ops0 is built for teams that manage production infrastructure. This page covers how we protect your data, credentials, and access.
ops0 never stores long-lived cloud credentials.
| Provider | Method | What ops0 holds |
|---|---|---|
| AWS | IAM Role with cross-account trust | Role ARN only — no access keys |
| GCP | Workload Identity Federation | Service account email + pool config — no key files |
| Azure | Service Principal with federated credentials | Client ID + tenant ID — no client secrets |
| Oracle Cloud | API Key | API key fingerprint + private key (encrypted at rest) |
When ops0 runs a plan or apply, it assumes the IAM role or exchanges an OIDC token — credentials exist only for the duration of the operation and are never written to disk or logs.
For AWS, GCP, and Azure, ops0 uses short-lived token exchange. You cannot accidentally leak access keys because ops0 does not store them.
All communication between your browser, the ops0 platform, and your cloud providers uses TLS 1.3. Internal service-to-service traffic is also encrypted in transit.
| Data | Encryption |
|---|---|
| Database (PostgreSQL) | AES-256 |
| Terraform state files | AES-256 with provider-managed keys |
| Secrets stored in ops0 | AES-256, envelope-encrypted with a per-org key |
| Audit logs | AES-256 |
| Oracle Cloud API keys | AES-256 |
ops0 stores Terraform state in the backend you configure (S3, Azure Blob, GCS). State files never transit through ops0 servers — the IaC runner reads and writes directly to your configured bucket using the assumed role.
The ops0 agent deployed into your cluster uses outbound-only WebSocket connections to the ops0 control plane. No inbound ports are opened on your cluster. The agent:
Terraform plan and apply runs execute inside ops0's isolated execution environment:
ops0 uses fine-grained access control via OpenFGA (an open-source authorization engine). Every action — viewing a project, triggering a deployment, reading a secret — is an explicit permission check.
| Role | What they can do |
|---|---|
| Owner | Full access including billing and organization settings |
| Admin | Manage users, integrations, and all projects |
| Developer | Create and deploy projects; cannot manage org settings |
| Viewer | Read-only access to projects and deployments |
Custom roles are available on Enterprise plans.
API keys are scoped to an organization and can be restricted to specific operations. Keys are:
Every action in ops0 is logged:
| Event category | Examples |
|---|---|
| Authentication | Login, logout, SSO, failed attempts |
| Infrastructure | Plan triggered, apply completed, destroy initiated |
| Access changes | User invited, role changed, SSO configured |
| Credentials | Integration added, integration removed, secret accessed |
| Admin actions | Organization settings changed, billing updated |
Audit logs include: timestamp, actor (user ID + email), IP address, action, resource affected, and outcome.
Logs are retained for 90 days on standard plans and 1 year on Enterprise plans. Logs can be exported or streamed to your SIEM via the Alerts integration.
Secrets stored in ops0 (Settings → Sensitive Data) are:
Terraform state files can contain resource attribute values, including generated passwords and keys. Ensure your state backend (S3, GCS, Azure Blob) has appropriate access controls and encryption enabled.
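To see which values in a given state file this applies to, the following added example (not ops0 code or part of the ops0 product) audits a state file and reports secret-bearing attributes without printing their values. It assumes Terraform's state format version 4 layout (`resources` → `instances` → `attributes` / `sensitive_attributes`); the function name, the hint list, and the sample state are constructed for illustration.

```python
import json

# Attribute-name substrings treated as secret-bearing (heuristic chosen for this example).
SECRET_HINTS = ("password", "secret", "private_key", "token")

# Constructed sample in Terraform state format version 4; every value is fake.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "random_password", "name": "db",
         "instances": [{"attributes": {"length": 24, "result": "constructed-Pw-1"},
                        "sensitive_attributes": [[{"type": "get_attr", "value": "result"}]]}]},
        {"mode": "managed", "type": "aws_db_instance", "name": "main",
         "instances": [{"attributes": {"engine": "postgres", "username": "app",
                                       "password": "constructed-Pw-1"},
                        "sensitive_attributes": []}]},
        {"mode": "managed", "type": "aws_s3_bucket", "name": "logs",
         "instances": [{"attributes": {"bucket": "example-logs"},
                        "sensitive_attributes": []}]},
    ],
})

def find_plaintext_secrets(state_text):
    """Return (address, attribute, reason) for each secret-looking string held in state."""
    findings = []
    for res in json.loads(state_text).get("resources", []):
        address = f'{res["type"]}.{res["name"]}'
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            # Top-level attribute names that Terraform itself recorded as sensitive.
            marked = {path[0]["value"]
                      for path in (inst.get("sensitive_attributes") or [])
                      if path and path[0].get("type") == "get_attr"}
            for key, value in attrs.items():
                if not isinstance(value, str) or not value:
                    continue  # only non-empty strings can carry a secret here
                if key in marked:
                    findings.append((address, key, "marked sensitive"))
                elif any(hint in key.lower() for hint in SECRET_HINTS):
                    findings.append((address, key, "name heuristic"))
    return findings

if __name__ == "__main__":
    # Report locations only; the secret values themselves are never printed.
    for address, key, reason in find_plaintext_secrets(SAMPLE_STATE):
        print(f"{address}: '{key}' is stored in plaintext in state ({reason})")
```

Marking an attribute sensitive only hides it from plan output; the value is still present in the state file, which is why the backend's access controls and encryption matter.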
ops0 automatically scans IaC code for security misconfigurations during the plan phase using Checkov:
If you discover a security vulnerability in ops0, please report it to security@ops0.ai. We follow coordinated disclosure and aim to respond within 48 hours.
Do not disclose vulnerabilities publicly before we have had a chance to address them.