OpsBridge Legal

Security

This page explains current OpsBridge security practices in plain language. It is a trust resource for customers and prospects, not a certification report or formal legal opinion.

Effective date: May 6, 2026

Security at OpsBridge

OpsBridge is designed to support cleaning and field-service businesses with operational workflows, customer records, team activity, invoices, proposals, communications, and service execution data. Security decisions are made to keep workspace access clear, provider credentials server-side, and operational records accountable.

Workspace and Role-Based Access

OpsBridge separates business workspace access from Team Member Portal and Customer Portal access. Workspace users, team members, and customers should only receive the access needed for their role and workflow.

  • Business workspace access is intended for company operators and managers.
  • Team Member Portal access is intended for field staff and assigned task execution.
  • Customer Portal access is intended for customer-facing requests, appointments, proposals, invoices, and updates.

Team Member and Customer Portal Boundaries

Team Member Portal and Customer Portal experiences are intentionally separate from the business workspace. Team members should see assigned operational work, while customers should see customer-facing service information. Internal workspace controls, provider configuration, billing administration, and platform administration should not be exposed through those portal surfaces.

Tenant and Workspace Boundaries

OpsBridge is built around workspace boundaries so business data can be scoped to the appropriate company environment. Customers and team members should not be given access to unrelated workspace records, and administrators are responsible for managing invited users and access-code distribution carefully.

Server-Side Secrets and Environment Variables

Provider credentials are designed to remain server-side and are not intended to be exposed through public client variables. Integrations such as communications providers should use private environment variables, safe feature flags, and disabled-by-default behavior until the provider is configured and approved for production use.

Provider Credentials and Public Client Secrets

OpsBridge is designed to avoid exposing sensitive provider credentials through public client-side variables. Email, SMS, billing, storage, and other provider credentials should remain in private server-side configuration and should not be embedded in public pages, browser bundles, or customer-facing links.

Authentication and Access-Code Controls

OpsBridge uses authenticated business workspace access together with access-code-based entry surfaces for Team Member and Customer Portal workflows. Access codes should be treated as sensitive operational credentials and distributed only to the intended recipient. Access-code validation is intended to confirm the submitted code and route the recipient into the appropriate portal context, not to create broad workspace access.

Infrastructure and Managed Services

OpsBridge uses managed cloud infrastructure and may use services such as Supabase for parts of its application data layer. Managed provider security programs do not mean OpsBridge itself holds the same certifications. Customers should evaluate OpsBridge security documentation and any provider documentation separately.

Data Protection Practices

OpsBridge is designed to protect operational data through scoped access, server-side provider configuration, structured application workflows, and conservative communications behavior. Customers are responsible for the accuracy of the information they enter and for limiting access to authorized staff and customer contacts. The Privacy Policy explains how OpsBridge describes collection, use, sharing, and retention of operational data.

Operational Event Records

Certain workflows may keep operational records such as task activity, clock events, invoice status, proposal status, and communication delivery results. These records support accountability, customer service, and business review. They should not be treated as payroll, legal, or compliance records unless a separate written policy says so.

Communications Safety

OpsBridge communications are intended for operational notices such as access codes, appointment updates, proposal review notices, invoice review notices, service request updates, customer workspace updates, and team task updates. Communications providers should remain gated by server-side configuration, recipient eligibility checks, and applicable opt-out requirements.

Responsible Disclosure and Security Contact

If you believe you have found a security issue in OpsBridge, contact us at info@opsbridgeapp.com and include "Security" in the subject line. Please do not access, modify, delete, or disclose data that does not belong to you.

What We Do Not Claim

This page describes current security practices and design intent. It is not a certification report, audit report, or guarantee. OpsBridge does not claim SOC 2, HIPAA, ISO, PCI, GDPR, CCPA, or other formal certification status on this page.

Future Security Roadmap

OpsBridge may expand security documentation, operational logging, provider approval workflows, and administrative controls over time. Future roadmap items should not be interpreted as currently available features or guarantees.
