Compliance

Compliance posture

How OpsIQ approaches GDPR, CCPA, HIPAA, ISO and SOC frameworks: what we do today, what we are working toward, and where you can request reports.

Effective: May 9, 2026
Owner: OpsIQ Security & Compliance
Sub-processor list: See /privacy#share

1. Overview

OpsIQ is engineered with controls aligned to the major data-protection and security frameworks. We take the position that compliance is a continuous practice: the controls below are the substance, the certifications are the audit. We disclose where we are at every stage so you can match our posture to your procurement requirements.

2. GDPR & UK GDPR

  • Lawful basis documented per processing activity; see Privacy §4.
  • Data subject rights implemented self-serve in the Account portal: access, rectification, export, restriction, erasure.
  • Data Processing Agreement available for every customer โ€” /dpa.
  • Standard Contractual Clauses attached to international transfers.
  • EU data residency available on the Cloud platform.
  • 72-hour breach notification commitment to controllers when personal data is affected.

3. CCPA / CPRA

  • "Do Not Sell or Share" signal honoured globally; we do not sell personal data.
  • Per-customer data export and deletion endpoints exposed via API and Account portal.
  • Disclosure of categories of personal data collected; see Privacy §2.

4. HIPAA (Business plan)

OpsIQ supports HIPAA-aligned configurations on the Business plan. A Business Associate Agreement (BAA) is available for customers handling Protected Health Information (PHI). Configuration prerequisites:

  • Dedicated cloud tenant or self-hosted deployment
  • Role separation enforced (no shared admin accounts)
  • Audit log retention extended to 6 years
  • AI provider with a HIPAA-compliant offering selected (e.g. Anthropic enterprise tier)

Request a BAA at compliance@opsiqai.com.

5. SOC 2 readiness

We operate to SOC 2 Type II controls and are pursuing formal certification. The control set we apply today covers: security, availability, processing integrity, confidentiality and privacy. A control matrix is available under NDA on request.

6. ISO 27001 alignment

Our information security management system is aligned with ISO/IEC 27001:2022 Annex A controls. Internal policies covering risk, access, change, incident, supplier and continuity management are reviewed annually.

7. Payment card handling (PCI)

OpsIQ does not store card numbers. All payment data is tokenised by the gateway you choose (Stripe, Paystack, PayPal). Your PCI scope on OpsIQ is limited to the SAQ-A self-assessment form for redirect/iframe acceptance.

8. Sub-processors

The current sub-processor list is in Privacy §5. Material additions are notified to admins at least 30 days in advance, with a right to object that may result in termination if we cannot accommodate.

9. Incident response

  • 24/7 on-call rotation for P0 incidents.
  • Initial customer notification within 1 hour for confirmed P0; 4 hours for P1.
  • Post-incident review (RCA) published to affected customers within 5 business days.
  • Live status at /status.

10. Request a report

Available under NDA: SOC 2 progress letter, penetration test summary, architecture diagram, control matrix, sub-processor agreement summary. Email compliance@opsiqai.com.