Security at Operalta
Row-Level Security on every table. Role-Based Access Control on every action. Encryption at every layer. Security is a foundation, not an afterthought.
Row-Level Security (RLS)
Every database query is enforced at the PostgreSQL level. RLS policies guarantee that users can only access data belonging to their company — no application-layer shortcut can bypass it.
- ✓RLS enabled on every table — no exceptions
- ✓Policies enforce company_id scoping on SELECT, INSERT, UPDATE, DELETE
- ✓Even admin tools go through RLS unless explicitly elevated
- ✓Service-client bypass only for background jobs with pre-validated UUIDs
Role-Based Access Control (RBAC)
Granular permissions per role. Each user sees and can do only what their role allows — from read-only observers to full-access founders.
- ✓Roles: founder, advisor, investor, observer — each with distinct permissions
- ✓Write policies use SECURITY DEFINER to prevent RLS recursion
- ✓Role checks enforced at both API and database layers
- ✓Invitation system with role assignment at onboarding
Encryption
All data is encrypted in transit and at rest. Sensitive fields benefit from an additional layer of application-level encryption.
- ✓AES-256 Transparent Data Encryption at rest
- ✓Field-level encryption for sensitive data (pgcrypto)
- ✓Encrypted backups with separate, rotated keys
- ✓HTTPS enforced on all endpoints (TLS 1.2+)
Tenant Isolation
Strict tenant isolation ensures your workspace, integrations, and memory are completely separated from every other customer.
- ✓RLS + RBAC enforced at the database level for every query
- ✓No cross-tenant data access — architecturally impossible
- ✓AI agent context scoped to your company only
- ✓Audit logging for administrative actions
AI Agent Security
AI capabilities are tightly sandboxed. Sensitive operations require explicit human approval before execution.
- ✓Agent actions scoped by RLS — same isolation as user queries
- ✓File access restricted to scoped directories
- ✓SSRF protection with IP validation at connection time
- ✓Shell commands run with minimal environment — no secrets exposed
Privacy & Data Control
Your conversations, files, and business data are never used to train AI models. You control your data completely.
- ✓Your data is never sold or used for third-party model training
- ✓AI providers bound by DPAs — no data retention after processing
- ✓Data export available in JSON/CSV at any time
- ✓Full deletion within 30 days of account closure
Compliance & Certifications
Comprehensive audit of security controls, availability, and confidentiality.
Full compliance with EU data protection regulation. DPAs in place with all sub-processors.
California Consumer Privacy Act compliance for US-based customers.
Database-Level Enforcement
- ✓RLS policies on every table — SELECT, INSERT, UPDATE, DELETE
- ✓RBAC with SECURITY DEFINER functions to prevent policy recursion
- ✓Service-client bypass only after UUID resolution through RLS
- ✓Parameterized queries — SQL injection is structurally impossible
- ✓Zod schema validation on every API route input
- ✓Fail-closed rate limiting on critical routes
Application-Level Security
- ✓Rate limiting on all authentication & API endpoints
- ✓Constant-time OTP comparison to prevent timing attacks
- ✓XSS prevention via React automatic escaping
- ✓CSRF protection with SameSite cookies
- ✓Dependency scanning and automatic security updates
- ✓Security-focused error handling — no sensitive data in responses
Questions about our security?
We're happy to walk through our security architecture, share compliance documentation, or answer specific questions from your security team.
If you believe you have found a security vulnerability, please report it to security@operalta.com. We commit to acknowledging reports within 48 hours.