What we run, how we run it, and where we are on the road to enterprise certification. We will never claim a badge we have not earned.
all endpoints · HSTS on tryopsticket.com
via Supabase managed Postgres + object storage
enforced on every customer-data table
standard TOTP / passkey · quarterly access reviews
DDoS, WAF, bot management · DB not publicly reachable
critical within 72 hours · high-severity within 7 days
parent firm IT Custom Solution LLC · submitted 2026
pursuing schedule award · no GSA Schedule today
controls map drafting · 2026 H2
scoping · no audit currently in progress
"OpsTicket is operated by IT Custom Solution LLC. We are not currently audited under any AICPA SSAE-18 framework, and we do not represent that an audit is in progress. We will be the first to publish the report when we hold one; we do not yet."
TLS 1.2+ in transit on every endpoint, with HSTS on the marketing domain. AES-256 at rest in our Supabase managed Postgres and in object storage. Customer-managed keys (BYOK / HSM) are not currently offered.
Production access is restricted to a named on-call rotation, authenticated with MFA. The database is not publicly reachable; the application reaches it through Supabase service roles. Quarterly access reviews remove anyone no longer in the rotation.
Every customer-data table in our Supabase Postgres carries an RLS policy that scopes reads and writes to the owning tenant. RLS is enforced by the database itself, not only by the application, so an application-level bug cannot leak data across tenants.
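The tenant-scoping pattern described above, written out as an added example against plain Postgres. This is not OpsTicket's schema or policy text: the table name (tickets), the tenant_id column, the session setting app.tenant_id and the role app_user are all hypothetical, chosen only to show how a policy can bind both reads (USING) and writes (WITH CHECK) to one tenant at the database layer.

```sql
-- Added example, not OpsTicket's code. Hypothetical table and column names.
create table if not exists tickets (
    id         bigserial primary key,
    tenant_id  uuid not null,
    title      text not null
);

-- Enable RLS. FORCE makes the policy apply to the table owner too; without it
-- the owner, and any role with BYPASSRLS, still sees every row.
alter table tickets enable row level security;
alter table tickets force row level security;

-- With RLS on and no policy, the table denies everything. This single policy
-- allows each statement type only for rows belonging to the session's tenant.
-- current_setting(name, true) returns NULL when the setting was never set, so a
-- connection that forgot to set a tenant sees no rows instead of all rows.
create policy tenant_isolation on tickets
    for all
    using      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    with check (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Hypothetical low-privilege role used for customer queries.
create role app_user nologin;
grant select, insert, update, delete on tickets to app_user;
grant usage, select on sequence tickets_id_seq to app_user;

-- Per-request pattern: set the tenant inside a transaction (is_local = true)
-- so the setting cannot leak to the next request on a pooled connection.
set role app_user;
begin;
select set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);

-- Allowed: the row's tenant_id matches the session's tenant.
insert into tickets (tenant_id, title)
    values ('11111111-1111-1111-1111-111111111111', 'printer on floor 3');

-- Rejected by WITH CHECK: an application bug that tags a row with another
-- tenant's id raises "new row violates row-level security policy".
-- insert into tickets (tenant_id, title)
--     values ('22222222-2222-2222-2222-222222222222', 'misrouted row');

-- Only this tenant's rows are visible, whatever WHERE clause the caller sends.
select id, title from tickets;
commit;
reset role;
```

Two caveats a reviewer would check for: roles with BYPASSRLS, and Supabase's service_role key, bypass RLS by design, so any code path that uses such a role must scope queries itself; and on Supabase the policy expression is typically written against the caller's JWT (for example auth.uid()) rather than a session setting, which is the assumption this example makes.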
Production actions, configuration changes, and administrative reads of customer data are logged centrally with timestamps. Sentry captures application errors with stack traces; PostHog captures product events. We retain operational logs on a rolling basis per our retention policy.
Documented runbook. We notify the data controller within 72 hours of confirming any material incident, per the obligations in our DPA. Post-mortems are written for any P0 and shared with affected customers.
Coordinated disclosure policy: email [email protected]. Triage within 2 business days. No legal action against good-faith research. Optional public credit for reporters who consent.
Renovate keeps lock files current. Dependabot scans on every PR. Our 5 product repositories currently report 0 production npm vulnerabilities (enforced via npm overrides for postcss / picomatch).
We use Cloudflare (edge / DDoS / WAF), Railway (compute), Supabase (managed Postgres), Stripe (payments), Anthropic (assessment scoring), SendGrid (transactional email), PostHog (product analytics), Sentry (errors), and Crisp (support chat). Full list with addresses and roles at /subprocessors.
GDPR (EU), UK GDPR, and CCPA / CPRA (California). Standard contractual clauses available for EEA-to-US transfers. FERPA controls apply when we serve educational customers.
72-hour controller notification on confirmed material incidents (per DPA Section 7). Direct line to a security inbox staffed by a human, not a queue.
Coordinated disclosure. 2 business day triage. No legal action against good-faith research. Send detailed reports, including a pen-test summary or architecture-review request, to the security inbox below.