Trust Center
Opheleon helps teams plan complex software work, which means customers may bring business goals, product requirements, system designs, implementation details, and code-aware context into the product. Security, privacy, and careful data handling are core to how Opheleon is operated.
This page is intended for customers, prospects, and security reviewers. It summarizes public security practices at a buyer-friendly level. Additional technical detail and vendor questionnaire support are available during customer review.
Security Overview
Opheleon uses cloud-hosted infrastructure with separate production and non-production environments. Production systems are designed around scoped access, private data stores, encrypted traffic, monitored operations, and account-level authorization.
- Protect production data stores from direct public exposure.
- Encrypt data in transit and at rest where customer content is stored.
- Use scoped identity and access controls for people, workloads, and automation.
- Enforce account-level authorization in the application.
- Handle third-party integrations with limited permissions and secure token storage.
- Monitor production systems for availability, operational health, and security-relevant events.
Data Protection
Customer workflow content may include project metadata, goals, tasks, generated planning documents, repository-derived context, comments, and related outputs. Opheleon stores this content to provide product functionality, history, continuity, and recovery.
Production data stores are private and encrypted at rest. Traffic to public product endpoints is served over encrypted connections. Integration credentials and sensitive application secrets are stored with protections appropriate to their use.
Infrastructure Security
Opheleon runs in managed cloud infrastructure with network boundaries that separate public entry points from internal services. Sensitive production services are kept private and are not intended to be reachable directly from the public internet.
Static marketing, documentation, and application assets are served through managed delivery infrastructure with private origin storage.
Identity and Access
Protected product routes require authenticated access. Application resources such as projects, tasks, documents, integrations, and account settings are tied to accounts, and backend authorization checks enforce access within the appropriate account boundary.
Enterprise identity and access requirements can be reviewed with customers during vendor evaluation.
Application Security
Opheleon uses structured API schemas and request validation for product endpoints. Application controls are designed to reject unsupported input, enforce account boundaries, and limit access to authorized resources.
Additional secure development lifecycle details are available during vendor review.
AI and Data Processing
Opheleon uses AI model providers to support planning workflows such as drafting, review, code-aware context, and implementation planning. Depending on the workflow, customer-provided prompts, task descriptions, document content, repository-derived context, generated outputs, tool results, and metadata may be processed by configured providers.
Opheleon is designed around human-reviewed AI workflows. Generated planning documents and implementation outputs are drafts until reviewed and approved by the customer team.
Customers can request the current list of AI subprocessors, provider data-use terms, and customer-specific review materials.
Code Handling
Opheleon can connect to customer repositories to analyze existing systems, generate implementation context, summarize code changes, and support code-aware planning workflows.
When repository access is used, Opheleon retrieves the code needed for the requested workflow and uses agents to analyze relevant files, dependencies, implementation patterns, and recent changes. This analysis helps generate planning documents, codebase summaries, review context, and implementation-ready outputs.
Opheleon is designed to limit how long raw code needs to remain in active processing. Temporary working copies used during agent analysis are cleaned up after the agent task completes. Opheleon may retain derived outputs, such as generated planning documents, code-change summaries, agent messages, metadata, and review results, where needed to provide product functionality, history, continuity, recovery, and auditability.
Code-derived context may be sent to configured AI model providers when required for product functionality. Opheleon will never use customer code to train AI models. As an additional layer before code is read by analysis agents, Opheleon applies best-effort secret redaction intended to detect common password, API key, token, and credential-like patterns. These safeguards reduce unnecessary exposure of sensitive values, but should not be interpreted as a guarantee that customer-submitted code contains no sensitive data.
Repository access can be disconnected through supported integration controls. Customers can contact Opheleon for additional details about repository access, AI subprocessors, data retention, and customer-specific security requirements.
Integrations
Opheleon integrates with services such as GitHub, Linear, and Trello, as well as billing, customer communication, and AI/model infrastructure providers. Integration access is scoped to the permissions needed for product workflows, such as repository context, issue creation, billing, lead capture, or workflow automation.
Users can disconnect supported integrations from within the product. When provider-side revocation is available, Opheleon attempts to revoke access with the provider and deactivates local integration state.
Logging and Monitoring
Opheleon uses logging and monitoring across application and infrastructure components to support operational debugging, availability review, and investigation of important events.
Selected account and document events are recorded for operational traceability. Audit coverage continues to evolve with the product.
Reliability and Recovery
Production services use managed infrastructure features for backups, monitoring, deployment, and recovery-oriented operations. Customer-specific availability or recovery commitments can be reviewed during contract discussions.
Data Lifecycle
Customers can request account deletion through the product. Deletion workflows are designed to deactivate the account first, then complete final removal through an internal finalization process after the configured eligibility period.
Secure Development
Opheleon uses controlled deployment workflows and automated checks as part of software delivery. Infrastructure and application changes are managed through version-controlled processes, with testing and review practices evolving as the product matures.
Compliance Readiness
Opheleon is building toward formal compliance readiness with controls around identity, encryption, backups, monitoring, logging, account-level authorization, and operational access. Formal certifications or regulatory attestations will be documented separately when available.
Contact
For security documentation, vendor questionnaires, or additional review materials, contact the Opheleon team.