Security & Trust

Clear boundaries around your data, secrets, and generated code.

OwnYourOps generates customer-specific infrastructure code. This page explains what we store, what we do not store, how credentials are handled, and what belongs to you after delivery.

Generated code: Customer-owned after purchase
Project secrets: Encrypted, masked, write-only in UI
Payment cards: Handled by Stripe, not stored here
SOC 2 status: Not completed yet, on roadmap

Compliance status

SOC 2 is not completed today.

We do not claim SOC 2 compliance without an audit report. The current approach is to operate in a SOC 2-ready direction, answer security questions transparently, and start the formal audit path when customer procurement requirements justify it.

Data handling

What OwnYourOps stores.

We store the data needed to create, generate, support, and maintain your project. We avoid storing raw operational credentials unless you explicitly choose a path that requires encrypted project secrets.

Account and billing records

Name, email, company, account settings, product update preference, package selections, entitlement status, and payment records. Payment card details are processed by Stripe.

Project configuration

Your selected environments, AWS regions, EKS, networking, monitoring, ingress, IAM, security, applications, CI/CD, and deployment preferences.

Generated package records

Generation status, package metadata, template version, generated output paths, validation results, and generation history used by the dashboard and support flow.

Support requests and snapshots

Support threads attach project ID, current step, package, generation status, validation errors, missing-secret metadata, recent activity, and support snapshots. Secret values are not included.

Secrets and credentials

Secrets are handled as project secrets, not normal configuration text.

For integrations that need credentials, customers can either configure them later in their own environment or store them as encrypted project secrets when generation requires them.

Write-only pattern

Saved project secrets can be replaced or deleted, but the dashboard does not display the raw value back to the user. Secret lists show masked values only.

Encrypted at rest

Project secrets are encrypted before storage using the platform encryption service and decrypted only when needed for generation or regeneration.

Masked in the UI

The dashboard shows whether a required secret is present, not the full secret value.

Configure later when supported

For providers such as Datadog, New Relic, Grafana Cloud, and private registries, supported paths can defer credential entry so Terraform or Helm does not fail during generation.

Self-deploy by default

The standard deployment path runs in your environment. Managed Install access, if used, should be scoped for the work and revoked after completion.

We do
  • Generate private Terraform, Helm, CI/CD, validation, and documentation for your project.
  • Attach support context so issues can be triaged without asking for the same project details repeatedly.
  • Use no-reply support emails that link back to the dashboard thread.
  • Keep generated code customer-owned after purchase.
  • Support project deletion/archive behavior and account-data requests through support.

We do not
  • Claim SOC 2 compliance before an audit is complete.
  • Store full payment card numbers in OwnYourOps.
  • Publish full customer-generated code as a public sample.
  • Include raw secret values in support snapshots.
  • Require standard customers to join Slack for support.

Ownership

The generated code belongs to the customer.

OwnYourOps is not a rented infrastructure runtime. After checkout and generation, the delivered Terraform, Helm charts, CI/CD workflows, scripts, and docs are generated for your project and handed over as customer-owned code.

Inspectable: You can review generated Terraform, Helm, CI/CD, and docs before deployment.
Modifiable: Your team can edit, extend, replace, or remove generated modules and values.
Portable: The output uses standard infrastructure tooling instead of a proprietary runtime.

Have a security question before checkout?

Ask before you buy. We will answer what is implemented today, what is configurable, and what is still on the roadmap.