Security

Plain-language summary. This is our current security posture. Enterprise customers can request additional documentation before signing.

Infrastructure

Oprag runs on AWS: S3, Bedrock, Cognito, CloudFront, DynamoDB, and Lambda. All environments are operated by Oprag — not deployed into customer AWS accounts on Starter or Pro.

Tenant isolation

Every document and query is scoped to a company ID and project ID. Cross-tenant retrieval is not permitted by architecture.

Encryption

Documents encrypted at rest in S3. TLS in transit. API keys via the X-Oprag-Key header or Authorization: Bearer — treat keys like passwords.

Authentication

Cognito for dashboard users. API keys for programmatic access. Keys are revocable and rotatable from the dashboard.

Model processing

Queries are processed through AWS Bedrock within Oprag's environment. We do not route your data to external model APIs.

What we don't do

• No training on your documents for shared models
• No BYOC / customer AWS deployment on Starter or Pro
• No selling or sharing document content with third parties

Reporting

Security concerns → hello@oprag.ai. See also our Privacy page.