Security
Architecture
The OpsNGIN agent is a small Go binary that runs on your server with the privileges you grant it. It connects outbound only — over TLS 1.3 — to our control plane. No inbound ports are required.
Data in flight & at rest
All traffic is TLS 1.3 with modern cipher suites. Tenant data at rest is encrypted with AES-256. Keys rotate on a 90-day cycle. Secrets in the skill library are never logged.
Action safety
Every state-changing action runs through a safety classifier and (if TRUST Layer is enabled) a trained human reviewer before it touches your server. Snapshots are taken before destructive operations, so any change is reversible.
Compliance roadmap
We are targeting SOC 2 Type II in Q4 2026. ISO 27001 to follow. The skill library is audit-logged end to end.
Reporting a vulnerability
Found something? Email security@opsngin.com. We respond within 24 hours and credit responsible disclosure.