OpteraOS Security Overview
Last updated: February 20, 2026
1. Infrastructure
- Hosted on Vercel for global edge performance
- Supabase for PostgreSQL, Auth, and Storage
- Multi-AZ redundancy
2. Data Protection
- Encryption in transit (TLS 1.2+)
- Encryption at rest (AES-256)
- Strict access controls
- Audit logs for sensitive operations
3. Application Security
- OWASP-aligned engineering practices
- Input validation (Zod + server-side checks)
- Rate limiting and abuse protection
- Regular dependency audits
4. AI Security
- AI inference only; no training on customer data
- Sensitive data filtering
- Logged and monitored API calls
5. Responsible Disclosure
Security researchers may report issues to:
security@opteraos.com6. Business Continuity
- Automated backups
- Disaster recovery procedures
- Monitoring & alerting
OpteraOS Privacy Policy
Last updated: February 20, 2026
1. Introduction
OpteraOS ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use our website, platform, and services.
2. Information We Collect
2.1 Information You Provide
- Account details (name, email, password)
- Firm information (company name, size, billing details)
- Uploaded files (BOEs, spreadsheets, documents)
- Messages, comments, or support requests
2.2 Automatically Collected Information
We use analytics services to understand how users interact with OpteraOS:
- Google Analytics (website and web application): Collects device and browser information, IP address, pages visited, session duration, and user interactions. Google Analytics uses cookies to distinguish users and sessions.
- Firebase Analytics (mobile application): Collects device information, app usage events, crash reports, and performance data. Firebase may collect mobile advertising identifiers unless you opt out through your device settings.
These services are operated by Google LLC. For details on how Google processes this data, see Google's Privacy Policy.
2.3 Third‑Party Integrations
If you connect external services (Google, Microsoft, etc.), we may access:
- Calendar and contact data
- File metadata
- Authentication tokens
3. How We Use Your Information
- Provide and maintain the OpteraOS platform
- Improve product features and user experience
- Secure accounts and prevent fraud
- Deliver customer support
- Process payments (when applicable)
- Analyze aggregated system usage
4. How We Store and Protect Data
- Encryption in transit (HTTPS/TLS)
- Encryption at rest (Supabase/Postgres)
- Access controls and audit logging
- Regular security reviews
5. Sharing of Information
We do not sell user data.
We may share data with:
- Trusted service providers (hosting, analytics, email)
- Payment processors
- Legal authorities, if required
5.1 Third-Party Analytics Providers
We use the following third-party services that process data on our behalf:
| Service | Provider | Purpose | Privacy Policy |
|---|---|---|---|
| Google Analytics | Google LLC | Website and web app analytics | Link |
| Firebase | Google LLC | Mobile app analytics and crash reporting | Link |
These providers may transfer data to servers located outside your country of residence, including to the United States. Google participates in the EU-U.S. Data Privacy Framework.
6. Data Retention
We retain data as long as your account remains active.
Backups are stored securely for disaster‑recovery purposes.
6.1 Analytics Data Retention
Google Analytics data is retained for 14 months, after which it is automatically deleted. Firebase Analytics data follows Google's standard retention policies. You may request deletion of your data by contacting us at privacy@opteraos.com.
7. Your Rights
Depending on your region, you may request:
- Access to your data
- Correction or deletion
- Export of your data
- Opt‑out of certain processing
To opt out of analytics tracking:
- Web: Install the Google Analytics Opt-out Browser Add-on
- Mobile: Adjust "Limit Ad Tracking" (iOS) or "Opt out of Ads Personalization" (Android) in your device settings
8. Children's Privacy
OpteraOS is not intended for users under 16.
9. Changes to Policy
We may update this Privacy Policy. Updates are posted on our website.
10. Contact
privacy@opteraos.comOpteraOS End User License Agreement (EULA)
Last updated: February 20, 2026
1. Acceptance of Terms
By using OpteraOS, you ("User") agree to this EULA.
2. License Grant
User receives a limited, non-exclusive license to access and use OpteraOS for their organization's internal business operations.
3. User Responsibilities
Users must:
- Keep account credentials secure
- Use the platform responsibly
- Follow all applicable laws
Users may NOT:
- Share logins
- Upload harmful, illegal, or sensitive content
- Reverse-engineer or disrupt the platform
4. Data & Content
User retains ownership of uploaded content.
OpteraOS processes data solely per the Privacy Policy and DPA.
5. AI Features
- AI outputs must be reviewed by User
- Sensitive personal data must not be input
- Data is not used to train public models
6. Termination
Access may be revoked for violations of this EULA or workspace policy.
7. Disclaimer
OpteraOS is provided "as-is" without warranties.
8. Contact
support@opteraos.comOpteraOS Service Level Agreement (SLA)
Last updated: February 20, 2026
1. Overview
This Service Level Agreement ("SLA") defines uptime, support responsiveness, and service commitments provided by OpteraOS ("Provider") to customers ("Customer").
2. Service Availability
OpteraOS targets 99.5% uptime monthly, excluding:
- Scheduled maintenance
- Issues caused by Customer systems or misuse
- Internet, ISP, or external network failures
- Third‑party provider outages (Vercel, Supabase, OpenAI, Resend)
3. Scheduled Maintenance
We may perform maintenance with advanced notice. Emergency maintenance may occur as needed to preserve stability and security.
