Security

Security policies and practices

Updated 2026-02-24

Security Policy

🔒 Our Commitment to Security

At OpsCurb, security is our top priority. We understand that you're trusting us with access to your AWS infrastructure, and we take that responsibility seriously.

Security Principles

1. Read-Only Access

  • OpsCurb never modifies your AWS resources
  • All IAM permissions are strictly read-only
  • We only analyze and report - you maintain full control

2. Zero Data Access

  • We cannot read your S3 object contents
  • We cannot access your database data
  • We only read metadata and configuration

3. Cross-Account Security

  • External ID protection against confused deputy attacks
  • Least privilege IAM roles
  • Time-limited session tokens

4. Data Encryption

  • All data encrypted at rest using AES-256
  • All data encrypted in transit using TLS 1.3
  • Database encryption via Supabase (PostgreSQL with encryption)
  • AWS credentials never stored - only IAM role ARNs

What We Access

✅ What We CAN Access

  • EC2 instance metadata (IDs, types, states)
  • EBS volume information (size, attachment status)
  • RDS instance configurations (not database contents)
  • S3 bucket metadata (names, lifecycle policies - not objects)
  • CloudWatch metrics (aggregated data only)
  • Cost Explorer data (billing information)
  • Resource tags and configurations

❌ What We CANNOT Access

  • S3 object contents
  • RDS/Database data
  • EC2 instance data or logs
  • Secrets Manager secrets
  • Parameter Store values
  • Any application data

IAM Permissions

Our IAM role requires only these read-only permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "rds:Describe*",
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "s3:GetLifecycleConfiguration",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "ce:GetCostAndUsage",
        "ecr:Describe*",
        "logs:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

See terraform/main.tf for the complete policy.

Data Handling

Data Storage

  • Scan Results: Stored in our secure Supabase database (PostgreSQL)
  • Retention: 90 days for free tier, 1 year for paid tiers
  • Location: US-East (configurable for enterprise)
  • Backups: Daily encrypted backups with 30-day retention

Data Sharing

  • We never sell your data
  • We never share data with third parties
  • Aggregated, anonymized metrics may be used for product improvement
  • You can request data deletion at any time

Data Access

  • Only you can access your scan results
  • Row-Level Security (RLS) enforced at database level
  • Multi-factor authentication required for admin access
  • Audit logs for all data access

Infrastructure Security

Application Security

  • Hosting: Railway.app (SOC 2 Type II certified)
  • Database: Supabase (ISO 27001, SOC 2 Type II)
  • Frontend: Vercel (SOC 2 Type II)
  • Monitoring: CloudWatch, Sentry

Network Security

  • All traffic over HTTPS/TLS 1.3
  • API rate limiting and DDoS protection
  • Web Application Firewall (WAF)
  • Regular security scanning

Authentication

  • Supabase Auth with JWT tokens
  • Password hashing with bcrypt
  • Session management with secure cookies
  • Optional SSO/SAML for enterprise

Compliance

Current Certifications

  • ✅ AWS Well-Architected Framework
  • ✅ GDPR Compliant
  • ✅ CCPA Compliant
  • 🔄 SOC 2 Type II (in progress)

Standards We Follow

  • OWASP Top 10
  • CIS AWS Foundations Benchmark
  • NIST Cybersecurity Framework

Vulnerability Reporting

Responsible Disclosure

If you discover a security vulnerability, please report it to us responsibly:

Email: security@opscurb.com (replace with your actual email)

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Your contact information (optional)

Our Commitment

  • We'll acknowledge your report within 24 hours
  • We'll provide a detailed response within 72 hours
  • We'll keep you updated on our progress
  • We'll credit you in our security acknowledgments (if desired)

Bug Bounty

  • We currently don't have a formal bug bounty program
  • We appreciate responsible disclosure and may offer rewards on a case-by-case basis

Security Best Practices for Customers

1. Use External ID

Always use a unique External ID when creating the IAM role:

python generate_external_id.py

2. Rotate External IDs Regularly

We recommend rotating External IDs every 90 days for enhanced security.

3. Monitor IAM Role Usage

Use AWS CloudTrail to monitor when the OpsCurb role is assumed in your account.

4. Use Least Privilege

Only grant the permissions specified in our Terraform template - no more.

5. Enable MFA

Enable multi-factor authentication on your OpsCurb account.
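As an added example (not OpsCurb's code and not the generate_external_id.py script above), here is what the cross-account principles and customer practices above look like in practice: a role trust policy that admits the scanner account only when it presents the agreed External ID, a check that the policy really carries that condition, and a pass over CloudTrail AssumeRole records that flags attempts from the wrong account or without the ID. The account IDs, role ARN and sample events are constructed placeholders.

```python
# Placeholder values (constructed): substitute the scanner's account id and your role ARN.
OPSCURB_ACCOUNT_ID = "111111111111"
CUSTOMER_ROLE_ARN = "arn:aws:iam::222222222222:role/OpsCurbReadOnly"


def build_trust_policy(external_id: str) -> dict:
    """Trust policy: the scanner account may assume the role only with the agreed
    sts:ExternalId, so a third party who knows the role ARN cannot use the scanner
    as a confused deputy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{OPSCURB_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_requires_external_id(policy: dict) -> bool:
    """True only if the policy has statements and every one of them carries an
    sts:ExternalId condition (an empty policy is not considered safe)."""
    stmts = policy.get("Statement", [])
    return bool(stmts) and all(
        "sts:ExternalId" in s.get("Condition", {}).get("StringEquals", {}) for s in stmts)


def flag_assume_role_events(events: list, expected_external_id: str) -> list:
    """Return eventIDs of AssumeRole attempts on our role from an unexpected account
    or with a missing/wrong External ID. Denied attempts are logged too (with an
    errorCode), and those are exactly the ones worth seeing."""
    flagged = []
    for ev in events:
        params = ev.get("requestParameters", {})
        if ev.get("eventName") != "AssumeRole" or params.get("roleArn") != CUSTOMER_ROLE_ARN:
            continue
        caller = ev.get("userIdentity", {}).get("accountId")
        if caller != OPSCURB_ACCOUNT_ID or params.get("externalId") != expected_external_id:
            flagged.append(ev["eventID"])
    return flagged


# Constructed sample CloudTrail records, trimmed to the fields used above.
SAMPLE_EVENTS = [
    {"eventID": "ok", "eventName": "AssumeRole", "userIdentity": {"accountId": "111111111111"},
     "requestParameters": {"roleArn": CUSTOMER_ROLE_ARN, "externalId": "agreed-id"}},
    {"eventID": "wrong-account", "eventName": "AssumeRole", "userIdentity": {"accountId": "333333333333"},
     "requestParameters": {"roleArn": CUSTOMER_ROLE_ARN, "externalId": "agreed-id"}},
    {"eventID": "no-external-id", "eventName": "AssumeRole", "userIdentity": {"accountId": "111111111111"},
     "requestParameters": {"roleArn": CUSTOMER_ROLE_ARN}, "errorCode": "AccessDenied"},
]
```

Running `flag_assume_role_events(SAMPLE_EVENTS, "agreed-id")` returns the two suspicious event IDs; feed it the AssumeRole records exported from your CloudTrail trail to get the same report for real traffic.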

Incident Response

Our Process

  1. Detection: Automated monitoring and alerting
  2. Assessment: Security team evaluates severity
  3. Containment: Immediate action to limit impact
  4. Notification: Affected customers notified within 24 hours
  5. Resolution: Root cause analysis and fix
  6. Post-Mortem: Public incident report (if applicable)

Customer Notification

  • Email notification to account owner
  • In-app notification
  • Status page update (status.opscurb.com)

Security Updates

We regularly update our security practices and will notify you of:

  • Critical security patches
  • Changes to data handling
  • New compliance certifications
  • Security incidents (if applicable)

Questions?

If you have security questions or concerns:


Last Updated: 2026-02-24
Version: 1.0