Security Policy

DirectiveOps's approach to securing the hosted service, data, and infrastructure.

Last updated: 2026-03-14

1. Commitment

DirectiveOps implements technical and organizational measures to protect the confidentiality, integrity, and availability of the Service and Customer data. This policy summarizes our approach. Enterprise customers may request our current SOC 2 Type II report or other compliance documentation under NDA where available.

1.1 Certifications and compliance

We pursue and maintain industry certifications as we scale. When available, we undergo annual SOC 2 Type II audits conducted by an independent third party. Our SOC 2 report covers security, availability, and confidentiality controls relevant to the Service. We may also align with frameworks such as ISO 27001 or CIS controls where appropriate. Current certification status and report availability can be requested at security@directiveops.dev. We will provide a summary or executive overview to Enterprise customers under confidentiality where a full report is not yet published.

2. Access control

We follow the principle of least privilege. Access to production systems and Customer data is restricted to authorized personnel and is logged. We use strong authentication (e.g., GitHub OAuth for the Service; MFA for internal access where applicable). Tenant data is logically isolated. Access reviews are conducted periodically, and access is revoked upon role change or offboarding.

3. Data protection

Data in transit is protected using TLS (TLS 1.2 or higher). Data at rest is encrypted using industry-standard encryption (e.g., AES-256). We do not store payment card data; payment processing is handled by our payment provider in accordance with PCI DSS. Secrets and credentials are managed securely, stored in a dedicated secrets manager, and rotated as appropriate. Encryption keys are managed separately from data.

4. Operations and monitoring

We monitor the Service for security events and anomalies using centralized logging and alerting. We maintain incident response procedures and will notify affected Customers of security incidents affecting their data in accordance with our obligations and the Status and Incident Policy. Our target for initial incident assessment is within one (1) hour of detection; we will provide status updates as we contain and remediate. Post-incident reviews are conducted for significant events to improve our controls.

5. Vulnerability management

We assess and patch vulnerabilities in a timely manner. We track dependencies and apply security updates in accordance with risk (e.g., critical and high severity within defined timeframes). We welcome responsible disclosure; see our Vulnerability Disclosure Policy for how to report security issues. We conduct internal security testing and, for Enterprise customers or as part of our roadmap, engage third parties for penetration testing at least annually; findings are remediated in accordance with risk.

6. Contact

Security inquiries: security@directiveops.dev. See the Contact and Legal Notice document for our address.