Security and Trust

Organizations entrusting OPSCOM with permit data, payment records, enforcement history, and security incident information have a legitimate need to understand how that data is protected. This page explains how OPSCOM approaches data security, what controls are in place, and where we are in our compliance journey.


Our Security Posture

Security has been a core design consideration in OperationsCommander since the platform’s earliest days — long before compliance frameworks made it mandatory. Handling credit card data, personal information, and sensitive enforcement records from day one shaped how the platform was built and continues to shape how it evolves.

For organizations that want to review our current security controls, policies, and compliance documentation directly, our Trust Center is the authoritative source:

View the OPSCOM Trust Center — powered by Drata


Compliance and Certifications

SOC 2 Type 2 — In Progress

OPSCOM is currently pursuing SOC 2 Type 2 certification. SOC 2 Type 2 audits ongoing security controls over a sustained period — it is a more rigorous and meaningful standard than a point-in-time assessment. We expect to complete this process in the near future. Current compliance documentation and control details are available through our Trust Center.

PCI DSS Compliance

OPSCOM uses a hosted payment model for all payment processing. Cardholder data is handled directly by trusted third-party payment providers — including Moneris, TouchNet, Chase Paymentech, Authorize.net, and PayPal — rather than passing through OPSCOM systems. This hosted approach eliminates the most significant PCI DSS obligations for client organizations while maintaining a seamless payment experience for end users.

FedRAMP

OPSCOM has recently begun the FedRAMP authorization process. FedRAMP is a US federal government security framework required for cloud services used by federal agencies. We will provide updates as this process advances.


Platform Security Controls

Data encryption

All data transmitted between users, client systems, and OPSCOM servers is encrypted using SSL/TLS protocols — the same standard used by financial institutions and major enterprise platforms. Data at rest is encrypted and hosted in a secure, managed cloud environment.

Password security

User passwords are stored as salted hashes. Plain text passwords are never stored or accessible to administrators. Password resets are completed through secure system-generated links — passwords are never transmitted in plain text via email or any other channel.

Role-based access controls

Every OPSCOM module supports configurable role-based access controls. Administrators define precisely what each user role can see, create, edit, or manage. Sensitive records — investigation files, financial data, enforcement history — are accessible only to personnel with appropriate authorization. This both protects client data and limits internal liability from accidental access or overstep.

Audit trails

Every action taken within OPSCOM is logged with a timestamp and the identity of the user who performed it. Audit trails are complete and tamper-evident — supporting compliance reviews, legal proceedings, and internal accountability requirements. Where the system determines a comment is appropriate, the comment is required before the action can be completed.

Hosted infrastructure

OPSCOM is a fully cloud-hosted platform. Client organizations do not manage servers, apply patches, or maintain infrastructure. Security updates, bug fixes, and maintenance are handled by the OPSCOM team — typically without any client-side action required. Uptime and availability are monitored continuously.

Configurable security settings

Organizations can configure additional security controls to match their internal policies:

  • Password strength requirements — minimum length, character complexity, username/password separation
  • Password expiry intervals — configurable per organizational policy
  • Login lockout protocols — limits on failed attempts before account lockout, configurable by IP or account criteria
  • Regular account audits — reviewing active accounts, access patterns, and permission appropriateness

Implementation and Onboarding

Every OPSCOM deployment is implementation-driven rather than self-serve. The OPSCOM team works with each organization to configure the platform for their specific operational requirements — user types, permit structures, enforcement rules, integrations, workflows, and branding — before go-live.

Implementation does not require custom software development. OPSCOM is a configurable platform — the vast majority of organizational requirements are addressed through administrative configuration settings rather than code modifications. For more detail on the platform’s configurability, see the OPSCOM Customization overview.

For organizations with specific implementation questions or compliance requirements that need direct discussion, contact us to speak with the team directly.


Support

Every OPSCOM client receives the same level of support — there are no tiered response times or feature-gated support plans. Our team is available Monday through Friday, 9am to 5pm EST, with email support and escalation paths available outside those hours for urgent situations.

Support is not a separate service — it is part of how we operate. The testimonials throughout this site reflect that approach: clients describe reaching the team quickly, getting issues resolved promptly, and feeling like a genuine partner rather than a ticket number.

For support enquiries: Contact Us


Questions About Security or Compliance?

For organizations with specific security requirements, compliance questionnaires, or procurement-related questions, the best starting point is a direct conversation with the OPSCOM team.

Contact us to discuss your requirements or review our current security documentation in the Trust Center.
