
Security & Data Protection

Your data security isn't just a feature; it's a fundamental design principle of OpsChaos Scanner.

🛡️ Data Non-Disclosure Guarantee

We guarantee that your operational data will never be disclosed, sold, shared, or used for any purpose beyond generating your chaos report.

  • ✓ Your data is NEVER sold to third parties, under any circumstances.
  • ✓ Your data is NEVER shared with other customers, partners, or affiliates.
  • ✓ Your data is NEVER used for marketing, advertising, or profiling.
  • ✓ Your data is NEVER used to train AI/ML models.
  • ✓ Your data is NEVER retained beyond the 72-hour auto-deletion window.
  • ✓ Each scan session is completely isolated: no data crosses session boundaries.

Encryption Architecture

  • AES-256-GCM application-level encryption: OAuth tokens and PKCE verifiers are encrypted before storage.
  • TLS 1.3 in transit: all data transmitted between your browser, our servers, and third-party APIs is encrypted.
  • PKCE (Proof Key for Code Exchange): OAuth authorization codes are protected against interception attacks.
  • Encryption keys are environment-specific and never committed to source control.

Access Control

  • Read-only OAuth scopes exclusively: we can never modify, delete, or send data in your tools.
  • Minimum-privilege principle: we request only the exact permissions needed for analysis.
  • No admin access required: individual user-level OAuth grants are sufficient.
  • You control which tools to connect: skip any tool you're not comfortable sharing.

Token Lifecycle

  • OAuth tokens are generated when you approve access to each tool.
  • Tokens are immediately encrypted with AES-256-GCM and stored in the database.
  • During analysis, tokens are decrypted in-memory only for the duration of API calls.
  • Immediately after analysis completes, all tokens are permanently wiped from the database.
  • We never store refresh tokens: one-time access only, no persistent access to your accounts.
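
The lifecycle above, sketched as an added example that is not OpsChaos Scanner's own code. The function names, the Map standing in for the database, the session-id binding through AAD, and the IV + tag + ciphertext layout are all assumptions made for illustration.

```javascript
// Added illustration, not OpsChaos Scanner code. Names and layout are assumptions.
const crypto = require('node:crypto');

const KEY_BYTES = 32; // AES-256
const IV_BYTES = 12;  // 96-bit nonce, the size GCM is designed around
const TAG_BYTES = 16; // full-length authentication tag

// Encrypt a token for storage. The session id is bound in as AAD, so a
// ciphertext copied into another session's row fails authentication.
function sealToken(key, sessionId, token) {
  if (key.length !== KEY_BYTES) throw new Error('key must be 32 bytes');
  const iv = crypto.randomBytes(IV_BYTES); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(sessionId, 'utf8'));
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt and authenticate. Throws if key, session id, or any byte is wrong.
function openToken(key, sessionId, sealed) {
  const raw = Buffer.from(sealed, 'base64');
  if (raw.length < IV_BYTES + TAG_BYTES) throw new Error('sealed token too short');
  const iv = raw.subarray(0, IV_BYTES);
  const tag = raw.subarray(IV_BYTES, IV_BYTES + TAG_BYTES);
  const ct = raw.subarray(IV_BYTES + TAG_BYTES);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_BYTES });
  decipher.setAAD(Buffer.from(sessionId, 'utf8'));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

// Hold the plaintext only while one synchronous API call runs, then zero the
// buffer. Strings made from it cannot be zeroed, so fn should avoid copies.
function withToken(key, sessionId, sealed, fn) {
  const plain = openToken(key, sessionId, sealed);
  try {
    return fn(plain);
  } finally {
    plain.fill(0);
  }
}

// Post-analysis wipe: drop the stored ciphertext for the session.
function wipeSession(store, sessionId) {
  return store.delete(sessionId);
}
```

Because the nonce is random per call, sealing the same token twice yields different ciphertexts, and a stored value only opens under the session id it was sealed for.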

Data Lifecycle

  • Session created → 72-hour countdown begins.
  • Analysis runs → only aggregated counts are stored (never raw content).
  • Tokens wiped → immediately after analysis (0 persistence window).
  • Report available → viewable until 72-hour expiration.
  • Auto-deletion → background process purges all session data at 72 hours.
  • Manual deletion → "Delete My Data" button for instant, irrecoverable removal at any time.

LLM Data Handling

  • Aggregated metrics (counts, ratios, durations) are sent to the OpenAI API for analysis using the configured model.
  • No raw content (emails, messages, files) is ever sent to the LLM.
  • OpenAI does not use API data for model training (per their API data usage policy).
  • LLM responses are not cached or reused across sessions.

Infrastructure Security

  • Application hosted on Railway with automated deployments.
  • PostgreSQL database with encrypted connections (SSL required).
  • No public database access: database is only accessible from the application server.
  • Environment variables for all secrets (API keys, encryption keys, OAuth credentials).
  • Security headers: X-Frame-Options DENY, X-Content-Type-Options nosniff, strict Referrer-Policy.

Compliance Posture

  • GDPR-aligned data practices: consent-based processing, right to deletion, data minimization.
  • No PII stored: only aggregated operational metrics.
  • Data processing agreement available upon request for enterprise customers.
  • Regular security reviews and dependency audits.

Security Questions?

For security-related inquiries or to report a vulnerability, contact security@opschaos.com.