Skip to main content
// security · evidence before claim

Current, bounded posture.

This page avoids controls, coverage, timelines, and guarantees that have not been independently verified from the deployed system.

Transport

Production traffic uses HTTPS. Exact protocol, cipher, and certificate posture should be verified from the live endpoint before procurement reliance.

Application access

Authenticated routes enforce application authorization. No claim is made that every database table has an identical policy or that application bugs cannot expose data.

Hosting

OpsTicket uses Cloudflare, Railway, Supabase, Stripe, SendGrid, PostHog, Sentry, and Google or GitHub sign-in where configured. See the subprocessor page for the current functional list.

Certificates

Verification relies on an active server-issued record and SHA-256 evidence hash. No external chain, public registry, or separate signing system is claimed.

Response commitments

No public patch, incident, disclosure, recovery, or notification deadline applies unless an executed agreement or law requires it.

Assurance

OpsTicket does not represent an external security audit, certification, or service-organization attestation as complete or in progress.