Data Security
Encryption, access controls, and provider safeguards for OpsCurb data.
Data Classification
| Category | What's In It | Protection |
|---|---|---|
| Highly Sensitive | Passwords, notification secrets, External IDs | Managed provider encryption, MFA available, access limited to backend systems |
| Sensitive | AWS Account IDs, IAM ARNs, scan results, cost data, emails | Encrypted at rest + in transit, row-level security |
| Public | Docs, marketing | Standard measures |
Encryption
- At rest: Managed provider encryption for the database, backups, and storage services we use
- In transit: TLS on traffic between browsers, APIs, and managed providers
- Key rotation: Managed by the underlying platform providers where applicable
Authentication
Login → Supabase Auth → JWT token → validated on every request.
Optional MFA via TOTP (Google Authenticator, Authy). Row-level security (RLS) is enforced at the database level — your data stays isolated even if there's an application bug.
AWS Cross-Account Access
We assume your IAM roles using unique External IDs. New accounts start with a core-scan role; optional features use separate optional roles. OpsCurb stores role ARNs and external IDs so accounts can be rescanned, but it does not store AWS access keys or long-lived STS credentials.
See the Permissions Matrix for the full capability mapping.
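To make the External ID mechanism above concrete, here is an added example in Python (not OpsCurb's own code): it builds the trust policy a customer would attach to a scan role, and reviews an existing trust policy for the two properties that matter on the customer side, a principal limited to the provider's account and an sts:ExternalId condition. The account ID and External ID are constructed placeholders, and the role itself is hypothetical.

```python
import json

# Constructed placeholders: the real account ID and External ID are issued at onboarding.
PROVIDER_ACCOUNT_ID = "111111111111"    # placeholder, not OpsCurb's real account
EXTERNAL_ID = "opscurb-ext-1a2b3c4d5e"   # placeholder; the real value is unique per customer


def build_trust_policy(provider_account_id: str, external_id: str) -> dict:
    """Trust policy for a customer-side scan role (hypothetical core-scan role).
    The sts:ExternalId condition is the confused-deputy mitigation: a party who
    only knows the role ARN cannot get the provider to assume the role for them.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{provider_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_findings(policy: dict, provider_account_id: str) -> list:
    """Review an existing trust policy and list problems with its AssumeRole grants."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        principal = {"AWS": principal} if isinstance(principal, str) else principal
        aws_principals = principal.get("AWS", [])
        aws_principals = [aws_principals] if isinstance(aws_principals, str) else aws_principals
        for p in aws_principals:
            # Only the provider's own account should be allowed to assume this role.
            if p == "*" or f"::{provider_account_id}:" not in p:
                findings.append(f"statement {i}: unexpected principal {p}")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id:
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(PROVIDER_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy, PROVIDER_ACCOUNT_ID))
```

Running the checker against the trust policies of your scan roles after onboarding confirms that an External ID is actually required, rather than assuming it from the documentation.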
Regulatory posture
OpsCurb does not currently claim formal compliance certifications or attestations. If your organization requires specific frameworks or audits, contact support@opscurb.com before onboarding.
Data Retention
| Data | Retention |
|---|---|
| Scan results | 7 days (Free), 90 days (Growth), 1 year (Scale), custom (Enterprise) |
| Account data | Until deletion |
| Audit logs | 1 year |
| Backups | 30 days |
Vendors
| Vendor | Purpose | Notes |
|---|---|---|
| Supabase | Database & Auth | Managed database and auth platform |
| Railway.app | API Hosting | Managed application hosting |
| Vercel | Frontend | Managed frontend hosting |
| DodoPayments | Payments | Payment processing provider |
| AWS | Infrastructure | Cloud infrastructure provider |
| OpenAI / Anthropic / Google | Optional AI features | Used only when AI features are enabled |
Incidents
You'll be notified within 24 hours if your data is accessed by unauthorized parties. Incident response follows detection → containment → notification → root cause analysis.
Questions
- Security issues: security@opscurb.com
- General support: support@opscurb.com
- Plain-English trust summary: Data Handling
Last Updated: 2026-03-12