Hosting & infrastructure
OpSyn runs on Microsoft Azure with infrastructure-as-code, automated deployment, and isolated tenants. UK South is the default region; EU residency is available on request.
Hosting
Azure Container Apps in UK South, with horizontally-scalable instances behind a managed ingress.
- Azure Container Apps
- Bicep infrastructure-as-code
- UK South default; EU on request
- Per-tenant data isolation
Database
PostgreSQL on Azure Flexible Server with automated backups, point-in-time recovery, and encryption at rest.
- Azure PostgreSQL Flexible Server
- Encryption at rest (Azure-managed keys)
- Daily backups, 7-day PITR
- Read-only credentials for reporting
Network
TLS terminates at the managed ingress; internal traffic is private. Public endpoints are rate-limited.
- TLS 1.2+ enforced
- Custom domain with managed certs
- Rate-limited login & API
- Webhook signing on outbound events
Authentication & access control
Sign-in is session-based with TOTP 2FA. Authorisation is fine-grained: every permission resolves on action, access scope, and entity — not just role membership.
Authentication
HTTP-only session cookies, TOTP 2FA via authenticator apps, email verification on signup, and rate-limited login.
- TOTP 2FA (RFC 6238)
- Email verification
- Password length 12+ with complexity
- Login throttling & lockout
Authorisation (RBAC)
Two tiers — global and organisation — with feature flags per user per org. Permissions resolve as action × access × entity.
- Global & organisation roles
- Action × access × entity
- Per-module feature flags
- Viewer / contributor / admin presets
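As an illustration of the action × access × entity model described above, the following added example (not OpSyn's own code) resolves a permission across a global and an organisation tier with a per-user, per-org module flag. The scope names `own`/`org`/`all`, the class and field names, and the sample preset are assumptions made for the example.

```python
from dataclasses import dataclass, field

SCOPE_RANK = {"own": 1, "org": 2, "all": 3}  # assumed access scopes, narrow to wide

@dataclass(frozen=True)
class Grant:
    action: str  # "read", "update", "export", ...
    entity: str  # "report", "user", ...
    access: str  # widest scope this grant covers

@dataclass(frozen=True)
class Resource:
    entity: str
    org_id: str
    owner_id: str
    module: str  # feature module the entity belongs to

@dataclass
class Membership:
    grants: frozenset   # organisation-tier grants
    modules: frozenset  # per-user, per-org feature flags that are switched on

@dataclass
class User:
    id: str
    global_grants: frozenset = frozenset()
    orgs: dict = field(default_factory=dict)  # org_id -> Membership

def covers(grants, action, entity, needed):
    # A grant matches only if all three dimensions line up.
    return any(g.action == action and g.entity == entity
               and SCOPE_RANK[g.access] >= SCOPE_RANK[needed] for g in grants)

def is_allowed(user, action, res):
    # Global tier: only a grant with "all" access reaches across organisations.
    if covers(user.global_grants, action, res.entity, "all"):
        return True
    member = user.orgs.get(res.org_id)
    if member is None or res.module not in member.modules:
        return False  # deny: not a member, or module disabled for this user
    needed = "own" if res.owner_id == user.id else "org"
    return covers(member.grants, action, res.entity, needed)

# Constructed sample data: a contributor-style preset in organisation "acme".
CONTRIBUTOR = frozenset({Grant("read", "report", "org"),
                         Grant("update", "report", "own")})
alice = User("alice", orgs={"acme": Membership(CONTRIBUTOR, frozenset({"reports"}))})
mine = Resource("report", "acme", "alice", "reports")
theirs = Resource("report", "acme", "bob", "reports")
other_org = Resource("report", "globex", "carol", "reports")
```

Here the same role preset lets `alice` read any report in her organisation but update only her own, and gives her nothing in another tenant, which is the difference between this model and a check on role membership alone.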
Sessions
Sessions are server-side and revocable. Customer admins can terminate any session from the user admin screen.
- Server-side session store
- Revoke from admin UI
- Idle and absolute timeout
- IP and device fingerprint logged
Audit, monitoring & response
Every write is logged. Every error is observed. Every incident is communicated to affected tenants on a defined timeline.
Audit logging
Each write is traced to a user, timestamp, IP, and previous-state diff. Audit records are immutable for the tenant retention period.
- User & timestamp on every write
- Previous-state diff captured
- IP and session ID logged
- Exportable per organisation
Application monitoring
Sentry for error monitoring; Azure Application Insights for performance, availability, and dependency health.
- Sentry error monitoring
- Azure Application Insights
- Synthetic uptime checks
- Alerting to on-call rotation
Incident response
An on-call rotation, a defined severity ladder, and 72-hour customer notification for confirmed personal-data incidents.
- Defined SEV ladder
- On-call rotation
- Customer comms within 72h (Art. 33)
- Post-incident review on every SEV-1
Vulnerability management & compliance
We patch quickly, review regularly, and welcome reports from the security community.
Dependency hygiene
Automated dependency scanning with same-day patching of critical advisories. Production builds are reproducible from a pinned manifest.
- Dependabot / Renovate
- Same-day critical patching
- Reproducible production builds
- Image SBOMs available on request
Reviews & testing
Code review on every change, dedicated security review on changes touching auth or data export, and an annual third-party penetration test.
- Mandatory code review
- Auth-path security review
- Annual external pen test
- Static analysis in CI
Compliance posture
GDPR-compliant by design. SOC 2-aligned controls are in place; formal certification is on the roadmap. ISO 27001 is under evaluation.
- GDPR-compliant (see /gdpr)
- SOC 2-aligned controls
- Records of processing activities
- DPA available on request
Reporting a vulnerability
We welcome responsible-disclosure reports from security researchers and customers alike. Email us with reproduction steps and we'll acknowledge within one business day, with a triage decision within five.
We do not run a paid bounty programme today, but we credit reporters in release notes where they are happy to be named.