Enterprise security. Not bolted on — built in.

Security and compliance are enforced at every layer, from the data store to the API edge. Here's exactly how your data is protected.

SOC 2-compliant architecture · GDPR compliant · HIPAA-ready

Security architecture

Defense in depth, by default

Every control below is implemented in the platform today — not on a roadmap.

Tenant-isolated data store: Scoped queries — no cross-tenant access is possible
SSRF guard: Blocks internal IPs, metadata servers & private networks
Compliance gate on every entity: Checked before storage — entities and document chunks alike
8-level role-based access: Owner, Admin, Manager, Builder, Developer, Knowledge, Compliance, Analyst
Immutable audit trail: Append-only, never deletable — export-ready for review
Rate limiting on all endpoints: Across the entire 115+ endpoint API surface
Bearer-token authentication: Identity enforced on every request
PII detection & auto-blocking: Sensitive data caught and redacted automatically

Data handling

Your data stays yours

Enterprise customers can run Operanix entirely inside their own perimeter — data and model traffic never leave.

Private VPC & on-prem

Deploy in your own cloud or data center on the Enterprise plan.

PII redacted at the source

Sensitive data is stripped before anything is persisted.

Compliance export

Generate regulator-ready evidence from the immutable audit log on demand.

Role-based access · 8 levels
Owner: full control · billing · tenancy (ALL)
Admin: manage users, agents & policies (HIGH)
Manager: approve actions · view analytics (MED)
Builder: configure & deploy agents (MED)
Developer: API & webhook access (MED)
Knowledge: manage corpus & review (SCOPED)
Compliance: audit, approvals & export (SCOPED)
Analyst: read-only dashboards (READ)

Security FAQ

What security teams ask first

Operanix is built on a SOC 2-compliant architecture — tenant isolation, immutable audit logging, RBAC and rate limiting are all in place. Formal SOC 2 Type II certification is on our roadmap; we're happy to walk your team through our controls under NDA.
In a tenant-isolated data store with scoped queries. Enterprise customers can deploy in their own private VPC or on-prem so data never leaves their environment.
Every knowledge entity and document chunk passes a compliance gate before storage, PII is detected and auto-blocked, and a post-flight compliance check runs on every agent output before it can be sent.
Yes. The audit trail is append-only and never deletable, capturing every action, approval and decision. Compliance export generates regulator-ready evidence on demand.

Bring your security team

We'll walk through our architecture, controls and deployment options in detail.