Security

Security is core to how we build

Every layer of OpsConductor is designed with security and data protection in mind — from encryption to access control to responsible disclosure.

SOC 2 In Progress

TLS 1.3

RLS Enforced

No plaintext secrets

Data Encryption

All data transmitted between your browser and OpsConductor is encrypted using TLS 1.3. Data at rest is encrypted with AES-256 via Supabase managed infrastructure. This includes account data, agent configurations, OAuth tokens, and activity logs.

Authentication

OpsConductor uses Supabase Auth for user authentication. Sessions are managed via short-lived JWT tokens with automatic refresh. Passwords are hashed using bcrypt and are never stored in plaintext. Magic link and OAuth-based login flows are supported for passwordless access.

OAuth Token Storage

OAuth tokens for connected integrations (Gmail, Slack, HubSpot, GitHub, Stripe, Linear, Notion) are stored in the database with row-level security (RLS) policies. Tokens are never exposed to the client-side application. Token refresh is handled server-side, and tokens are immediately deleted when an integration is disconnected.

Access Control

All database tables are protected by row-level security (RLS) policies. Workspace isolation ensures that users can only access data within their own workspace. Role-based access control (Admin, Operator, Viewer) restricts what actions each team member can perform. Cross-workspace data access is not possible by design.
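As an added illustration of the workspace isolation and role-based restrictions described above (not OpsConductor's own schema or policies), the following shows how such rules are typically expressed as Postgres row-level security policies on Supabase; the table names `workspace_members` and `agents`, the `role` column and the `member_role` helper are assumptions.

```sql
-- Hypothetical schema (assumption, not OpsConductor's): a membership row
-- links a user to a workspace and records the role they hold there.
create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null references auth.users (id),
  role         text not null check (role in ('admin', 'operator', 'viewer')),
  primary key (workspace_id, user_id)
);

create table agents (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  name         text not null,
  config       jsonb not null default '{}'::jsonb
);

-- RLS is off by default: until it is enabled, the policies below are never consulted.
alter table workspace_members enable row level security;
alter table agents enable row level security;

-- Helper: the role the calling user holds in the given workspace, or null if not a member.
-- security definer lets it read membership without recursing into RLS; search_path is pinned.
create or replace function member_role(ws uuid)
returns text language sql stable security definer set search_path = public as $$
  select role from workspace_members
  where workspace_id = ws and user_id = auth.uid();
$$;

-- Users can read only their own membership rows.
create policy "members: read own" on workspace_members
  for select to authenticated using (user_id = auth.uid());

-- Workspace isolation: any member, whatever their role, sees only agents in their workspaces.
-- Rows of other workspaces are filtered out before the query result is built.
create policy "agents: read in workspace" on agents
  for select to authenticated using (member_role(workspace_id) is not null);

-- Role restriction: only admins and operators may create, change or delete agents.
-- No write policy mentions 'viewer', so a viewer's write is rejected by default.
create policy "agents: write in workspace" on agents
  for all to authenticated
  using (member_role(workspace_id) in ('admin', 'operator'))
  with check (member_role(workspace_id) in ('admin', 'operator'));
```

Client queries run under the `authenticated` role and are filtered by these policies; a table that should never be readable from the client (tokens handled only server-side, for example) is simply given no client-facing policy at all, leaving access to server-side code that uses a privileged role.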

Responsible Disclosure

If you discover a security vulnerability in OpsConductor, we ask that you disclose it responsibly. Please report any security issues directly to security@opsconductor.io. Do not disclose vulnerabilities publicly until we have had a reasonable opportunity to address them. We commit to acknowledging reports within 48 hours and providing a timeline for resolution.

Report a vulnerability

Found a security issue? We take every report seriously and will respond within 48 hours.

security@opsconductor.io