, and new admins are provisioned and deactivated automatically, with every provisioning event recorded in the audit log. Self-hosted installs configure their own IdP.
The AI can only invoke registered action contracts, each with a declared scope, allowed roles and parameters. Anything off-contract is rejected at the brain layer before it reaches an endpoint, and risky writes require an explicit human confirmation. Every action it does take is recorded in the audit log with the human who approved it.