Trust & Safety

Your infra. Our
responsibility.

DunOps executes operations on your infrastructure. We treat that trust as a first-class engineering constraint — not a checkbox. Here's exactly how we protect your data and credentials.

AES-256

Encryption at rest

TLS 1.3

Encryption in transit

Zero

Plaintext secrets — ever

100%

Mutations need your approval

Defence in depth

Six security layers

Each layer is designed and audited independently. A breach of one does not cascade to the others.

Infrastructure

Hosted on AWS us-east-1 with multi-AZ redundancy
Fargate compute — no persistent VM footprint
RDS PostgreSQL with automated encrypted backups
CloudFront + WAF on all public endpoints
VPC isolation: database never exposed to internet

Encryption

All data encrypted at rest with AES-256
TLS 1.3 enforced for all data in transit
Provider tokens encrypted with per-workspace envelope keys
Database connections require TLS — plaintext rejected
S3 buckets block all public access by policy

Authentication

No passwords — OTP codes and magic links only
OTP codes expire in 10 minutes, single-use
Magic links are signed, time-bound, POST-only consumed
Session cookies: httpOnly, SameSite=Strict, no JS access
Unauthenticated requests rejected at gateway with 401

Secrets management

Provider credentials (GitHub, Vercel, DNS) never in plaintext
Tokens never appear in logs or error messages
Internal credentials rotated on every deploy
No hardcoded secrets — enforced via pre-commit scan
Secrets deleted immediately on provider disconnect

Data isolation

Workspace data isolated at database row level
Cross-workspace access is structurally impossible
API routes validate workspace membership independently
Playbooks and workflows are workspace-private by default

Confirm before mutate

No infrastructure change runs without explicit approval
Every mutation surfaces a diff or plan before execution
Approvals are logged with exact timestamp and user
Approving one action never authorises the next

Responsible disclosure

Found something?
Tell us first.

We welcome responsible disclosure from security researchers. If you find a vulnerability in DunOps, please report it before public disclosure so we can address it promptly and give you full credit.

We commit to acknowledging every report within 48 hours and shipping fixes within 14 days for critical issues. We do not ask for silence beyond a reasonable coordinated-disclosure window.

Report a vulnerability →

Send a report

Email security@dunops.com with a description, reproduction steps, and any proof-of-concept. Encrypted email available on request.

We acknowledge in 48 h

You'll receive a confirmation with a tracking reference. We triage by severity and loop in the right engineers.

We patch

We aim to ship a fix within 14 days for critical issues, 30 days for high severity. We keep you updated throughout.

Coordinated disclosure

We work with you on public-disclosure timing and give full credit in our changelog. We don't ask for silence beyond a reasonable window.

Got questions?

Security audits, questionnaires & compliance

For penetration test results, compliance documentation, or enterprise security questionnaires, reach out directly.

security@dunops.com Read privacy policy →

Your infra. Ourresponsibility.