Security at OpLogica
This page describes how OpLogica approaches security at its current stage, what it protects, and what it does not claim. The company is Oplogica Inc. This is a transparency statement, not a certification.
The final text is reviewed by a qualified security professional and counsel, and aligned with the practices actually in place, before launch.
Our security principles
- We protect only what we need to hold, and we limit what we hold.
- We are honest about our security posture and our stage.
- We do not claim certifications or audits we do not have.
- We limit access to information to those who need it.
- We use selected third-party infrastructure and service providers.
- We treat engagement and workflow data as confidential.
- We use fictional data in all public materials.
- We acknowledge that no system is perfectly secure.
- We have a clear path to handle security reports.
- We expect our security practices to mature as the company grows.
- We align our security statement with our Privacy Policy and Terms of Use.
- We would rather disclose a limitation than hide it.
How we think about security
Our philosophy is to minimize what we hold, limit access, use selected third-party infrastructure, treat engagement data as confidential, and be honest about our posture and stage. This follows from our broader values around evidence integrity and honesty.
What we protect
We protect website-collected information, audit-request and workflow information, engagement data, and communication information, consistent with the Privacy Policy. Audit and engagement data are treated as the most sensitive category.
Securing the website
The website is served over encrypted connections, uses third-party hosting, and collects limited information. We describe only controls that are actually implemented.
Protecting audit request data
Information submitted to request an audit is used to assess and deliver the audit, is handled as private, is access-limited, and is not shared publicly, consistent with the Privacy Policy and Terms. Public materials use fictional data only.
Protecting engagement data
During a paid engagement, workflow and decision data is treated as confidential, access-limited, used for the engagement, and handled with care, with formal confidentiality and data terms set in the engagement agreement. This is the most sensitive category.
Limiting access
Access to information is limited to those who need it to respond to inquiries or deliver engagements, and we keep the number of people with access small, appropriate to an early-stage team.
Infrastructure and hosting
We use selected third-party infrastructure and hosting providers, which maintain their own security practices, and we rely on those providers for underlying infrastructure security. We do not claim those providers’ certifications as our own.
Third-party services
We use third-party services for hosting, payment processing, and communication. Limited information may be processed by them for those purposes, and these providers maintain their own security and privacy practices, consistent with the Privacy Policy.
How we handle data
We collect only what we need, limit access, retain information only as long as reasonably needed, and use fictional data in public materials, consistent with the Privacy Policy retention approach.
Confidentiality
Engagement and workflow information is treated as confidential and used only for the engagement; formal confidentiality terms may be included in the applicable engagement agreement, consistent with the Privacy Policy and Terms of Use. This is distinct from website privacy.
If something goes wrong
We take security reports seriously. We would investigate a suspected incident promptly, take reasonable steps to contain and address it, and notify affected parties as appropriate and as required by law. As an early-stage company, our incident response is appropriate to our size and will mature.
Reporting a security issue
We invite security researchers and users to report suspected vulnerabilities or issues through our security contact below. Please act in good faith and give us reasonable time to respond. We appreciate responsible disclosure. We do not claim a formal bug-bounty program.
Where we are as a company
OpLogica is founder-led and early stage. Our security practices are appropriate to that stage and will mature as we grow, and we choose to describe our real practices rather than claim certifications or programs we do not have. That honesty is the basis for trust. You can inspect related public materials elsewhere, including the published methodology, the sample report on fictional data, and the public Verify Community Edition.
Where our security is heading
As we grow, we expect to take steps such as these. They are directions, not commitments or dates, and they do not exist today.
- Formalizing access controls as the team grows.
- Considering independent assessments when appropriate.
- Pursuing recognized practices or certifications when appropriate.
Security, privacy, and our terms together
This security statement complements the Privacy Policy, which describes what information is collected and how it is used, and is provided alongside the Terms of Use, which govern use of the website. It is informational and not a warranty.
Security questions and reports
For security questions or to report an issue, reach us at security@oplogica.com. For general inquiries, see the Contact page.
Security questions, answered
Do you have SOC 2?
No. We do not claim SOC 2. We are early stage and describe our real practices honestly.
Do you have ISO 27001?
No. We do not claim ISO 27001.
Have you had a third-party security audit?
We do not claim a formal third-party security audit unless it is true and current. We are honest about our stage.
Have you done penetration testing?
We do not claim penetration testing unless it is true and current.
Do you guarantee my data is completely secure?
No. We use reasonable practices, but no system is perfectly secure, and we do not guarantee absolute security.
How do you protect audit request data?
It is used to assess and deliver the audit, handled as private, access-limited, and not shared publicly. Public materials use fictional data only.
How do you protect engagement data?
During an engagement, workflow and decision data is treated as confidential, access-limited, and used for the engagement, with formal terms set in the agreement.
Who has access to my information?
Access is limited to those who need it to respond to inquiries or deliver engagements, and we keep that group small.
What infrastructure do you use?
Reputable third-party infrastructure and hosting providers, which maintain their own security practices. We rely on them for underlying infrastructure security.
Do you hold your providers’ certifications?
No. Our providers maintain their own certifications. We do not claim those as our own.
What third-party services do you use?
Services for hosting, payment processing, and communication, which process limited information for those purposes and maintain their own practices.
How long do you keep my data?
Only as long as reasonably needed for the purpose it was collected, or as required by law, consistent with our Privacy Policy.
Is the website encrypted?
The website is served over encrypted connections and collects limited information.
How would you handle a security incident?
We would investigate promptly, take reasonable steps to contain and address it, and notify affected parties as appropriate and as required by law. Our response is appropriate to our stage and will mature.
How do I report a security issue?
Through the security contact on this page. We appreciate responsible disclosure and ask reporters to act in good faith and give us reasonable time to respond.
Do you have a bug bounty?
We do not claim a formal bug-bounty program unless one exists. We welcome responsible reports through our security contact.
Are you compliant with a specific security framework?
We do not claim compliance with a specific framework unless it is explicitly stated and current. For specific requirements, contact us and consult your own advisors.
Do you guarantee uptime?
No. We do not guarantee uptime or continuous availability.
Are your security practices enterprise-grade?
We do not claim our practices are equivalent to enterprise-certified programs. We describe what we actually do and are honest about our stage.
Can we do a vendor security review?
Yes. This page is designed to support standard vendor review, and you can contact us with specific questions.
Can we put a data processing agreement in place?
Formal data and confidentiality terms can be arranged as part of an engagement, confirmed with counsel.
Do you use my data to train models?
We use your information only for the purposes stated in our Privacy Policy. Any use beyond those purposes would require your awareness and, where applicable, consent.
Is my information shared with other customers?
No. Engagement information is confidential and is not shared, and public materials use fictional data only.
What happens to my data after an engagement?
It is retained only as long as reasonably needed and then deleted or anonymized, consistent with the agreement and our Privacy Policy.
Where can I review public materials?
You can read the published methodology and scoring model, explore the sample report on fictional data, and inspect the public Verify Community Edition.
Will your security improve over time?
Yes. Our security practices will mature as the company grows, and we describe our direction honestly without overpromising.
Who do I contact about security?
Use security@oplogica.com, or the Contact page for general inquiries.
Our commitment to security
OpLogica holds as little as it needs, limits access, treats engagement data as confidential, is honest about being early stage, and welcomes security questions and responsible disclosure. Reach out anytime.