Security Policy
DirectiveOps's approach to securing the hosted service, data, and infrastructure.
Last updated: 2025-01-01
1. Commitment
DirectiveOps implements technical and organizational measures to protect the confidentiality, integrity, and availability of the Service and Customer data. This policy summarizes our approach; specific controls may be detailed in our SOC 2 or other compliance documentation when available.
2. Access control
We follow the principle of least privilege. Access to production systems and Customer data is restricted to authorized personnel and is logged. We use strong authentication (e.g., GitHub OAuth for the Service; MFA for internal access where applicable). Tenant data is logically isolated.
3. Data protection
Data in transit is protected using TLS. Data at rest is encrypted using industry-standard encryption. We do not store payment card data; payment processing is handled by our payment provider in accordance with PCI DSS. Secrets and credentials are managed securely and rotated as appropriate.
4. Operations and monitoring
We monitor the Service for security events and anomalies. We maintain incident response procedures and will notify affected Customers of security incidents affecting their data in accordance with our obligations and the Status and Incident Policy.
5. Vulnerability management
We assess and patch vulnerabilities in a timely manner. We welcome responsible disclosure; see our Vulnerability Disclosure Policy for how to report security issues.
6. Contact
Security inquiries: security@directiveops.dev. See the Contact and Legal Notice document for our address.