Enterprise Privacy & Data Policy
At OptimaOS, we recognize that our enterprise clients entrust us with sensitive site, vendor, visitor, and operational data. This policy details our commitment to data privacy, logical isolation, and cryptographic security across OCI infrastructure and application layouts.
1. Client Data Isolation & Multi-Tenancy
All client data is strictly segregated. We enforce strict logical partition controls:
- PostgreSQL Row-Level Security (RLS): Every database table containing tenant operational data is protected by native RLS policies. Queries are filtered at the connection level by your enterprise scope, eliminating any risk of cross-tenant exposure.
- Database Logical Scope: No shared memory or query contexts span across different clients.
2. Cryptographic Protection & Encryption
We deploy standard encryption frameworks at every layer of the infrastructure:
- Host Storage Protection (OCI KMS): Host volumes and databases run on Oracle Cloud Infrastructure (OCI) encrypted storage. Volume encryption keys are managed through HSM-backed OCI KMS Vaults, safeguarding storage at rest.
- Application-Layer Envelope Encryption: Sensitive client profiles, single sign-on secrets, and visitor metadata are encrypted using AES-256-GCM in the application layer before being saved to storage.
- Location-Isolated Cryptography: High-security facilities can provision independent, wrapped keys. Data collected within these locations is cryptographically isolated from the parent enterprise key.
- Transit Encryption: All public endpoints enforce TLS 1.3 transit encryption (HTTPS/WSS) with Strict Transport Security (HSTS) and SameSite session cookie protection.
3. Vetted Open-Source Core
OptimaOS is built on a fully transparent, open-source platform stack (Linux, Node.js, and PostgreSQL). Running on open-source foundations ensures that our security mechanisms are peer-reviewed, free of hidden backdoors, and easily auditable by your security teams.
4. Key Rotation & Lifecycle Management
Enterprise administrators can rotate encryption keys in-place through our administration console. Rotating a key generates a new version, deactivates older versions for write operations, and dynamically migrates historical database rows with zero downtime.