Security

Security is foundational to OpxKit. Here's how we protect the platform, your data, and the engineering assets in our marketplace.

Last updated: June 25, 2025

Our Security Philosophy

At OpxKit, security isn't a checkbox — it's a design principle. We're building a marketplace that engineering teams will trust with their infrastructure workflows, so we take every measure to ensure the platform is secure, resilient, and transparent about how we operate.

Data Encryption

All data transmitted between your browser and OpxKit is encrypted using TLS 1.3. Data at rest is encrypted using AES-256. We enforce HTTPS on all endpoints with HSTS headers to prevent downgrade attacks.

Sensitive credentials (API keys, secrets) are never stored in plaintext and are encrypted with envelope encryption at the application layer before persisting to the database.

Infrastructure Security

Our infrastructure is built on hardened cloud foundations:

  • Services run in isolated virtual private networks (VPCs) with strict ingress/egress rules.
  • Database access is restricted to the application layer only — there are no public database endpoints.
  • All infrastructure is defined as code (IaC) and reviewed before any change is deployed.
  • Automated vulnerability scanning runs on every deployment pipeline.
  • Secrets are managed via dedicated secrets management services, never in environment variables or source code.

Application Security

Our engineering practices embed security throughout the development lifecycle:

  • OWASP Top 10: all new features are reviewed against the OWASP Top 10 vulnerabilities.
  • Dependency scanning: automated alerts for known CVEs in dependencies (Dependabot, Snyk).
  • Static analysis: SAST tools run on every pull request.
  • Rate limiting: all public APIs and form endpoints have request rate limits to prevent abuse.
  • Input validation: strict server-side validation on all user input.

Access Control

Internal access to production systems follows the principle of least privilege. Multi-factor authentication (MFA) is mandatory for all internal team members. Access logs are retained and reviewed regularly. Any privileged access is time-bound and requires explicit approval.

Responsible Disclosure

We welcome security researchers to responsibly disclose vulnerabilities. If you've discovered a security issue in OpxKit, please report it to us at security@opxkit.com.

Please include a detailed description of the issue, steps to reproduce, and the potential impact. We aim to respond within 72 hours and will work with you to understand and resolve the issue promptly. We ask that you do not publicly disclose the vulnerability until we have had a chance to address it.

Incident Response

In the event of a security incident affecting user data, we commit to notifying affected users within 72 hours of becoming aware of the breach, as required by applicable data protection regulations. Our incident response process includes containment, investigation, remediation, and post-incident review.

Kit & Asset Vetting

All kits and infrastructure assets submitted to the OpxKit marketplace undergo a security review process before listing. This includes static analysis, dependency checks, and review by our platform engineering team to ensure no malicious or insecure code is distributed to buyers.

Questions?

If you have any questions about this document, reach out to us.

hello@opxkit.com