Security at every layer
From the agent on your server to the dashboard in your browser, every hop is encrypted, scoped, and verifiable. Here is exactly how.
OWASP standard, self-assessed
controls met or in progress
encrypted end to end
cross-tenant access
Defense in depth
A control at every hop
Follow a request end to end. Each layer is independently hardened, so a weakness in one never becomes a breach of the next.
Your server
- Non-root agent
- Whitelisted commands
- File integrity checks
Encrypted link
- TLS 1.3 in transit
- Constant-time tokens
- 10s auth timeout
Optimux platform
- Tenant isolation
- Private-network DBs
- Encrypted at rest
Your dashboard
- Role-based access
- Multi-IP session guard
- Optional 2FA
How we protect you
Built on hard guarantees
Multi-tenant isolation
Every organization lives in its own data boundary. One tenant can never read another tenant's servers, scans, or alerts - it is enforced at the query layer, not just the UI.
Changes without your action
Scans are read-only. Nothing on your servers changes unless you start an update - with pre and post checks.
Whitelisted commands only
A strict, predefined command set. Zero wildcards, zero open-ended execution, integrity-checked on startup.
Least privilege agent
Runs as a dedicated non-root user, no shell, no interactive login. Restarted automatically by the OS.
File integrity verification
Critical config files are SHA-256 hash-verified on every startup. Unauthorized modifications are detected and reported immediately, so your posture stays verifiably intact.
Built to a recognized standard
Optimux is built and self-assessed against the OWASP Application Security Verification Standard 5.0 at Level 2 - the bar for applications that handle sensitive data. Every release is checked against it, and any gap goes onto a tracked remediation roadmap.
- TLS 1.3 in transit, databases on a private network
- Multi-tenant isolation with no cross-tenant access by design
- Single-use, cryptographically random session tokens
- Security response headers and a Content Security Policy
- Breached-password screening and time-based 2FA
- Dependency and standard-library vulnerability gates
- A memory-safe stack from the agent to the dashboard
An internal self-assessment, not a third-party certification.
Your data
Handled with restraint
Retention you control
Monitoring data, scan results, and alert history are retained by plan - 7 days (Free), 30 days (Business), or 90 days (Business Managed). Extended-retention add-ons are available.
Encrypted, access-controlled
Every connection uses TLS 1.3. Databases sit on a private network with no direct internet exposure, behind strong credentials and multi-tenant isolation.
Zero third-party tracking
No Google Analytics by default, no Facebook Pixel, no external trackers. We never sell, share, or monetize customer data.
GDPR compliant
We collect only what the service needs. Data export and deletion are available on request - your data belongs to you.
Responsible disclosure
Found a vulnerability? Report it privately and we will acknowledge within 3 business days, share an initial assessment within 7, and remediate critical issues within 7 days. We will not pursue good-faith researchers who follow the policy.
Your servers deserve
better than hope.
Replace your patchwork of monitoring tools with one platform that covers security, uptime, vulnerabilities, and compliance - backed by a team that has your back.
Built with AI and years of hands-on infrastructure experience. Help us improve - we value every piece of feedback.
