Security
Last reviewed: March 2026
Our commitment
We take the security of your data seriously. Here's exactly how we protect it — no vague claims, no meaningless badges. Just honest practices from a consultancy that handles client information with care.
Data handling
During engagements, we collect only what's necessary: contact information (name, email, company) from forms and booking, conversation notes from stakeholder interviews, and assessment results from our free tools.
Form submissions are retained for 12 months. Sprint deliverables are retained until you request deletion, or 24 months post-engagement — whichever comes first. When an engagement ends, we delete your data from all systems upon request.
Infrastructure security
All connections to opsprint.ai are encrypted via HTTPS. Our backend runs in isolated Docker containers with rate limiting on all API endpoints. Server timeouts are configured to prevent abuse.
We use structured JSON logging, and no client personally identifiable information is written to logs. Our server configuration follows security best practices, including read/write timeouts and header size limits.
Access controls
OpSprint currently operates as a single-person consultancy. Only the founder has access to all systems. Multi-factor authentication is enabled on every account. We follow the principle of least privilege — each third-party service has only the permissions it needs to function.
Confidentiality
We offer a mutual NDA to every client at onboarding — before any sensitive information is shared.
Client engagements are strictly separated. We never share data, insights, or deliverables between clients. All deliverables are shared only through agreed-upon channels.
Third-party services
We believe in transparency about the tools we use and why:
- Google Workspace — email and document collaboration
- Notion — project management and client tracking
- Cal.com — scheduling and booking
- Resend — transactional email delivery
- n8n — workflow automation (self-hosted)
Each vendor was selected with consideration for its own security posture. We regularly review whether these tools remain appropriate.
Incident response
In the unlikely event of a data breach or security incident, we follow a structured response process: identify, contain, assess impact, notify affected clients, remediate, and conduct a post-incident review.
We commit to notifying affected clients within 48 hours of any confirmed security incident.
For security concerns, contact us at security@opsprint.ai.