Security & Privacy

Built for engineers who can't afford a breach at 2AM.

OperatorMesh is stateless by design. Your incident logs are processed in memory and discarded immediately — never written to disk, never used for training, never shared.

🔒 Logs never stored
🚫 No model training
🔌 No agents installed
👤 Human-in-the-loop

What happens to your logs

Webhook-triggered analysis (auto-triage)
🔔 Alert fires: PagerDuty / Datadog sends webhook payload
Netlify Function: Payload received in serverless function memory
🤖 AI analysis: Sent to Anthropic API — discarded after response
💬 Result delivered: Root cause sent to Slack. Raw logs discarded.
🗑 Memory cleared: Function terminates. Nothing persists.

Dashboard analysis (manual paste)
📋 You paste logs: Input entered in browser
🤖 AI analysis: Sent to Anthropic API over HTTPS
📊 Result saved: Analysis result (not raw logs) saved to your account
🔑 Your control: Delete any analysis anytime from dashboard

Security by design, not policy

🏗 Stateless serverless functions
Every analysis runs in an isolated Netlify Function that terminates after the response. No database connection. No file system writes. No shared memory between requests. Your data cannot persist even if we wanted it to.

🔌 No agents — ever
OperatorMesh uses webhook ingestion only. Nothing is installed on your infrastructure. No daemon processes, no network agents, no SSH access required. Zero footprint on your systems.

🧠 No training on your data
We use the Anthropic API under a zero data retention agreement. API inputs are not used to train models. Your incident patterns are not used to improve anyone's AI system.

👤 Human-in-the-loop always
OperatorMesh recommends, never executes. No automated infrastructure changes. No auto-remediation. Every fix requires a human decision. Confidence scores tell you when to act vs escalate.

📷 Screenshot privacy
Images are compressed in your browser before upload (Canvas API). They are sent to the vision model for text extraction and discarded immediately after. Screenshots are never stored.

🔐 Encryption in transit
All traffic uses TLS 1.3. Webhook endpoints enforce HTTPS. API keys are never logged. Supabase auth tokens are short-lived and rotated automatically.

Exactly what we do and don't do with AI

🤖 Anthropic Claude API — usage policy
Are your logs used to train AI models?
No. Never. API inputs are processed and discarded under our provider agreement.
Does OperatorMesh store raw logs?
No. Webhook-triggered analyses run in memory and are discarded when the function terminates.
What is stored in the dashboard?
The analysis result only — root cause, confidence, actions. Never the raw log payload.
Can I delete my analysis history?
Yes. Any time. From the dashboard. Deletion is permanent and immediate.
Which AI model processes my data?
Anthropic Claude (claude-haiku-4-5 for speed, claude-sonnet-4-6 for complex analyses). No other models used.
Is OperatorMesh output advisory or autonomous?
Advisory only. OperatorMesh never executes fixes, restarts services, or modifies infrastructure.
What happens to screenshot images?
Compressed in browser → sent to vision API → text extracted → image discarded. Never stored.

Current status and roadmap

Standard | Status | Notes
HTTPS / TLS 1.3 | ✓ Live | All endpoints. Enforced by Netlify CDN.
Zero data retention (webhooks) | ✓ Live | Architecturally enforced — stateless functions.
User data deletion | ✓ Live | Delete any analysis from dashboard. Immediate.
No model training on user data | ✓ Live | Anthropic API zero-retention agreement.
Status page | ✓ Live | operatormesh-status.instatus.com
GDPR compliance | Planned | DPA available on request. Full certification planned.
SOC 2 Type II | Planned | Roadmap: Q1 2027. Available for enterprise customers.
ISO 27001 | Planned | Roadmap: Q2 2027.
Penetration testing | Planned | Scheduled for Q4 2026.

Found a vulnerability?

📧 Report to: security@operatormesh.com — or directly to the founder at founder@operatormesh.com
Response time: We acknowledge all reports within 24 hours and aim to resolve critical issues within 72 hours.
🤝 Good faith: We commit to not pursuing legal action against researchers who report issues responsibly and give us reasonable time to respond.
🏆 Recognition: Researchers who identify valid security issues will be acknowledged publicly (with permission) and receive free Pro access.

Security questions or enterprise review?

We understand that infrastructure tooling requires a higher bar of scrutiny. If your security team needs a custom review, architecture diagram, or DPA — reach out directly.

📧 Contact the founder directly
Praveen B Ballari · founder@operatormesh.com · Usually responds within 4 hours