Security

Security Overview

How we protect your data, your infrastructure, and your operations. Security is foundational to everything we build.

These terms are provided as a framework and should be reviewed by qualified legal counsel before reliance.

Last updated: 15 February 2026

1. Our Approach to Security

At MissionOpsAI, security is not a feature -- it is a foundational principle that shapes every aspect of our platform, our operations, and our culture. We build AI operations systems for organisations in regulated industries where the consequences of a security failure are not merely inconvenient but potentially existential: regulatory sanctions, compromised safety, loss of public trust.

Our security philosophy is built on three pillars:

  • Sovereignty: Your data stays under your control. We operate sovereign infrastructure so that you never have to trust a third party with your most sensitive assets.
  • Defence in depth: We implement multiple, overlapping layers of security controls so that no single point of failure can compromise the system.
  • Transparency: We believe trust is earned through openness. This document describes our security practices at a high level. For detailed technical discussions, please contact our security team directly.

We continuously review and improve our security posture in response to emerging threats, evolving best practices, and feedback from our customers and the security community.

2. Data Encryption

Protecting data confidentiality is a core obligation. We apply strong encryption at every stage of the data lifecycle.

2.1 Encryption in Transit

All data transmitted to and from MissionOpsAI services is encrypted using Transport Layer Security (TLS) 1.2 or higher. This applies to all communication channels, including web interfaces, API endpoints, and internal service-to-service communication. We enforce HTTPS across all endpoints and employ HTTP Strict Transport Security (HSTS) to prevent protocol downgrade attacks.

2.2 Encryption at Rest

All data stored within MissionOpsAI systems is encrypted at rest using AES-256 encryption or equivalent. This includes databases, file storage, backups, and logs. Encryption keys are managed through secure key management practices with appropriate access controls, rotation schedules, and separation of duties.

3. Access Controls

We implement strict access controls to ensure that only authorised individuals can access systems, data, and functionality appropriate to their role.

  • Role-based access control (RBAC): Access to the platform and internal systems is governed by the principle of least privilege. Users and personnel are granted only the minimum permissions necessary to perform their specific functions.
  • Multi-factor authentication (MFA): MFA is required for all administrative access to production systems and is available for all customer accounts. We strongly recommend that all users enable MFA.
  • Session management: Sessions are subject to automatic timeouts, secure token handling, and protection against session fixation and hijacking.
  • Access reviews: We conduct regular reviews of access permissions to ensure they remain appropriate and promptly revoke access when personnel change roles or leave the organisation.
  • Audit logging: All access to systems and data is logged, including authentication events, permission changes, and data access. Audit logs are tamper-resistant and retained for compliance purposes.

4. Infrastructure Security

MissionOpsAI operates sovereign infrastructure designed to meet the needs of organisations that require full control over where their data resides and how it is processed.

  • Sovereign hosting: Our infrastructure is hosted within the United Kingdom, ensuring that customer data remains subject to UK jurisdiction and data protection law. We do not rely on hyperscale cloud providers for the storage or processing of customer data unless explicitly agreed with the customer.
  • UK data centres: Our hosting facilities are located in UK data centres that maintain appropriate physical security controls, including 24/7 security personnel, CCTV surveillance, biometric access controls, and environmental protections (fire suppression, climate control, redundant power).
  • Network security: Our infrastructure is protected by firewalls, intrusion detection and prevention systems, and network segmentation. We maintain strict controls over inbound and outbound network traffic.
  • Redundancy and resilience: Critical systems are designed with redundancy to minimise the impact of hardware failures. We maintain backup and disaster recovery procedures to ensure business continuity.

5. Incident Response

We maintain a structured incident response process to ensure that security events are detected, contained, investigated, and resolved promptly and effectively.

