Trust Center

Security, Privacy
& Compliance

Everything you need to evaluate OperatorMesh for your team — data handling, infrastructure, security architecture, and compliance roadmap. We believe in full transparency.

All systems operational status.operatormesh.com →

Data Architecture

Zero raw data retention — by design

This is not a policy promise. It is an architectural constraint. OperatorMesh runs on stateless Netlify serverless functions. These functions have no persistent storage. Raw logs are processed in memory and discarded when the function exits. This happens automatically — we have no mechanism to store raw incident data even if we wanted to.

Processing pipeline

Your input

Logs / alert

→

Transport

HTTPS TLS 1.3

→

Processing

Memory only

→

AI analysis

Anthropic API

→

Result

Structured JSON

→

Raw input

Discarded

Only structured results (root cause, confidence scores, actions) are saved — and only if you are signed in.

✓Raw logs never written to disk — serverless functions are stateless by design

✓No model training on your data — API calls to Anthropic are zero-retention under our agreement

✓No human review of your incidents — analysis is fully automated, no Anthropic or OperatorMesh employee reads your data

✓Structured results only — if signed in, only root cause, confidence scores, and actions are saved. Never raw logs.

✓Delete anytime — every analysis in your dashboard has a delete button. Email founder@operatormesh.com to delete all data.

Infrastructure

Infrastructure details

Component	Provider	Details
Frontend hosting	Netlify CDN	Global CDN, 99.99% uptime SLA, automatic HTTPS
Serverless functions	Netlify Functions	AWS Lambda under the hood, stateless execution, auto-scaling
Database	Supabase (AWS us-east-1)	PostgreSQL, SOC2 Type II certified, Row-Level Security enforced
AI inference	Anthropic Claude API	Zero-retention API agreement, no training on inputs
AI fallback	OpenAI GPT-4o	Automatic failover if primary unavailable
Payments	Lemon Squeezy	PCI DSS compliant, we never see card data
Email	Resend	Transactional only — account confirmation, usage nudges
Analytics	Plausible	Cookie-free, no fingerprinting, GDPR compliant
Transport	TLS 1.3	All traffic encrypted in transit, enforced by Netlify
Processing region	United States	AWS us-east-1 primary. EU processing available on request.

Security

Security architecture

🔐

Authentication

Supabase Auth with JWT tokens. Row-Level Security policies enforce data isolation — users can only access their own data. Service role keys never exposed to browsers.

🛡️

API security

All API keys stored as Netlify environment variables — never in source code. Rate limiting at 15 requests/minute per IP. Bot protection on all endpoints.

🌐

Network security

Security headers enforced: CSP, X-Frame-Options, X-Content-Type-Options, HSTS. All traffic HTTPS-only. No mixed content.

🔑

Webhook security

HMAC-SHA256 signature verification on all incoming webhooks. Replay attack prevention via 5-minute timestamp window. Deduplication fingerprinting prevents duplicate alerts.

📦

Minimal attack surface

No heavy JS frameworks. Vanilla HTML + serverless functions. No agents installed in your infrastructure. Webhook-only ingestion model.

🗑️

Data minimisation

We collect the minimum necessary: email, plan, usage count, structured analysis results. No raw logs. No service names. No infrastructure topology stored.

✓Vulnerability disclosure: Email founder@operatormesh.com — we respond within 24 hours

✓Dependency updates: Reviewed monthly

→Bug bounty program: Planned Q3 2026

→Penetration testing: Planned Q3 2026

Compliance

Compliance roadmap

✓ LIVE

GDPR

Data Processing Agreement available. EU data subject rights supported. Cookie-free analytics.

✓ LIVE

Privacy by Design

Zero raw retention architecture. Data minimisation enforced. No third-party data sharing.

→ 2026

SOC 2 Type II

Audit preparation underway via Vanta. Target: Q4 2026. Available for enterprise evaluation on request.

→ 2026

ISO 27001

Security management framework alignment in progress. Target Q1 2027.

→ Q3 2026

HIPAA

BAA available for healthcare customers on Pro+ plans on request. Architecture is HIPAA-compatible.

✓ LIVE

Data Processing Agreement

DPA available for Pro and Enterprise customers. Email founder@operatormesh.com to request.

Responsible AI

How we use AI responsibly

✓Advisory only — no automated actions: OperatorMesh never takes automated actions on your infrastructure. Every recommendation requires human approval.

✓Calibrated confidence scores: We show separate diagnosis and remediation confidence scores. Low confidence triggers an escalation warning — we tell you when not to trust us.

✓Rejected hypotheses: Every triage shows what alternative causes were considered and eliminated — not just the answer, but the reasoning.

✓Missing signals disclosed: We tell you what evidence would increase confidence — acknowledging our own uncertainty explicitly.

✓Multi-LLM fallback: Primary: Anthropic Claude. Fallback: OpenAI GPT-4o. No single-provider dependency.

✓Accuracy benchmark published: We publish honest accuracy metrics including failure cases. See benchmark.html.

Security questions or enterprise evaluation?

Praveen B Ballari — Founder, OperatorMesh. I respond to every security and compliance inquiry personally, typically within 24 hours.

founder@operatormesh.com

✉ Request security review Privacy policy →

Security, Privacy& Compliance

Zero raw data retention — by design

Infrastructure details

Security architecture

Compliance roadmap

How we use AI responsibly

Security questions or enterprise evaluation?

Security, Privacy
& Compliance