Opsgenie security

Here at Opsgenie we take security very seriously. Below is a summary of our key security practices. If you have any questions, contact us at security@opsgenie.com, or participate in Opsgenie’s Community Forums.

Product security features


Authentication

  • Single sign-on
  • Strong Password, Password Expiration, and Password History policies
  • Captcha protection for password authentication
  • Ability to revoke all sessions or reset all user passwords
  • API key mandatory for API requests

Access control

  • Team-based configuration, schedules, escalations, policies, integrations, alerts, and incidents
  • Team-based integrations only allow access to team-based resources
  • User & team member role support
  • Custom role support for fine-grained access control policies
  • Integration access control policies & API key regeneration support

Logging

  • Persistent Alert, Incident, and Team Logs for regulatory compliance
  • Searchable Logs Page containing all activities

Your data fully under your control

  • Integrations and Modify policies shall restrict alert content stored on Opsgenie
  • Read & write is always available via web applications and REST API

Security for your systems

  • Static IPs available for whitelisting Opsgenie traffic to your systems, webhook & other integrations
  • Marid, a pub-sub Opsgenie event listener, requires no incoming traffic permissions

Organization security


  • Strict controls for Opsgenie employees’ access to customer data
  • Information security training and awareness program
  • Security embedded in the Software Development Life Cycle
  • Centralized Endpoint protection
  • Incident management policies & procedures implemented for security breaches
  • Policies & procedures implemented based on ISO 27001 Information Security
  • Shared responsibility model within the organization
  • Each product engineering team focuses on the security of features they crafted
  • Cross-functional team focuses on the application infrastructure security
  • Security & Reliability engineering team focuses on Cloud Infrastructure security
  • Chief Security & Reliability officer focuses on all aspects of security
  • Director of Security focuses on policies & compliance across the company
  • All management members and directors share security responsibility on their teams

Platform security


  • Shared responsibility model with AWS as Cloud Provider
  • Encryption in transit (TLS 1.2) and at rest (AES-256)
  • Passwords are stored with strong one-way hashing: bcrypt with salt & pepper
  • Stripe for Credit Card Processing, Stripe certified to PCI Service Provider Level 1
  • Always available on multiple regions and availability zones
  • Dedicated multi-tenant data protection layer
  • Multiple levels of firewalls, policy layers for network and data protection
  • DDoS protection, 24/7 DDoS support by AWS
  • Extensive logging and monitoring for vulnerabilities and intrusion detection
  • Automated configuration assessment
  • Changes and deployments are automated and reviewed
  • Penetration testing & 3rd Party Pentest

We rapidly investigate all reported security issues

If you believe you’ve discovered a bug in Opsgenie’s security, please get in touch with us at security@opsgenie.com. We will respond as quickly as possible to your report. We request that you do not publicly disclose the issue until it has been addressed by Opsgenie.