Trust Center

Everything your security and compliance team needs to evaluate Opslytica. Download pre-filled questionnaires, review our security posture, and access compliance documentation.

Downloads

Security & Compliance Documents

Pre-filled questionnaires, agreements, and audit reports for your vendor evaluation.

SIG Lite Questionnaire

Pre-filled Shared Information Gathering questionnaire. 200+ security questions answered.

Download SIG Lite (.xlsx)

CAIQ Questionnaire

Cloud Security Alliance Consensus Assessments Initiative Questionnaire v4.

Download CAIQ (.xlsx)

SOC 2 Type II Report

Independent audit of security controls. Available under NDA.

Request Report

BAA Template

HIPAA Business Associate Agreement for covered entities.

Download BAA (.docx)

DPA Template

GDPR Data Processing Agreement for EU data subjects.

Download DPA (.docx)

Penetration Test Summary

Annual third-party penetration test results. Available under NDA.

Request Summary

Assessment

Security Assessment Overview

Detailed answers organized by category for your security review.

Data Classification & PHI Handling
  • Opslytica receives only de-identified operational metrics — never raw Protected Health Information (PHI).
  • The optional Event Gateway runs in your environment and applies configurable de-identification (hashing, removal, generalization) before any data leaves your network.
  • Operational metrics include: cycle times, SLA compliance rates, case counts, throughput — no patient names, MRNs, DOBs, or clinical data.
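An added example (not the Event Gateway's own code) of the kind of configurable de-identification the bullets above describe: a per-field policy removes direct identifiers, pseudonymizes a join key, and generalizes a date of birth to an age band before the event would leave the network. The event, the policy format and field names are constructed for illustration, and the "hashing" action is implemented here as a keyed HMAC-SHA256 (an assumption about the gateway's choice).

```python
"""Constructed de-identification step: drop, pseudonymize or generalize
fields according to a policy, so only operational metrics are emitted."""
import hashlib
import hmac
from datetime import date

# Constructed sample event as a source system might emit it (hypothetical).
RAW_EVENT = {
    "event_type": "case_closed",
    "case_id": "CASE-48213",
    "patient_name": "Jane Doe",   # direct identifier: must be removed
    "mrn": "00123456",            # direct identifier: must be removed
    "dob": "1957-03-14",          # quasi-identifier: generalize to age band
    "opened_at": "2024-05-01T08:00:00",
    "closed_at": "2024-05-01T11:30:00",
    "sla_met": True,
}

# Hypothetical policy format: field -> action.
POLICY = {
    "patient_name": "remove",
    "mrn": "remove",
    "case_id": "hash",            # keep a stable, non-reversible join key
    "dob": "generalize:age_band",
}

def pseudonymize(value: str, secret: bytes) -> str:
    """Keyed hash: stable for joins, but not reversible or brute-forceable
    without the gateway-held secret (a plain SHA-256 of an MRN would be)."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:16]

def age_band(dob_iso: str, today: date) -> str:
    """Generalize an exact date of birth to a 10-year band."""
    born = date.fromisoformat(dob_iso)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"

def deidentify(event: dict, policy: dict, secret: bytes, today: date) -> dict:
    """Apply the policy field by field; unlisted fields pass through unchanged."""
    out = {}
    for field, value in event.items():
        action = policy.get(field)
        if action == "remove":
            continue                      # never forwarded
        if action == "hash":
            out[field] = pseudonymize(str(value), secret)
        elif action == "generalize:age_band":
            out["age_band"] = age_band(value, today)
        else:
            out[field] = value
    return out
```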

Encryption & Data Protection
  • In Transit: All API communication uses TLS 1.3. HSTS enforced. Certificate pinning supported by SDKs.
  • At Rest: AES-256 encryption for all stored data. Database Transparent Data Encryption (TDE) enabled.
  • API Keys: SHA-256 hashed server-side. Only key prefix stored for lookup. Raw keys never persisted.
  • Secrets Management: Azure Key Vault for all production secrets. No secrets in source code or config files.
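An added example (not Opslytica's implementation) of the API-key storage scheme the bullet above describes: the raw key is returned once at issue time, only a lookup prefix and a SHA-256 digest are kept server-side, verification compares digests in constant time, and the scoped-key and expiration behaviour from the access-control section is enforced on top. The `opl_` key format, prefix length and in-memory table are assumptions made for the example.

```python
"""Constructed API-key store: prefix for lookup, SHA-256 digest for
verification, raw key never persisted."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

PREFIX_LEN = 12   # "opl_" + 8 random chars is enough to index the table (assumed)
_DUMMY = hashlib.sha256(b"unused").hexdigest()

def _digest(raw_key: str) -> str:
    # Unsalted SHA-256 is adequate here (unlike for passwords): the key carries
    # ~256 bits of randomness, so a leaked digest cannot be inverted by guessing.
    return hashlib.sha256(raw_key.encode()).hexdigest()

class ApiKeyStore:
    """In-memory stand-in for the server-side key table (constructed)."""

    def __init__(self):
        self._rows = {}   # prefix -> {"digest", "scope", "expires_at"}

    def issue(self, scope: str, ttl_seconds: Optional[float] = None) -> str:
        """Mint a key and hand the raw value back exactly once."""
        while True:
            raw = "opl_" + secrets.token_urlsafe(32)
            prefix = raw[:PREFIX_LEN]
            if prefix not in self._rows:       # avoid a prefix collision
                break
        self._rows[prefix] = {
            "digest": _digest(raw),
            "scope": scope,
            "expires_at": None if ttl_seconds is None else time.time() + ttl_seconds,
        }
        return raw                              # only the digest was stored

    def verify(self, presented: str, required_scope: str, now: Optional[float] = None) -> bool:
        """Look up by prefix, compare digests in constant time, then enforce
        expiry and scope. Fails closed without saying which check failed."""
        now = time.time() if now is None else now
        row = self._rows.get(presented[:PREFIX_LEN])
        expected = row["digest"] if row else _DUMMY   # uniform work for unknown prefixes
        if not hmac.compare_digest(expected, _digest(presented)) or row is None:
            return False
        if row["expires_at"] is not None and now > row["expires_at"]:
            return False
        return row["scope"] == required_scope
```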

Access Controls & Authentication
  • Multi-tenant isolation: All queries scoped by OrgId at the database layer. No cross-tenant data access possible.
  • Role-based access: Admin, Manager, Viewer roles with principle of least privilege.
  • API authentication: Scoped API keys (Ingest, Query, Admin) with configurable expiration.
  • Session management: Secure HTTP-only cookies, configurable session timeout, concurrent session limits.

Infrastructure & Hosting
  • Hosted on Microsoft Azure with geo-redundant deployment options.
  • Azure App Service with managed TLS certificates.
  • Azure SQL Database with automatic backups (35-day retention, geo-replication).
  • No customer data stored on developer workstations or in CI/CD pipelines.

Network Security
  • Event Gateway requires only outbound HTTPS (port 443). No inbound firewall rules needed.
  • API rate limiting: configurable per API key (default 1000 events/minute).
  • DDoS protection via Azure Front Door.
  • WAF (Web Application Firewall) rules for OWASP Top 10 protection.

Business Continuity & Disaster Recovery
  • 99.9% uptime SLA for Professional and Enterprise plans.
  • Recovery Time Objective (RTO): 4 hours. Recovery Point Objective (RPO): 1 hour.
  • Automated daily backups with 35-day retention.
  • Geo-redundant failover for Enterprise customers.
  • Status page: status.opslytica.com for real-time incident communication.

Compliance & Certifications
  • SOC 2 Type II: Audited annually by independent third party. Report available under NDA.
  • HIPAA: Business Associate Agreement (BAA) available. Event Gateway ensures PHI never reaches our servers.
  • GDPR: Data Processing Agreement (DPA) available. Data residency controls. Right to erasure supported.
  • Annual penetration testing by third-party security firm. Summary available under NDA.

Incident Response
  • Documented incident response plan with defined severity levels.
  • Customer notification within 72 hours of confirmed breach (GDPR) or as required by BAA.
  • Dedicated security contact: security@opslytica.com
  • Bug bounty program for responsible disclosure.

Vendor & Subprocessor Management
  • Microsoft Azure: Cloud infrastructure and database hosting
  • SendGrid: Transactional email delivery (no PHI in emails)
  • Stripe: Payment processing (PCI DSS Level 1 compliant)
  • No customer operational data shared with subprocessors beyond hosting requirements.

Data Retention & Deletion
  • Configurable data retention per pricing tier (7 days Free → 365 days Enterprise).
  • Full data export available in JSON/CSV format on request.
  • Complete data deletion within 30 days of contract termination.
  • Audit logs retained for 90 days minimum.

FAQ

Common Security Questions

Quick answers to the questions we hear most during vendor evaluations.

Does Opslytica store PHI?

No. Opslytica only receives de-identified operational metrics such as cycle times, case counts, and SLA compliance rates. The optional Event Gateway runs inside your environment and applies configurable de-identification before any data leaves your network. No patient names, MRNs, DOBs, or clinical data ever reach our servers.

Can we run everything on-premises?

The Event Gateway runs in your environment and handles all data de-identification locally. The SaaS analytics platform is cloud-hosted on Microsoft Azure, but Enterprise customers can discuss dedicated deployment options with our engineering team.

How do we get the SOC 2 report?

Contact us at security@opslytica.com or submit a request through our contact form. The SOC 2 Type II report is available under mutual NDA. We typically fulfill requests within one business day.

What happens to our data if we cancel?

You will receive a full data export in JSON or CSV format. Complete data deletion is performed within 30 days of contract termination, and written confirmation of deletion is available upon request.

Have questions for your security review?

Our security team is available to discuss your requirements, answer questionnaires, and provide documentation for your vendor evaluation.