  • Detection: We employ continuous monitoring, automated alerting, and log analysis to detect potential security incidents in real time.
  • Classification: Incidents are classified by severity to ensure appropriate escalation and resource allocation. Critical incidents trigger immediate response procedures.
  • Containment and remediation: Upon detection, our incident response team works to contain the incident, minimise impact, preserve evidence, and restore affected systems to normal operation.
  • Notification: Where a security incident affects customer data, we will notify affected customers without undue delay and in accordance with our contractual obligations and applicable law. We aim to provide initial notification within 48 hours of confirmed impact.
  • Post-incident review: Following resolution, we conduct a thorough post-incident review to identify root causes, assess the effectiveness of our response, and implement improvements to prevent recurrence.

6. Vulnerability Management

We take a proactive approach to identifying and addressing vulnerabilities before they can be exploited.

  • Regular scanning: We conduct regular automated vulnerability scans across our infrastructure and applications to identify potential weaknesses.
  • Penetration testing: We commission periodic penetration tests by qualified independent security professionals to assess our defences from an attacker's perspective.
  • Patch management: We maintain a structured patch management process to ensure that security patches and updates are evaluated and applied promptly. Critical security patches are prioritised for expedited deployment.
  • Secure development: Our development practices incorporate security throughout the software development lifecycle, including code review, static analysis, dependency scanning, and security testing prior to release.
  • Dependency management: We monitor third-party dependencies for known vulnerabilities and update or replace them as necessary.

7. Employee Security

Our people are a critical part of our security posture. We invest in ensuring that every member of the MissionOpsAI team understands and upholds their security responsibilities.

  • Background checks: All personnel undergo appropriate background verification as part of the hiring process, to the extent permitted by applicable law.
  • Security training: All employees receive security awareness training upon joining and on a regular ongoing basis. Training covers topics including phishing, social engineering, data handling, and incident reporting.
  • Acceptable use: All personnel are bound by our internal acceptable use and information security policies, which set clear expectations for the handling of customer data and company systems.
  • Confidentiality: All personnel with access to customer data are bound by contractual confidentiality obligations.
  • Offboarding: When personnel leave the organisation or change roles, access to systems and data is promptly revoked in accordance with our access management procedures.

8. Compliance and Standards

We align our security practices with recognised international standards and regulatory frameworks to ensure we meet the expectations of organisations in regulated industries.

  • ISO 27001 alignment: Our information security management practices are aligned with the ISO/IEC 27001 standard. We implement controls across all domains of the standard, including risk assessment, access control, cryptography, operations security, communications security, and supplier relationships.
  • UK GDPR and Data Protection Act 2018: We process personal data in accordance with the UK GDPR and the Data Protection Act 2018. Our Privacy Policy and Data Processing Agreement set out our commitments in detail.
  • Governance and audit: Our platform is designed to support our customers' own compliance requirements through comprehensive audit logging, governance controls, approval workflows, and reporting capabilities.
  • Continuous improvement: We regularly review our compliance posture against evolving standards and regulatory requirements, and we engage with external auditors and assessors to validate our practices.

9. Responsible Disclosure

We value the work of the security research community and welcome responsible disclosure of any vulnerabilities or security concerns affecting MissionOpsAI services.

If you believe you have discovered a security vulnerability in any MissionOpsAI product or service, we ask that you:

  • Report the vulnerability to us privately at security@missionopsai.com before making any public disclosure
  • Provide sufficient detail to allow us to reproduce and verify the issue, including steps to reproduce, affected components, and potential impact
  • Allow us a reasonable period to investigate and address the vulnerability before any public disclosure -- we request a minimum of 90 days
  • Refrain from accessing, modifying, or deleting data belonging to other users during your research
  • Refrain from any activity that could disrupt, degrade, or damage the Services or their users

We commit to:

  • Acknowledging receipt of your report within 3 business days
  • Providing regular updates on the status of our investigation and remediation
  • Not pursuing legal action against researchers who act in good faith and in accordance with this disclosure policy
  • Crediting researchers (with their consent) for valid vulnerability reports

10. Contact

If you have any questions about our security practices, wish to report a security concern, or need to discuss specific security requirements for your organisation, please contact our security team:

For customers with specific security or compliance requirements, we are happy to discuss our practices in further detail, provide additional documentation, or arrange calls with our security team.