Security and privacy by design

Security at every layer

From the agent on your server to the dashboard in your browser, every hop is encrypted, scoped, and verifiable. Here is exactly how.

ASVS L2

OWASP standard, self-assessed

99%

controls met or in progress

TLS 1.3

encrypted end to end

Zero

cross-tenant access

Defense in depth

A control at every hop

Follow a request end to end. Each layer is independently hardened, so a weakness in one never becomes a breach of the next.

01

Your server

  • Non-root agent
  • Whitelisted commands
  • File integrity checks
02

Encrypted link

  • TLS 1.3 in transit
  • Constant-time tokens
  • 10s auth timeout
03

Optimux platform

  • Tenant isolation
  • Private-network DBs
  • Encrypted at rest
04

Your dashboard

  • Role-based access
  • Multi-IP session guard
  • Optional 2FA

How we protect you

Built on hard guarantees

Multi-tenant isolation

Every organization lives in its own data boundary. One tenant can never read another tenant's servers, scans, or alerts - it is enforced at the query layer, not just the UI.

Org A
sealed
Org B
sealed
0

Changes without your action

Scans are read-only. Nothing on your servers changes unless you start an update - with pre and post checks.

Whitelisted commands only

A strict, predefined command set. Zero wildcards, zero open-ended execution, integrity-checked on startup.

Least privilege agent

Runs as a dedicated non-root user, no shell, no interactive login. Restarted automatically by the OS.

File integrity verification

Critical config files are SHA-256 hash-verified on every startup. Unauthorized modifications are detected and reported immediately, so your posture stays verifiably intact.

ASVS L2
OWASP ASVS 5.0 - Level 2

Built to a recognized standard

Optimux is built and self-assessed against the OWASP Application Security Verification Standard 5.0 at Level 2 - the bar for applications that handle sensitive data. Every release is checked against it, and any gap goes onto a tracked remediation roadmap.

  • TLS 1.3 in transit, databases on a private network
  • Multi-tenant isolation with no cross-tenant access by design
  • Single-use, cryptographically random session tokens
  • Security response headers and a Content Security Policy
  • Breached-password screening and time-based 2FA
  • Dependency and standard-library vulnerability gates
  • A memory-safe stack from the agent to the dashboard

An internal self-assessment, not a third-party certification.

Your data

Handled with restraint

Retention you control

Monitoring data, scan results, and alert history are retained by plan - 7 days (Free), 30 days (Business), or 90 days (Business Managed). Extended-retention add-ons are available.

Encrypted, access-controlled

Every connection uses TLS 1.3. Databases sit on a private network with no direct internet exposure, behind strong credentials and multi-tenant isolation.

Zero third-party tracking

No Google Analytics by default, no Facebook Pixel, no external trackers. We never sell, share, or monetize customer data.

GDPR compliant

We collect only what the service needs. Data export and deletion are available on request - your data belongs to you.

Responsible disclosure

Found a vulnerability? Report it privately and we will acknowledge within 3 business days, share an initial assessment within 7, and remediate critical issues within 7 days. We will not pursue good-faith researchers who follow the policy.

security@optimux.io

Your servers deserve
better than hope.

Replace your patchwork of monitoring tools with one platform that covers security, uptime, vulnerabilities, and compliance - backed by a team that has your back.

Live in under 5 minutesFree plan - no credit card neededAI + real engineering expertiseWe welcome your feedback

Built with AI and years of hands-on infrastructure experience. Help us improve - we value every piece of feedback.