
Security at CoreOP

Last Updated: May 6, 2026

Security is foundational to CoreOP. We protect your business data with controls designed for a modern, multi-tenant SaaS platform. This page summarizes how we approach security across infrastructure, application, data, and operations. For contractual security commitments, see our Data Protection Addendum at coreop.io/legal/dpa.


Infrastructure

CoreOP is hosted on enterprise-grade cloud infrastructure provided by Vercel (application hosting and edge delivery) and Supabase (managed Postgres database, authentication, and storage), each running on top of major hyperscale providers. This means CoreOP inherits the physical security, environmental controls, network protections, and compliance posture of the underlying infrastructure providers.

We rely on these providers' published certifications and reports — including SOC 2 Type II, ISO 27001, and similar industry standards held by our infrastructure partners — for the physical and lower-layer controls below the application. CoreOP itself is on a path toward independent SOC 2 Type II attestation as we mature.

Encryption

  • In transit. All traffic to and from the Service is encrypted with TLS 1.2 or higher. We use modern cipher suites and HSTS to prevent downgrade attacks.
  • At rest. Customer data is encrypted at rest using AES-256 or equivalent, applied at the database, storage, and backup layers by our infrastructure providers.
  • Secrets. API keys, OAuth tokens, and other sensitive configuration values are stored in encrypted secret stores and are never written to source code repositories.

Tenant Isolation

CoreOP is multi-tenant. We isolate tenant data through:

  • Row-level security (RLS). Every multi-tenant table in our Postgres database has RLS policies that enforce tenant boundaries at the database level. A request for data must include valid tenant context; data not belonging to that tenant is not returned.
  • Authenticated session context. Tenant context is derived from the authenticated user's session, not from client-supplied identifiers.
  • Defense in depth. Application-layer authorization checks run in addition to RLS, so a single layer's failure does not expose another tenant's data.
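
The RLS and session-context points above can be sketched as follows. This is an added example, not CoreOP's schema or code: the table, function and policy names and the app_metadata.tenant_id claim are hypothetical, and it assumes a Supabase project, where auth.jwt() returns the verified token claims.

```sql
-- Hypothetical tenant-scoped table (illustrative names only).
create table public.work_orders (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  summary   text not null
);

-- ENABLE turns policies on; FORCE also applies them to the table owner,
-- which is otherwise exempt from row-level security.
alter table public.work_orders enable row level security;
alter table public.work_orders force row level security;

-- Tenant context is read from the verified JWT, never from a request
-- parameter. app_metadata is used because end users cannot edit it
-- (user_metadata is user-writable). A missing claim yields NULL, and
-- "tenant_id = NULL" is never true, so such a request matches no rows.
create function public.current_tenant_id() returns uuid
language sql stable
as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'tenant_id', '')::uuid
$$;

-- Read: only rows of the caller's tenant are visible.
create policy tenant_select on public.work_orders
  for select to authenticated
  using (tenant_id = public.current_tenant_id());

-- Insert: a row can only be created inside the caller's tenant.
create policy tenant_insert on public.work_orders
  for insert to authenticated
  with check (tenant_id = public.current_tenant_id());

-- Update: USING limits which rows can be touched; WITH CHECK stops a
-- row from being reassigned to another tenant by changing tenant_id.
create policy tenant_update on public.work_orders
  for update to authenticated
  using (tenant_id = public.current_tenant_id())
  with check (tenant_id = public.current_tenant_id());

-- Delete: same boundary as read.
create policy tenant_delete on public.work_orders
  for delete to authenticated
  using (tenant_id = public.current_tenant_id());
```

With no policy granted to the anon role, unauthenticated requests match nothing; roles with the BYPASSRLS attribute skip these policies entirely, which is why application-layer checks remain a separate layer.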

Authentication and Access Control

  • End users. Accounts support strong passwords, optional two-factor authentication, and OAuth-based sign-in (including Google).
  • Administrative access. Access by CoreOP personnel to production systems requires individual accounts and multi-factor authentication, and is limited to those with a job-related need.
  • Role-based access. The Service supports role-based permissions so Vendor administrators can grant least-privilege access within their organization.
  • Session management. Sessions expire after periods of inactivity. Users can sign out remotely from active sessions.

Payment Security

CoreOP uses Stripe for payment processing. Card numbers and bank account details are entered directly into Stripe's hosted payment fields and are tokenized by Stripe; CoreOP never sees, stores, or transmits raw card numbers. Stripe is certified as a PCI Service Provider Level 1, the most stringent level of PCI-DSS compliance.

Application Security

  • Secure development. We follow modern secure coding practices, including input validation, parameterized database queries, output encoding, and avoidance of dangerous patterns.
  • Code review. Production code changes are reviewed before merge, and high-risk changes receive additional scrutiny.
  • Dependency management. We monitor application dependencies for known vulnerabilities and apply security updates based on severity.
  • Static analysis. Automated checks run on every code change to catch common security issues before they reach production.

Logging and Monitoring

  • We log authentication events, administrative actions, and security-relevant application events.
  • Logs are retained for a period appropriate to investigation needs and are protected against tampering.
  • We monitor for anomalies, error rates, and indicators of compromise, with alerting on suspicious patterns.

Backups and Resilience

  • Customer data is backed up automatically on a regular schedule by our database provider.
  • We test restore procedures.
  • The Service is designed to recover from common failure modes without data loss.

Incident Response

CoreOP maintains an incident response plan that covers detection, triage, containment, eradication, recovery, customer notification (where required), and post-incident review.

If a confirmed Security Incident affects your data, we will notify affected customers without undue delay and within the timelines required by our Data Protection Addendum and applicable law.

To report a suspected security issue, see "Coordinated Disclosure" below.

Subprocessors

CoreOP uses a limited set of trusted subprocessors to operate the Service, each evaluated for security posture and bound by contractual confidentiality, security, and data protection obligations. The current list is available on request by emailing support@coreop.io.

Coordinated Disclosure

We welcome reports from security researchers. If you believe you have discovered a vulnerability in CoreOP, email security@coreop.io with:

  • A description of the issue and where you found it
  • Steps to reproduce
  • Any proof-of-concept code or screenshots
  • How we can reach you for follow-up

We commit to:

  • Acknowledging your report within 5 business days
  • Providing a status update within 10 business days
  • Working in good faith toward a remediation timeline appropriate to the severity
  • Not pursuing legal action against researchers who follow this policy in good faith, do not access or modify other customers' data, and give us a reasonable opportunity to address the issue before public disclosure

We do not currently operate a paid bug bounty program, but we recognize meaningful contributions in our public acknowledgments where the researcher consents.

Personnel

  • All personnel with access to production systems sign confidentiality agreements.
  • Personnel receive periodic security and privacy training.
  • Access is reviewed periodically and revoked promptly on role change or departure.

Compliance Posture

CoreOP designs its controls to support compliance with the privacy and data protection laws applicable to our customers, including:

  • The Texas Data Privacy and Security Act
  • The California Consumer Privacy Act, as amended
  • Other comprehensive U.S. state privacy laws
  • The EU General Data Protection Regulation and UK GDPR, where applicable

CoreOP is not a HIPAA-covered entity or business associate. Do not upload protected health information to the Service unless we have agreed in writing.

Roadmap

The following are on our security roadmap. We list them transparently rather than overstating current state:

  • Independent SOC 2 Type II attestation
  • Expanded penetration testing program
  • Customer-managed encryption keys for enterprise tier
  • Single sign-on (SAML / OIDC) for enterprise customers
  • Advanced audit log export

Questions

For security questions, contact security@coreop.io. For privacy questions, contact support@coreop.io. For contractual commitments, see our Data Protection Addendum at coreop.io/legal/dpa.

© 2026 CoreOP. All rights reserved.

CoreOP is a product of Aviluxe Aviation LLC, a Texas limited liability company. support@coreop.io | (682) 900-5811