Enterprise-grade security.
Zero compromises.
Your pipeline data, your customer records, your personal goals — all of it deserves the highest standard of protection. Here is exactly how we deliver that.
Encryption at rest and in transit
All data stored within DecisionOps is encrypted at rest using AES-256 — the same standard used by financial institutions and government agencies. Data in transit is protected using TLS 1.3, ensuring that all communications between your browser, our application, and our infrastructure are fully encrypted.
Encryption keys are managed using a dedicated key management service, with keys rotated regularly and never exposed to application-layer code.
Comprehensive audit trail
Every action taken within DecisionOps is logged with a full audit trail — including automated actions taken by VEKTOR and SENTINEL. Audit logs capture the user or system that performed the action, the timestamp, the affected record, and the change made.
Audit logs are immutable and retained for a minimum of 12 months. On Control plan accounts, logs can be exported to your own SIEM or data warehouse for compliance reporting.
SOC 2 readiness
DecisionOps is on an active SOC 2 Type II readiness programme. Our security controls map to the AICPA Trust Services Criteria, covering security, availability, and confidentiality. We expect to achieve SOC 2 Type II certification within our next audit cycle.
Enterprise customers can request our current security posture documentation, including our security questionnaire responses and control mapping evidence, under NDA.
UK data residency
All customer data is stored on UK-based infrastructure. We do not transfer personal data outside of the UK or EEA without appropriate safeguards in place. Our primary infrastructure runs in the eu-west-2 (London) AWS region.
Sub-processors who handle personal data are listed in our Data Policy and are bound by data processing agreements that ensure equivalent protections. All sub-processors are either UK/EEA-based or operate under the UK IDTA (International Data Transfer Agreement) where applicable.
GDPR compliance
DecisionOps is designed with GDPR compliance at its core, not as an afterthought. We maintain a full Record of Processing Activities (ROPA), appoint a Data Protection Officer contact, and process personal data only on lawful bases.
Users have the right to access, rectify, erase, restrict processing, and export their personal data. Requests can be submitted via email to ops@decisionopshq.com or through the account settings panel. We respond to all data subject requests within 30 days, in line with UK GDPR obligations.
Role-based access control
Access to data within DecisionOps is controlled through a granular role-based access control (RBAC) system. Administrators can assign roles at the account, team, and record level — ensuring that each user sees only the data they need to do their job.
All access is governed by the principle of least privilege. Sensitive configuration changes — such as modifying SENTINEL rules or exporting customer data — require elevated permissions that must be explicitly granted by an administrator.
Security questions or concerns?
If you have questions about our security practices, want to report a vulnerability, or need our security documentation for compliance purposes, please get in touch.