§ SECURITY · POSTURE

Security.

How Optale defends what customers run on us. The summary lives here. Customer-specific commitments live in your DPA and SLA.

Encryption

In transit. TLS 1.2 or higher on every public surface. Internal service-to-service traffic over private networks.

At rest. Encrypted disks for all data stores. Customer secrets sit in vault-protected stores with access logged.

Access control

Single sign-on plus multi-factor authentication on every internal surface. Role-based access with least-privilege defaults. Every privileged action is logged to Control and reviewable by the customer admin who owns the workspace.

Infrastructure

Hosting in Norway and the EU. Production runs on a small set of vendors listed in the customer DPA. We do not silently rotate sub-processors. Material changes are notified in advance.

Vulnerability management

Dependency scans run on every deploy. Security findings go through the same incident pipeline as operational issues. No quiet fixes; if something needed patching, it shows up in the changelog.

Incident response

Customer-affecting incidents are reported within the window agreed in your DPA. Post-incident notes are written and shared, including timeline, root cause, and what changed to prevent recurrence.

Customer admin controls

Every customer gets admin-level visibility into:

  • which agents run on their data
  • what tools each agent can use
  • approval policies and budget caps
  • the full Control trace for every agent action

The same surface lets admins suspend an agent, rotate a credential, or revoke a tool in one click.

Reporting a vulnerability

Write to kontakt@optale.com with the subject line beginning [security]. We acknowledge inside 48 hours and update you with a fix plan or status within 5 business days.

We do not run a public bug bounty today. We do thank researchers who report responsibly.