OwnYourOps generates customer-specific infrastructure code. This page explains what we store, what we do not store, how credentials are handled, and what belongs to you after delivery.
OwnYourOps does not claim SOC 2 compliance today. The platform is operated against a SOC 2-ready control set, and the formal Type I audit is scoped to start during Q3 2026 with a target report date in Q4 2026. We publish progress here and answer security questionnaires transparently in the meantime.
Project secrets are encrypted before storage using industry-standard symmetric encryption with message authentication. Database storage is encrypted. The infrastructure we generate for you defaults to encrypted disks and a managed secret store for application credentials.
All customer-facing traffic uses modern TLS with automatic certificate renewal. Traffic between internal services stays on a private network.
Control scoping: Q2 2026. Readiness assessment: Q3 2026. Audit window and report: Q4 2026. Auditor and scope announced before the audit starts.
The infrastructure we generate supports a HIPAA-eligible configuration: private networking, encryption at rest, audit logging, and least-privilege access. OwnYourOps does not sign BAAs today because the platform itself does not process PHI. Customers running PHI workloads own their BAAs and configuration review.
Payment processing is handled entirely by a PCI-compliant payment processor. OwnYourOps never stores or transmits primary account numbers. The infrastructure we generate supports customers operating PCI-scoped workloads; full PCI DSS attestation of the generated stack remains the customer's responsibility.
Pinned infrastructure components are checked against upstream releases on a weekly cadence, and drift is surfaced for prompt review. The output we generate ships with dependency and image scanning in CI/CD on every tier.
We store the data needed to create, generate, support, and maintain your project. We avoid storing raw operational credentials unless you explicitly choose a path that requires encrypted project secrets.
Name, email, company, account settings, product update preference, package selections, entitlement status, and payment records. Payment card details are processed by Stripe.
Your selected environments, AWS regions, EKS, networking, monitoring, ingress, IAM, security, applications, CI/CD, and deployment preferences.
Generation status, package metadata, template version, generated output paths, validation results, and generation history used by the dashboard and support flow.
Support threads attach project ID, current step, package, generation status, validation errors, missing-secret metadata, recent activity, and support snapshots. Secret values are not included.
For integrations that need credentials, customers can either configure them later in their own environment or store them as encrypted project secrets when generation requires them.
Project secrets are encrypted before storage using the platform encryption service and decrypted only when needed for generation or regeneration.
The dashboard shows whether a required secret is present, not the full secret value.
For providers such as Datadog, New Relic, Grafana Cloud, and private registries, supported paths can defer credential entry so Terraform or Helm does not fail during generation.
The standard deployment path runs in your environment. Managed Install access, if used, should be scoped for the work and revoked after completion.
You don't configure any of this. You don't need to know what half of it means. Every generated project ships with the protections below on day one, set up the way a senior platform engineer would do it by hand over two weeks.
Each generated project includes a SECURITY_CHECKLIST.md that lists exactly what's on and maps it to SOC 2 and CIS benchmarks. You hand it over instead of filling out a questionnaire from scratch.
If one of your apps gets compromised, the attacker can't pivot into your AWS account through the node it's running on. This is how a lot of cloud breaches actually happen, and it's shut off at the metal.
When a customer or auditor asks "who did what, and when?", you have the answer in CloudWatch. This pre-answers a large chunk of the SOC 2 and compliance questionnaires.
Each service gets only the AWS access it needs. No hardcoded access keys sitting in environment variables, Git history, or container images. The modern pattern, set up for you.
Database credentials, third-party tokens, and anything else sensitive stay in AWS Secrets Manager and get pulled into apps at startup. Nothing sensitive ever touches Git or your Helm charts.
Worker nodes sit inside a private network. Only load balancers face the outside world. There's nothing public for an attacker to SSH into because there's no public door.
If a hard drive gets pulled out of a rack, or a backup gets copied off, the contents are scrambled. On by default. You don't flip a switch.
OwnYourOps is not a rented infrastructure runtime. After checkout and generation, the delivered Terraform, Helm charts, CI/CD workflows, scripts, and docs are generated for your project and handed over as customer-owned code.
Ask before you buy. We will answer what is implemented today, what is configurable, and what is still on the roadmap.