4. Support Response Times
| Severity | Description | Response Time |
|---|---|---|
| SEV‑1 | Full platform outage | ≤ 4 business hours |
| SEV‑2 | Major degraded functionality | ≤ 1 business day |
| SEV‑3 | Minor issue or bug | ≤ 2–3 business days |
| SEV‑4 | General questions & requests | ≤ 3–5 business days |
Support Hours: Mon–Fri, 9am–5pm PT
5. Backups & Disaster Recovery
- Daily automated backups
- Retention: 7–30 days
- Disaster recovery objective: 24–48 hours
6. Data Security Measures
- TLS encryption in transit
- Encrypted PostgreSQL storage
- Access control and audit logging
- Continuous monitoring
7. Exclusions
This SLA does not apply to:
- Beta features
- Free-plan accounts
- Customer misconfigurations
- Force majeure events
8. Remedies
If uptime drops below SLA levels, Customers may request service credits equal to the percentage of downtime.
9. Contact
support@opteraos.comOpteraOS Acceptable Use Policy (AUP)
Last updated: February 20, 2026
1. Purpose
This AUP ensures safe, compliant use of OpteraOS.
2. Prohibited Activities
Users may NOT:
- Upload malware, harmful, or illegal content
- Violate data privacy laws
- Attempt unauthorized access
- Perform security testing without permission
- Abuse free-tier AI resources
- Harass or harm other users
3. AI Usage Rules
- Do not input sensitive personal data
- Review all AI-generated outputs
- Do not automate spam or harmful workflows
4. Resource Limits
We may throttle excessive usage that impacts service health.
5. Enforcement
Violations may result in suspension or termination.
6. Contact
legal@opteraos.comOpteraOS Data Processing Addendum (DPA)
Last updated: February 20, 2026
1. Introduction
This Data Processing Addendum ("DPA") forms part of the Terms & Conditions between Customer ("Controller") and OpteraOS ("Processor").
2. Subject Matter
Processor will process Customer Personal Data solely for purposes of delivering the OpteraOS platform.
3. Roles
- Customer = Data Controller
- OpteraOS = Data Processor
4. Processing Activities
- Storage and retrieval of customer data
- Structured data processing for CRM/Projects/Finance
- AI-assisted operations (non-training)
- Customer support operations
5. Data Categories
- User account data
- Firm and project data
- Uploaded files (BOEs, spreadsheets, docs)
- Usage metadata
6. Subprocessors
OpteraOS uses trusted providers:
- Vercel (hosting)
- Supabase (database, auth, storage)
- Resend (email)
- OpenAI (AI inference only — no training)
7. Security Measures
- TLS encryption
- Encryption at rest
- Role-based access control
- Audit logging
- Regular security reviews
8. Data Subject Rights
Processor assists Controller with:
- Access
- Deletion
- Correction
- Export
9. International Transfers
Transfers follow GDPR Standard Contractual Clauses.
10. Breach Notification
Processor notifies Controller without undue delay after discovering a breach.
11. Data Deletion
All Customer Data is deleted upon request or 30 days after account termination.
12. Contact
privacy@opteraos.comOpteraOS GDPR Compliance Statement
Last updated: February 20, 2026
1. Commitment
OpteraOS complies with GDPR and processes personal data lawfully, fairly, and transparently.
2. Lawful Basis
We process data under:
- Performance of contract
- Legitimate interest
- User consent
3. Data Subject Rights
Under GDPR, users may:
- Access data
- Request deletion
- Request correction
- Export data
- Object to processing
4. Data Processing
All data is encrypted and stored in compliant infrastructure.
5. International Transfers
We use SCCs for EU→US transfers.
6. Data Protection Officer
privacy@opteraos.comCalifornia Privacy Rights Addendum (CCPA)
Last updated: February 20, 2026
1. Applicability
This Addendum applies to California residents under the CCPA/CPRA.
2. Consumer Rights
California users may:
- Request access to personal information
- Request deletion
- Request correction
- Opt out of sale or sharing (we do NOT sell data)
3. Categories of Data Collected
- Identifiers (name, email)
- Commercial information (subscription details)
- Usage data
- Uploaded BOEs/files
4. Sensitive Data
We do not collect or process sensitive personal data.
5. Non-Discrimination
Users exercising their rights are not penalized.
6. Contact
privacy@opteraos.comOpteraOS Refund Policy
Last updated: February 20, 2026
1. General Refund Policy
OpteraOS subscriptions are billed monthly or annually.
All payments are non-refundable, except in the cases listed below.
2. Refund Exceptions
We provide refunds for:
- Duplicate charges
- Accidental upgrades (if reported within 7 days)
- System-wide outages exceeding SLA guarantees
- Billing errors
3. Non‑Refundable Items
We do not offer refunds for:
- Partial months of service
- Unused time on paid plans
- Changes in firm size or inactivity
- Downgrades mid-cycle
4. Cancellation
Users may cancel at any time.
Service remains active until the end of the billing period.
5. Annual Plans
Annual payments are discounted and non-refundable.
6. Trials & Guarantees
If a free trial is offered, the user will not be charged until after the trial ends.
7. Contact
billing@opteraos.comOpen Source Attribution
Last updated: February 20, 2026
Carbon Design System
OpteraOS uses components from the Carbon Design System, which is licensed under the Apache License 2.0.
Copyright IBM Corp. 2016, 2025
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Source code available at: https://github.com/carbon-design-system/carbon