Security & Trust
Everything on this page is meant to be checked, not just believed. Specific facts about what we touch, where your data lives, and where we are on certifications — including the parts we're still working on.
Where we are, honestly
Opsight is an early-stage, founder-led company. We are not SOC 2 certified yet, and we'd rather tell you that plainly than imply a badge we haven't earned. Here's what that actually means for your data:
- We run entirely on SOC 2 Type II–certified infrastructure (Supabase, Vercel, Stripe) — the controls those platforms are audited for protect your data today.
- The security practices a SOC 2 audit looks for — encryption, least-privilege access, encrypted secrets, audit logging — are already how we build.
- Our own SOC 2 Type II is on the roadmap. We start formal certification as we grow, and we'll post progress on this page as we go — in the open.
If your security review requires a vendor SOC 2 report today, tell us — we'll walk your team through our current controls and timeline directly. support@opsighthq.com
Exactly what we access
We're a coaching tool, not a deal-intelligence platform. We read the handful of fields NOVA needs to coach you on your process — and the notes you choose to write. Nothing else.
What we read from your CRM
- →Deal / opportunity name
- →Amount & expected close date
- →Stage & company / account name
- →Next step and the deal description / notes reps write — this is what NOVA coaches on
What we never touch
- Email content, threads, or attachments
- Call recordings or transcripts
- Contracts, proposals, or documents
- Forecast / probability metrics
- Contact lists or customer financials
- Any object outside Opportunities (we never delete or bulk-export)
You decide what we can see
We connect over OAuth 2.0 — you never give us a password, and we store only an encrypted access token, never your credentials. You can revoke our access in one click from your CRM's settings at any time.
For Salesforce, we request the standard api scope — not full access. That scope is the only way an integration can read records at all, and — this is the important part — it can never exceed the permissions your admin grants the connecting user.Your admin sets, through a permission set, the exact data we can reach. The scope is the door; your permission set is the lock, and you hold the key. This is the principle of least privilege, and we hold ourselves to it.
Where your data lives & how it's protected
AES-256 encryption at rest and TLS 1.2+ in transit. OAuth tokens are encrypted with AES-256-GCM before they ever hit the database.
Hosted on US-based, SOC 2 Type II–certified infrastructure (Supabase, Vercel).
Disconnect anytime to immediately revoke access. Request permanent deletion yourself from Privacy & Data settings (or email support@opsighthq.com) — we remove it from our systems within 30 days, automatically.
We never sell your data, never share it with other customers, and never use it to train AI models for anyone else.
AI & your data
NOVA's coaching is generated using the Anthropic (Claude) API as our primary provider. When you ask for coaching, only the relevant deal context and notes are sent to generate a response. OpenAI is configured strictly as a backup — it is used only in the rare event Anthropic is unavailable, so your coaching keeps working.
- Both providers' API terms state they do not train their models on data sent through the API.
- We send only what's needed to coach the deal in front of you — never your whole CRM.
- We are finalizing zero-retention API terms with Anthropic (our primary provider), so deal data sent for coaching isn't retained after the response.
Sub-processors
The third parties we use to run Opsight, what they do, and what data they touch. We'll update this list before adding a new one that handles your data.
| Provider | Purpose | Region | Compliance |
|---|---|---|---|
| Supabase | Database & authentication (where your account and imported deal data live) | United States | SOC 2 Type II, ISO 27001 |
| Vercel | Application hosting & delivery | United States | SOC 2 Type II |
| Anthropic (Claude API) | AI coaching generation — our primary AI provider | United States | SOC 2 Type II · does not train on API data |
| OpenAI API | Backup AI provider only — used solely if Anthropic is unavailable | United States | SOC 2 Type II · does not train on API data |
| Stripe | Billing & payments | United States | PCI DSS Level 1, SOC 2 |
| Resend | Transactional email | United States | SOC 2 Type II |
Agreements & privacy
- Data Processing Agreement (DPA) available on request for customers who need one — email support@opsighthq.com.
- We maintain Data Processing Agreements with our sub-processors (the providers listed above).
- GDPR & CCPA: we don't sell personal data and honor access and deletion requests — deletion is permanent within 30 days of your request. For EU customers, our DPA includes Standard Contractual Clauses.
- Read our full Privacy Policy and Terms.
A real person stands behind this
Opsight is founder-built. If you have a security question, want to review our controls before you connect, or need something for your IT team, you won't hit a ticket queue — you'll reach a human who can actually answer. That direct line is something we can offer that bigger vendors can't.
support@opsighthq.comQuestions about connecting your CRM? See the Salesforce setup guide.