Security.
How Optale defends what customers run on us. The summary lives here. Customer-specific commitments live in your DPA and SLA.
Encryption
In transit. TLS 1.2 or higher on every public surface. Internal service-to-service traffic over private networks.
At rest. Encrypted disks for all data stores. Customer secrets sit in vault-protected stores with access logged.
Access control
Single sign-on plus multi-factor authentication on every internal surface. Role-based access with least-privilege defaults. Every privileged action is logged to Control and reviewable by the customer admin who owns the workspace.
Infrastructure
Hosting in Norway and the EU. Production runs on a small set of vendors listed in the customer DPA. We do not silently rotate sub-processors. Material changes are notified in advance.
Vulnerability management
Dependency scans run on every deploy. Security findings go through the same incident pipeline as operational issues. No quiet fixes; if something needed patching, it shows up in the changelog.
Incident response
Customer-affecting incidents are reported within the window agreed in your DPA. Post-incident notes are written and shared, including timeline, root cause, and what changed to prevent recurrence.
Customer admin controls
Every customer gets admin-level visibility into:
- which agents run on their data
- what tools each agent can use
- approval policies and budget caps
- the full Control trace for every agent action
The same surface lets admins suspend an agent, rotate a credential, or revoke a tool in one click.
Reporting a vulnerability
Write to kontakt@optale.com with the subject line beginning [security]. We acknowledge inside 48 hours and update you with a fix plan or status within 5 business days.
We do not run a public bug bounty today. We do thank researchers who report responsibly.