AWS permissions
ConvOps connects to your AWS account through a cross-account IAM role that you create via a provided CloudFormation template. The role is granted only read-only policies.
Specifically, ConvOps requests: CloudWatch:GetMetricData, CloudWatch:DescribeAlarms, CloudWatch:GetMetricStatistics; Logs:FilterLogEvents, Logs:GetLogEvents, Logs:DescribeLogGroups, Logs:DescribeLogStreams; CloudTrail:LookupEvents; ECS:DescribeServices, ECS:DescribeTasks, ECS:ListTasks; RDS:DescribeDBInstances; EC2:DescribeInstances.
ConvOps never requests any write permission (Create*, Update*, Delete*, Put*, Start*, Stop*). The IAM role has an explicit deny on all write actions as an additional safeguard.
To revoke ConvOps access instantly at any time: delete the IAM role from your AWS console. This requires no action on the ConvOps side.
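One way to check a role's policy document against the action list above before trusting it, as an added example (not ConvOps code and not the contents of the ConvOps template). The two policy documents are constructed samples, and the explicit-deny check is assumed to cover only the six services the role reads from.

```python
import fnmatch

# Read-only actions listed on this page (IAM matches action names case-insensitively).
LISTED = {a.lower() for a in """
cloudwatch:GetMetricData cloudwatch:DescribeAlarms cloudwatch:GetMetricStatistics
logs:FilterLogEvents logs:GetLogEvents logs:DescribeLogGroups logs:DescribeLogStreams
cloudtrail:LookupEvents ecs:DescribeServices ecs:DescribeTasks ecs:ListTasks
rds:DescribeDBInstances ec2:DescribeInstances""".split()}
WRITE_PREFIXES = ("create", "update", "delete", "put", "start", "stop")
SERVICES = sorted({a.split(":")[0] for a in LISTED})

def _listify(v):
    # IAM allows a single string/object where a list is also accepted.
    return [v] if isinstance(v, (str, dict)) else list(v or [])

def audit_policy(policy):
    """Return findings; an empty list means the policy matches the page's description."""
    findings, deny_patterns = [], []
    for st in _listify(policy.get("Statement")):
        actions = [a.lower() for a in _listify(st.get("Action"))]
        if st.get("Effect") == "Allow":
            if "NotAction" in st:
                findings.append("Allow with NotAction grants everything not named")
            # Strict comparison: wildcards such as logs:Get* are reported too.
            findings += [f"Allow outside listed set: {a}" for a in actions if a not in LISTED]
        elif st.get("Effect") == "Deny" and "Condition" not in st \
                and "*" in _listify(st.get("Resource")):
            deny_patterns += actions  # only unconditional, all-resource denies count
    for svc in SERVICES:
        for prefix in WRITE_PREFIXES:
            probe = f"{svc}:{prefix}example"  # stand-in for any action with this prefix
            if not any(fnmatch.fnmatchcase(probe, p) for p in deny_patterns):
                findings.append(f"No explicit Deny for {svc}:{prefix.capitalize()}*")
    return findings

# Constructed sample documents for illustration only.
GOOD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(LISTED), "Resource": "*"},
    {"Effect": "Deny", "Resource": "*",
     "Action": [f"{s}:{p.capitalize()}*" for s in SERVICES for p in WRITE_PREFIXES]}]}
DRIFTED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:Get*", "ec2:DescribeInstances", "ecs:UpdateService"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": ["ecs:Update*"], "Resource": "*"}]}

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("DRIFTED", DRIFTED)):
        print(name, audit_policy(doc) or "matches the published list")
```

To audit a real role, pass in the policy JSON exported from your own account in place of the samples.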
Credential handling
ConvOps does not store your AWS credentials. Authentication happens via STS AssumeRole — ConvOps holds only the Role ARN (which is not a credential), and AWS issues short-lived session tokens on each API call.
Session tokens are held in memory for the duration of a single investigation and are never written to disk or any database.
WhatsApp delivery uses the WhatsApp Business API. ConvOps stores only your WhatsApp phone number and the ConvOps-generated webhook token — not your WhatsApp credentials.
Data retention
Raw metric datapoints collected during diagnosis are retained for 30 days and then deleted automatically via DynamoDB TTL.
Security findings (GuardDuty, Security Hub, Inspector) are retained for 7 days. Infrastructure events are retained for 7 days.
Incident summaries (the AI-generated diagnosis text) are retained for 90 days and are visible only to authenticated members of your workspace.
Account metadata (AWS account IDs, IAM role ARNs, WhatsApp phone numbers) is retained for the lifetime of your ConvOps account and is deleted within 7 days of account closure.
ConvOps does not sell, license, or share your data with third parties. Aggregate and anonymised data (e.g. median resolution times across all users) may be used internally to improve the product.
Encryption
All data is encrypted at rest using AES-256. Databases and object storage use AWS KMS-managed keys.
All data in transit is encrypted using TLS 1.3. ConvOps enforces HSTS across all endpoints.
Backups are encrypted with the same key policy as the primary data store.
Infrastructure
ConvOps runs on AWS in eu-central-1 (Frankfurt). Enterprise customers may request data residency in a specific region.
The ConvOps API and worker infrastructure is isolated at the network level per customer workspace using separate VPC segments.
Automated vulnerability scanning runs on every deployment. Critical and high findings block the deployment pipeline.
Compliance
ConvOps is SOC 2 Type II audit-ready. The audit engagement is in progress; a report will be available to Pro and Enterprise customers upon completion.
ConvOps is GDPR-compliant. A Data Processing Addendum (DPA) is available on request.
Penetration testing is conducted annually by an independent third party. The latest executive summary is available to Enterprise customers under NDA.
Incident response
If ConvOps becomes aware of a security incident affecting customer data, affected customers will be notified within 72 hours via the email address on their account.
To report a security vulnerability, email security@convops.io. We follow a 90-day responsible disclosure policy.
Questions about security?
Email us at security@convops.io or book a call to discuss Enterprise requirements.