Enterprise-grade security built into every layer of the platform.
Certifications and compliance standards
Multiple layers of protection safeguard your data at every level of our infrastructure.
AES-256 encryption for all stored data. Encryption keys are managed through a dedicated key management service with automatic rotation.
TLS 1.3 for all communications. All connections enforce HTTPS with HTTP Strict Transport Security (HSTS), and mobile clients pin certificates.
VPC isolation, private subnets, a web application firewall (WAF), and network segmentation separate workloads at the infrastructure level.
Multi-layer DDoS mitigation with automatic traffic analysis, rate limiting, and geographic filtering at the edge.
Security controls built into every layer of the application stack.
Complete data isolation per organization. Row-level security, separate encryption contexts, and automatic security boundaries prevent any cross-organization data access.
Granular permissions with MFA enforcement. Define custom roles, assign capabilities, and enforce least-privilege access across your organization.
Complete audit trail of all actions. Every login, data access, configuration change, and API call is logged with tamper-proof retention.
Rate limiting, API key authentication, circuit breakers, and request validation protect every endpoint from abuse and misuse.
Opslytica never stores protected health information. Identifiable fields (member IDs, case IDs) are pseudonymized by your systems before data is collected: the secret key stays in your infrastructure, and we store only the irreversible tokens.
Your organization holds the HMAC secret key used for pseudonymization, so Opslytica cannot reverse the hashed identifiers. Because the same input always yields the same token, records can still be joined and counted across datasets without exposing patient data. Custody of the key is the control: anyone who obtains it can recompute tokens for known identifiers, so it is never shared with Opslytica.
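The keyed pseudonymization described above, as an added example written for this page (it is not Opslytica's code). It assumes the identifier columns `member_id` and `case_id`, a 32-byte HMAC key generated on the customer side, and a 5-digit member-ID space; the sample records are constructed. Beyond the scheme itself, it shows why the key matters: an unkeyed SHA-256 of a low-entropy identifier can be reversed by enumerating the ID space, while the HMAC token can be reversed only by whoever holds the key.

```python
"""Customer-side pseudonymization with HMAC-SHA256 (added example, not vendor code)."""
import hashlib
import hmac
import secrets
from typing import Optional

IDENTIFIER_FIELDS = ("member_id", "case_id")  # assumed identifier columns


def tokenize(value: str, field: str, key: Optional[bytes]) -> str:
    """Deterministic token for one identifier value.

    key=None models the weak scheme (unkeyed SHA-256) and exists only to
    demonstrate the attack below; a real export always supplies the key.
    The field name is bound into the input so equal values in different
    columns (a member ID that happens to equal a case ID) get different tokens.
    """
    msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    if key is None:
        return hashlib.sha256(msg).hexdigest()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Replace identifier fields before export; other fields pass through."""
    out = dict(record)
    for field in IDENTIFIER_FIELDS:
        if out.get(field) is not None:
            out[field] = tokenize(str(out[field]), field, key)
    return out


def recover(token: str, field: str, key: Optional[bytes], id_space: int) -> Optional[str]:
    """Try to reverse a token by enumerating every candidate identifier.

    Models a party holding the exported data. With key=None it is the
    dictionary attack on an unkeyed hash; with the real key it is what the
    key holder can do, and what a leaked key would let anyone do.
    """
    for n in range(id_space):
        candidate = f"{n:05d}"  # assumed 5-digit identifier format
        if hmac.compare_digest(tokenize(candidate, field, key), token):
            return candidate
    return None


def demo() -> dict:
    """Run the scheme on constructed records and report what each party can recover."""
    key = secrets.token_bytes(32)  # generated and kept by the customer
    id_space = 100_000             # assumed 5-digit member-ID space
    records = [                    # constructed sample input
        {"member_id": "04217", "case_id": "04217", "wait_minutes": 42},
        {"member_id": "04217", "case_id": "77001", "wait_minutes": 17},
    ]
    exported = [pseudonymize_record(r, key) for r in records]
    weak = tokenize("04217", "member_id", None)
    return {
        # same member in two records still links, so counts and joins work
        "same_member_links": exported[0]["member_id"] == exported[1]["member_id"],
        # equal raw values in different columns do not share a token
        "fields_separated": exported[0]["member_id"] != exported[0]["case_id"],
        # unkeyed hash of a small ID space falls to enumeration
        "weak_hash_reversed": recover(weak, "member_id", None, id_space),
        # vendor holding only tokens and no key learns nothing
        "vendor_without_key": recover(exported[0]["member_id"], "member_id", None, id_space),
        # the key holder can map tokens back, which is why key custody is the control
        "holder_of_key": recover(exported[0]["member_id"], "member_id", key, id_space),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two consequences follow from the design. Rotating the HMAC key produces a new token for every identifier, so historical exports no longer link to new ones unless the customer re-exports under the new key. And because the key holder can rebuild the token-to-identifier mapping, the key must be protected like the raw identifiers themselves, not like a mere configuration value.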
We maintain rigorous compliance standards to meet the requirements of regulated industries.
Annual audits by independent third party. Our SOC 2 Type II report covers security, availability, and confidentiality trust service criteria.
Data processing agreements, right to deletion, data portability. Full GDPR compliance with EU-based data residency options available.
BAA available, PHI safeguards, access controls. Our zero-PHI architecture means identifiable data is pseudonymized before it reaches Opslytica, supplemented by administrative, physical, and technical safeguards required by the HIPAA Security Rule.
Information security management system certified. Our ISMS covers all aspects of information security risk management and controls.
Authorization in progress for government deployment. We are pursuing FedRAMP Moderate authorization for federal agency use.
Compliant payment processing through Stripe. We never store, process, or transmit cardholder data directly on our infrastructure.
Our security team is available to discuss your requirements, answer questions, and provide documentation for your vendor review process.