
Your Data Secured.

Overview

At Opal, we are committed to fostering a secure platform for all, prioritizing security, and continuously innovating to address evolving threats while serving as a trusted steward of the digital realm.

Opal is purpose-built to architect, approve, and deliver your communications mix, processing your marketing and communications content before it is ready for publication. We safeguard your data through modern security practices embedded in our development cycle, third-party audits to verify our work, and compliance with international data privacy and protection requirements.

We collaborate closely with leaders in various industries who trust us with their data, and we invite you to explore our Security page to learn about the processes we deploy to ensure your content remains protected until you are ready to share it with the world.

Compliance

Certifications & Frameworks

Opal’s Security Management System complies with the ISO 27001:2013 standard and has been reviewed against the SOC 2® assessment, including the Trust Services Criteria.

Opal is delighted to share full reports with customers and prospects upon request under a Non-Disclosure Agreement (NDA). To request executive summaries, please contact infosec@workwithopal.com.

Security Technology

Encryption

✅ Encryption-at-rest

✅ Encryption-in-transit

Application Security

✅ Change Management

✅ White Box Testing

✅ OWASP Top 10 Training

Network Security

✅ IDS/IPS

✅ Vulnerability Scanning

✅ Third-Party Testing

Access Management

✅ Role-Based Access Control

✅ 2FA Enforcement

✅ Monitoring & Logging

Endpoint Security

✅ Anti-Virus/Malware Scanning

✅ Full Disk Encryption

✅ Patch Management

HR Security

✅ Personnel Screening

✅ Confidentiality Agreements

✅ Security Training

Security in the Cloud

Opal is hosted on a major Cloud Service Provider (CSP). Our CSP has a demonstrated track record of exceptional uptime, resilience, and overall performance levels in addition to SOC 2 and ISO 27001 compliance, stringent backup processes, and environmental control systems.

We host data in multiple regions for availability and legal purposes.

Encryption

We encrypt our customers’ data by default—in transit and at rest—and regularly test our encryption algorithms to make sure they’re strong. Databases and database backups are fully encrypted at rest. You can perform an independent test of our encryption quality using the Qualys SSL Test.

Data in transit is encrypted using TLS 1.2+, and data at rest is encrypted using AES-256, with encryption keys stored in Hardware Security Modules (HSMs). We hash passwords with bcrypt before storing them in our encrypted database.

Login Security

Opal’s login process includes support for custom password complexity requirements, secure reset mechanisms, enforcement of 2FA, and defined rotation schedules.

We also support SAML-based integrations into your Single Sign On (SSO) system, if you’d prefer to keep control over the authentication and provisioning process.

Development Methodology

Fundamental to our security posture is securing our Platform, codebase, dependencies, and ecosystem of tools that allow us to produce and maintain the Opal Platform. While this isn’t a comprehensive list, here are a few of the things we do to secure the development and release process.

  • Opal follows an Agile development methodology to ensure that changes are released in small chunks; this helps our peer reviewers and QA team catch bugs before they’re released and allows us to roll back changes without significant disruption in the event that they introduce unforeseen issues
  • Prior to release, changes undergo peer review, automated and manual testing, a variety of automated code quality checks, and static code analysis to reduce the chance of avoidable security mistakes making their way into production
  • Opal maintains a variety of tooling to detect out-of-date software and dependencies in our environments that pose security risks, and we commit to rapid patching of critical issues
  • The Opal Platform is generally provided as a multi-tenant cloud Platform; typically, security improvements that we make for any one customer are shared across our global customer base

Security Technology

We use a wide range of Security tools and methodologies to protect our Customers’ data, including the following:

  • Network-based intrusion detection/prevention systems (IDS/IPS)
  • Network and host-based anti-malware countermeasures
  • Full disk encryption on Opal workstations
  • System Integrity Protection (SIP) to protect operating systems against tampering
  • Weekly vulnerability scanning and annual penetration testing using third-party technologies and providers
  • Rapid patching of critical security issues
  • Internal security training programs, including social engineering/phishing training, BC/DR tabletop exercises, and OWASP training for all engineers
  • Extensive platform logging, with active review and escalation procedures for potential security issues

Business Continuity & Disaster Recovery

Resilience

We provide the Opal Platform as a load-balanced cloud service. If a server malfunctions, we will typically replace it on the fly with a healthy one. In the event of widespread disruption, the Opal database is replaced on the fly with backup infrastructure provisioned in an alternate availability zone within our cloud provider.

We also take backups incrementally throughout the day, with full backups taken every day. For the purposes of planning and testing, we set a Recovery Point Objective (RPO) of 1 hour, and a Recovery Time Objective (RTO) of 12 hours, meaning that you should expect us to recover from anticipated disruptions quickly and with minimal potential data loss.

While specific uptime requirements may be negotiated, we offer a standard uptime guarantee of 99.9% to enterprise customers, and generally exceed 99.99% uptime in practice.

Security Reporting

In the event that we experience a data breach affecting EU citizen data, we have committed to notifying European authorities within 72 hours of the discovery of the incident.

If you would like to report a potential security incident to Opal, please email infosec@workwithopal.com and cc legal@workwithopal.com. To ensure the fastest possible investigation of your report, please include the following information:

  • High level description of issue
  • Detailed steps to reproduce issue
  • Notes regarding your operating systems, web browser, and technology stack in use (if relevant)
  • Screenshots, videos, gifs, or log output to support your report
  • Your preferred contact method, in case follow-up discussion is required

Compliance & Legal

Data Centers

We host Opal Platform data on Azure, which maintains best-in-class physical and electronic security countermeasures. More information about Azure’s compliance programs is available as a PDF download.

In short, Azure maintains SOC 2 and ISO 27001 compliance, stringent backup, and environmental control systems, and has a demonstrated track record of exceptional uptime, resilience, and overall performance levels.

We typically store data in the US-West regions, with Frankfurt hosting available for EU-based Customers.

Data ownership

Your data is yours, and you maintain copyright and intellectual property rights already held in any posted content. Opal will never review, share, distribute or reference any user content except as provided in our Terms of Service and Privacy Policy.

If you choose to end your relationship with Opal, we are happy to provide you with a copy of your Platform data and/or securely erase your data upon request. Our primary hosting provider complies with DoD standards for secure erasure and secure decommissioning of storage media.

Privacy by design

We try to collect the minimum amount of information needed to provide Opal Platform services and minimize the number of internal staff that interact with it. If you need to further restrict the visibility of marketing content, we offer private stories, moments, and content that provide fine-grained controls over who is allowed to access specific, highly sensitive marketing content.

In general, we directly process:

  • Marketing collateral, including text, images, audio and video files
  • Internal discussions surrounding marketing content and anticipated release timing
  • Limited personal information regarding system users, including name, email address, phone number (if SMS alerts or mobile apps are used), IP address and profile pictures (if elected)

We never process PCI information, information about your customers, financial information, or account numbers as part of Opal Platform services. Opal Platform users are typically our customers’ employees, contractors, or agency partners, never members of the general public.

Questions

If you have questions about our security practices that aren’t covered above or have suggestions for how we can improve this page, please contact infosec@workwithopal.com. If you’d like to speak to our sales team, you can complete our demo request form.

Version 2.1, last updated 03/09/22