Trust Center

Security practices

The engineering and operational controls that protect your data.

Last updated: 24 April 2026

Security at Open Doors is a product function, not a bolt-on. It covers the platform we build, the infrastructure we run on, the people who have access, and the processes that tie them together. This page is a plain-English summary; customers under NDA can request our SOC 2 report for the full detail.

Encryption

  • In transit — TLS 1.2 or higher for every connection. HSTS preloaded on primary domains.
  • At rest — AES-256 applied at the storage layer. Sensitive fields additionally encrypted at the application layer.
  • Key management — keys stored in a managed key service, rotated regularly, never embedded in code.
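The two transport claims above (TLS 1.2 or higher, HSTS preloaded) are ones a customer can verify from the outside. The following is an added example, not Open Doors' own code: it parses a Strict-Transport-Security header and reports the format-level reasons it would fail preload submission (a max-age of at least one year, includeSubDomains, and the preload directive, per the hstspreload.org requirements; the HTTPS-redirect checks need a live connection and are out of scope here), and it builds a client TLS context that refuses anything below TLS 1.2. The sample headers are constructed for illustration, not captured from opendoors.ai.

```python
"""Offline checks for the transport-security claims: TLS >= 1.2 and a preload-eligible HSTS header."""
import ssl

# Preload requirement from hstspreload.org: max-age of at least one year, in seconds.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value into {directive: value-or-None}.

    Directive names are case-insensitive (RFC 6797); values keep their case.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def hsts_problems(header: str) -> list:
    """Return the reasons a header would fail preload submission; an empty list means eligible."""
    d = parse_hsts(header)
    problems = []
    raw = d.get("max-age")
    if raw is None or not raw.isdigit():
        problems.append("max-age missing or not a non-negative integer")
    elif int(raw) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {raw} is below the one-year preload minimum")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def client_context_tls12_min() -> ssl.SSLContext:
    """Client context that refuses TLS 1.0/1.1; use it when connecting to the platform.

    Certificate verification and hostname checking stay on (create_default_context).
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample headers for illustration (hypothetical, not captured from any site).
SAMPLES = {
    "preload-ready": "max-age=63072000; includeSubDomains; preload",
    "short-max-age": "max-age=300; includeSubDomains",
    "no-preload": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        probs = hsts_problems(hdr)
        print(f"{label}: {'OK' if not probs else '; '.join(probs)}")
    print("client minimum TLS:", client_context_tls12_min().minimum_version.name)
```

To check a real deployment, feed hsts_problems the header value returned by an HTTPS request to the primary domain, and open a socket with the context from client_context_tls12_min; a handshake that succeeds only with TLS 1.2 or 1.3 confirms the first bullet.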

Authentication and access control

  • Strong password requirements and breach-password screening.
  • Optional two-factor authentication (authenticator app or SMS); admins can enforce 2FA workspace-wide.
  • SAML SSO for Enterprise plans (Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, generic SAML 2.0).
  • Least-privilege permissions with granular per-module roles.
  • Audit logs on every privileged action (available on Pro and Enterprise).

Application security

  • Secure SDLC with threat-modelling on new features.
  • Static and dynamic application security testing (SAST/DAST) in CI.
  • Dependency scanning and patch windows for critical vulnerabilities.
  • Annual third-party penetration test with remediation tracked to closure.
  • Continuous bug-bounty programme (see Responsible Disclosure).

Infrastructure

  • Hosted on major cloud providers with SOC 2, ISO 27001, and regional compliance certifications.
  • Redundancy across availability zones.
  • Automated backups with point-in-time recovery. Backups encrypted and tested via quarterly restores.
  • Network segmentation and private subnets for databases and internal services.
  • DDoS protection and Web Application Firewall at the edge.

Detection and response

  • Centralised security logging with 365-day retention.
  • Continuous monitoring and alerting on suspicious authentication, privilege escalation, and data-access patterns.
  • Documented incident-response runbooks, tested annually.
  • 24/7 on-call rotation for security and availability events.

Personnel and vendor risk

  • Background checks for employees handling customer data, where legally permitted.
  • Mandatory security and privacy training at onboarding and annually.
  • All vendor access reviewed and justified; revoked on offboarding.
  • Vendor-risk review before any sub-processor is added.

Resilience

Availability target 99.9% monthly. Business continuity and disaster-recovery plans tested annually. Current status and any incidents are published at /status.

Questions about this page? Contact privacy@opendoors.ai.
