
Security

Your data never leaves your walls.

OpsWork is designed for a paranoid customer. Every architectural decision favours your perimeter over our convenience. The agents run inside your tenant; we never proxy your data through a third party.

Tenant-resident architecture

OpsWork runs in your Microsoft 365 tenant. SharePoint, Outlook, Teams, Key Vault — all in your perimeter. We never proxy your data through a third party.

Customer-own model access

Customer data is only processed by models accessed via your own Azure OpenAI / Foundry deployments. The MCP server refuses requests from any other tenant.

UK data residency

Production processing is pinned to UK South. EU South is the only failover region. No data egress to US or Asia.

Audit trail by default

Every agent decision logged with sha256-digested arguments. No raw payloads retained. Replayable against test fixtures without retention risk.

Secrets in Key Vault, RBAC only

No secrets in Function App config, no secrets in environment variables, no secrets in source. Function Apps reach Key Vault via managed identity with 'Key Vault Secrets User' role only.

GDPR-aligned offboarding

11-step plan-as-code completes inside 30 days. Erasure certificate issued at the end. Statutory retention (HMRC 6y, professional indemnity 15y, construction records 12y) honoured.

Certifications + roadmap.

We publish the path, not just the destination. If a control isn't in place yet, it's listed here with the date it will be.

  • Cyber Essentials Plus: In progress — Q3 2026
  • ISO 27001:2022: Target Q1 2027 (Stage 1 audit booked)
  • Cloud-native security baseline: Microsoft Defender for Cloud (Free CSPM tier) + Conditional Access (Entra ID P1) at customer go-live
  • Penetration testing: Annual, by CREST-registered third party (first test 2026 Q4)

Sub-processors.

We use only the minimum third parties needed. Each is contracted with a DPA, a UK transfer addendum, and a 30-day breach notification clause.

  • Cloudflare (CDN, Pages, Analytics)
  • Azure (compute, model inference)
  • Microsoft 365 (mail, SharePoint, Teams)
  • Office365 Connector (outbound email)

Webfonts (Manrope, IBM Plex Mono) are self-hosted from this site's own origin — Google Fonts is not a sub-processor.

A current and dated sub-processor list is available on request.

Security questionnaire ready.

Send us your DDQ / SIG-Lite / your DNO's standard supply-chain questionnaire. We typically return it inside three working days.