Last updated: 1 March 2026

Security Policy

1. Overview

MissionOpsAI Ltd (company registration number 14437210) is committed to maintaining the highest practical standards of information security for the MissionOpsAI Platform and all data entrusted to us by our clients. This Security Policy describes the technical and organisational measures we implement to protect the confidentiality, integrity, and availability of platform data.

Our security practices are aligned with the principles of ISO/IEC 27001 and we are progressing towards formal certification. For clients operating in regulated sectors, we note our alignment with ISO 42001 (AI management systems) and the Ministry of Defence's JSP 936 AI assurance framework where applicable.

2. Infrastructure and Data Residency

All MissionOpsAI Platform infrastructure is hosted on dedicated servers provided by Hetzner Online GmbH, located in data centres in Germany and Finland. Both locations are within the European Economic Area. We do not use US-based public cloud providers (such as AWS, Azure, or Google Cloud) for primary platform hosting or data storage.

This architecture ensures that client data does not transit through or reside in US jurisdiction as part of normal platform operations, addressing concerns relevant to US CLOUD Act reach. Data does not leave EEA infrastructure except where explicitly required for AI inference via API providers, in which case IDTA-compliant transfer safeguards are applied and data is not retained by those providers.

Our data centres operate to ISO 27001, ISO 9001, and ISO 14001 standards and maintain multiple certifications including SOC 2 equivalents and EN 50600 (data centre facilities) compliance.

3. Encryption

Data at rest: All client data stored on the MissionOpsAI Platform is encrypted using AES-256. Database volumes, backups, and file storage are all subject to full encryption. Encryption keys are managed separately from encrypted data.

Data in transit: All communications between clients and the Platform are encrypted using TLS 1.3. We do not support TLS 1.1 or earlier. HTTP connections are automatically redirected to HTTPS. API communications are secured using TLS 1.3 with forward secrecy.

Authentication tokens: Session tokens and authentication credentials are stored using industry-standard hashing (bcrypt with a work factor appropriate to current hardware capabilities) and are never stored in plaintext.

4. Access Controls

We implement the principle of least privilege throughout our systems. Access to client data is restricted to authorised MissionOpsAI personnel who require it to deliver the service. We maintain an access register and review permissions regularly. All administrative access requires multi-factor authentication.

Within the Platform, clients can implement role-based access controls (RBAC) to restrict data access to appropriate users within their own organisations. Audit logs record all significant access events for the purpose of security monitoring and incident response.

Remote access to infrastructure is restricted to VPN or SSH with public-key authentication. Password-based SSH authentication is disabled on all production systems.

5. Vulnerability Management

We conduct regular vulnerability assessments of the MissionOpsAI Platform and underlying infrastructure. Identified vulnerabilities are triaged by severity and remediated within defined timescales: critical vulnerabilities within 24 hours, high severity within 7 days, medium severity within 30 days.

Software dependencies are monitored for known vulnerabilities using automated tooling. We maintain a process for applying security patches promptly. Platform updates are tested in a staging environment before deployment to production.

6. Incident Response

We maintain a documented incident response plan covering detection, containment, investigation, remediation, and post-incident review. In the event of a security incident affecting client data:

  • We will notify affected clients without undue delay and within 72 hours where required under UK GDPR.
  • We will provide information about the nature of the incident, data affected, and remediation steps taken.
  • We will cooperate fully with any regulatory investigation.
  • Post-incident reviews will be used to improve our security controls.

7. Business Continuity and Backups

Client data is backed up daily with backups retained for 30 days. Backups are encrypted and stored separately from primary data. We test backup restoration procedures regularly. Our recovery time objective (RTO) is 4 hours and recovery point objective (RPO) is 24 hours for planned disaster recovery scenarios.

8. Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities from security researchers and the public. If you believe you have discovered a vulnerability in the MissionOpsAI Platform or our infrastructure, please contact us at security@missionopsai.com.

We commit to: acknowledging your report within 2 business days; investigating and keeping you informed of progress; working to remediate valid vulnerabilities promptly; and not taking legal action against researchers who act in good faith in accordance with this disclosure policy. We ask that you do not publicly disclose vulnerabilities before we have had a reasonable opportunity to remediate them.

9. Standards Alignment

Our security programme is aligned with the following frameworks:

  • ISO/IEC 27001 — Information Security Management System principles (certification in progress).
  • ISO/IEC 42001 — AI Management System standard, addressing responsible AI development and deployment.
  • JSP 936 — Ministry of Defence AI Principles & Practices, relevant for defence-sector clients.
  • UK GDPR / DPA 2018 — Data protection by design and by default.
  • Cyber Essentials — Baseline cyber hygiene principles maintained across our systems.

10. Contact

For security-related enquiries, vulnerability reports, or to request our security documentation pack, contact security@missionopsai.com.

For general legal enquiries: legal@missionopsai.com.

© 2026 MissionOpsAI Ltd. All rights reserved.
Company No: 14437210 · VAT No: GB 433426806 · Registered in England and Wales
Registered Office: The Top Floor, Kings Road, Bury St Edmunds, IP33 3DE
Cyber Essentials Certified
JSP 936 Aligned · NATO PRU Compliant · SC-Cleared Founder