Security at Operative
We protect your data with the same rigor we'd want for our own. SOC 2 certified, regularly audited, and built with security-first principles.
SOC 2 Type II
Annual audit of security, availability, and confidentiality controls
Last audit: November 2025
Auditor: Deloitte
ISO 27001
Information security management system certification
Last audit: October 2025
Auditor: BSI
GDPR Compliant
European data protection regulation compliance
Last audit: Ongoing
Auditor: Internal + DPO
HIPAA Eligible
BAA available for healthcare customers
Last audit: August 2025
Auditor: Coalfire
Security Practices
Security isn't a feature we added on top—it's foundational to how we build and operate.
Encryption
All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Database encryption keys are managed through AWS KMS with automatic rotation.
Infrastructure
Hosted on AWS with multi-region redundancy. VPC isolation, private subnets, and WAF protection. 99.99% uptime SLA for enterprise customers.
Access Control
Role-based access control (RBAC) with principle of least privilege. SSO integration with SAML 2.0 and OIDC. Mandatory MFA for all employees.
Monitoring
24/7 security monitoring with automated threat detection. Comprehensive audit logging with 1-year retention. Real-time alerting for anomalies.
Personnel
Background checks for all employees. Annual security training and phishing simulations. Strict NDA and confidentiality agreements.
Vendor Management
Rigorous third-party security assessments. All vendors must meet SOC 2 or equivalent standards. Annual vendor security reviews.
How We Handle Your Data
We take a minimalist approach to data collection—we only collect what's necessary to provide our services. Here's exactly what happens with different types of data:
Agent Conversation Data
- Encrypted at rest and in transit
- Retained for 12 months by default (configurable)
- Never used to train AI models
- Deletable on request within 30 days
Model Provider Data
- We use enterprise API agreements with OpenAI, Anthropic, etc.
- Your data is never used for model training
- Zero data retention by model providers
- Prompts are not logged by providers
Customer PII
- PII detection and automatic redaction available
- Field-level encryption for sensitive data
- Tokenization for payment and identity data
- DPA available for enterprise customers
Penetration Testing
We conduct regular third-party penetration tests and share results with customers. All findings are remediated within 30 days (critical) or 90 days (other).
- Full application and infrastructure: 3 medium, 7 low, all remediated
- API and authentication systems: 1 medium, 4 low, all remediated
- Full application and infrastructure: 2 medium, 5 low, all remediated
Full penetration test reports available under NDA for enterprise customers.
Incident Response
We have a documented incident response plan and dedicated security team.
- Initial response time
- Customer notification SLA
- Security team coverage
- Data breaches to date
Security Contact: For security concerns or to report vulnerabilities, contact security@operative.ai
Bug Bounty: We maintain a private bug bounty program. Responsible disclosure is rewarded with bounties up to $10,000.
Security Documentation
Request access to our detailed security documentation for your compliance reviews.
SOC 2 Type II Report
Security Whitepaper
Penetration Test Summary
Data Processing Agreement
Questions about security?
Our security team is happy to discuss our practices, complete security questionnaires, or schedule a call to address your specific requirements.