1. Overview
ProdOps HQ is a developer productivity platform that helps engineering teams track performance metrics and health scores. Because we integrate with source code repositories, HR systems, and other sensitive data sources, security is foundational to how we build and operate our platform.
This page describes the measures we take to protect your data. For details on what data we collect and how we use it, see our Privacy Policy.
2. Infrastructure & Hosting
ProdOps HQ is hosted on industry-standard cloud infrastructure with the following protections:
- Encrypted databases: All data at rest is stored in databases encrypted with AES-256.
- Network isolation: Production systems run in private network segments with strict firewall rules and no direct public access to databases or internal services.
- Backup & recovery: Automated backups run on a regular schedule, and disaster recovery procedures are maintained to minimise data loss and restore service continuity.
- Environment separation: Development, staging, and production environments are fully isolated.
3. Data Encryption
- In transit: All data transmitted between your browser and ProdOps HQ is encrypted via TLS (HTTPS). API communications with third-party integrations also use TLS.
- At rest: Sensitive credentials, integration tokens, and API keys are encrypted at rest using industry-standard encryption. Database storage is encrypted at the volume level.
4. Authentication & Access Control
ProdOps HQ employs multiple layers of authentication and authorization:
- Session-based authentication: User sessions are managed via secure, encrypted cookies with expiration controls and CSRF protection. All session data is transmitted over HTTPS only.
- Role-based access control: Users are assigned roles within workspaces that determine their level of access to data and features.
- Policy-based authorization: Every API request is authorized against fine-grained policies that verify the user has permission to access the requested resource.
- Principle of least privilege: Internal systems and integrations are granted only the minimum permissions required to function.
5. Data Isolation
ProdOps HQ is a multi-tenant platform with strict workspace isolation:
- Workspace-scoped data: All queries are scoped to the authenticated user's workspace. There is no mechanism for one workspace to access another workspace's data.
- Membership-based access: Users access workspaces exclusively through their memberships. Workspace context is derived from the authenticated membership, not user-supplied parameters.
- Isolation by design: Data isolation is enforced at the application layer across every API endpoint, not just at the database level.
6. Source Code Handling
We understand that source code is among the most sensitive assets an engineering team has. ProdOps HQ handles code content with care:
- Transient processing only: When we access source code from connected repositories, it is processed in memory to generate fingerprints and classify development activity. Code content is not permanently stored.
- No code retention: After processing, code content is discarded. We store only derived metadata such as commit counts, classification labels, and activity metrics.
- Minimal scope: We request only the repository permissions necessary to collect the activity data that powers your metrics.
7. AI & Automated Processing
ProdOps HQ uses AI-based techniques to classify development activity and improve metric accuracy:
- Transient data processing: Data sent to AI providers is used solely for classification. Providers may retain data for a limited period for safety monitoring, after which it is deleted. We remove uploaded files from provider systems promptly after processing is complete.
- No model training: Under our providers' current API terms, your data is not used to train their AI models.
- Minimal data sent: Only commit metadata (such as commit messages, file names, and line counts) is sent for classification. Source code content is never transmitted to AI providers.
- Confidentiality: All data sent to processing providers is governed by their API terms of service, which include confidentiality and data protection provisions.
For details on which providers process data on our behalf, see our Sub-Processors page.
8. Third-Party Integrations
ProdOps HQ connects to third-party services via their official APIs using industry-standard OAuth flows:
- OAuth-based authorization: Integrations use OAuth tokens with scoped permissions rather than broad-access credentials.
- Revocable at any time: You can disconnect any integration from your ProdOps HQ workspace or directly from the connected platform's settings.
- Credential security: Integration tokens are encrypted at rest and are never exposed in logs or API responses.
For a complete list of third-party sub-processors, see our Sub-Processors page.
9. Application Security
- Input validation: All user input is validated and sanitized to prevent injection attacks such as SQL injection and XSS, along with other OWASP Top 10 vulnerabilities.
- Dependency management: We regularly update dependencies and monitor for known security vulnerabilities in third-party libraries.
- Secure development practices: Code changes go through peer review before deployment. Security considerations are part of our development workflow.
10. Data Retention & Deletion
- Active accounts: Data is retained for as long as your account is active and your workspace exists.
- Integration disconnection: When you disconnect a third-party integration, connection credentials are revoked. Previously collected activity data remains in your workspace to preserve your metrics history.
- Account deletion: If you delete your account, all associated data is permanently removed within 30 days.
11. Incident Response
In the event of a security incident that affects your data:
- We will notify affected customers without undue delay, providing details of the incident, its scope, and the steps we are taking to resolve it.
- We conduct post-incident reviews to identify root causes and implement measures to prevent recurrence.
12. Reporting Security Concerns
If you discover a security vulnerability or have concerns about the security of ProdOps HQ, please contact us at:
We take all security reports seriously and will respond promptly.