Discover Gem - the AI co-pilot that can answer your most pressing questions & do real marketing work >

Your Data Secured.

Overview

At Opal, we are committed to maintaining a secure and trusted platform by prioritizing security, continuously improving our safeguards, and adapting to evolving threats.

Opal is purpose-built to help teams plan, approve, and deliver their communications mix by managing marketing and communications content before publication. We protect customer data through modern security practices and alignment with international data privacy and protection requirements.

We work closely with leaders across industries who trust Opal with their data. We invite you to explore our Security page to learn more about the processes and safeguards we use to help protect your content until it is ready to share with the world.Product TourOpal PricingGet a Demo

Compliance

Certifications & Frameworks

Opal’s Security Management System meets compliance to the ISO 27001:2022 and ISO 27701:2019 standards and has been reviewed against the SOC 2® assessment including the Trust Services Criteria.

Opal is delighted to share reports with customers and prospects upon request under a Non-Disclosure Agreement (NDA). To request reports, certificates, or security policies, please contact infosec@workwithopal.com.

Security at a Glance

Encryption

✅ AES-256 Encryption-at-rest

✅ TLS 1.2+ Encryption-in-transit 

Application Security

✅ Change Management

✅ Web Application Firewall

✅ OWASP Top 10 Training 

Network Security

✅ Networking Monitoring Tools

✅ Vulnerability Scanning

✅ Third-Party Pen Testing

Access Management

✅ Role-Based Access Control

✅ 2FA Enforcement

✅ Monitoring & Logging

Endpoint Security

✅ Anti-Virus/Malware Scanning

✅ Full Disk Encryption

✅ Endpoint Detection/Prevention

HR Security

✅ Personnel Screening

✅ Confidentiality Agreements

✅ Security and Privacy Training

Security in the Cloud

Opal is hosted on a major Cloud Service Provider (CSP). Our CSP has a demonstrated track record of exceptional uptime, resilience, and overall performance levels in addition to SOC 2 and ISO 27001 compliance, stringent backup processes, and environmental control systems.

We host data in multi-regions for availability and legal purposes.

The Opal Platform

The Opal Platform is delivered as a multi-tenant cloud platform by default, allowing security enhancements and operational improvements to benefit our global customer base. For customers with specific isolation requirements, Opal also offers a single-tenant deployment option designed to provide dedicated data isolation.

Encryption

We encrypt our customers’ data by default—in transit and at rest—and regularly test our encryption algorithms to make sure they’re strong. Databases and database backups are fully encrypted at rest. You can perform an independent test of our encryption quality using the Qualys SSL Test.

Data in transit is encrypted using TLS 1.2+, and data at rest is encrypted using AES-256, with encryption keys stored in Hardware Security Modules (HSMs). We hash passwords with bcrypt before storing them in our encrypted database.

Login Security

Opal’s login process includes support for custom password complexity requirements, secure reset mechanisms, session timeout, enforcement of 2FA, and defined rotation schedules.

We also support SAML-based integrations into your Single Sign On (SSO) system, if you’d prefer to keep control over the authentication and provisioning process.

Development Methodology

Fundamental to our security posture is securing our Platform, codebase, dependencies, and ecosystem of tools that allow us to produce and maintain the Opal Platform. Opal implements the following processes to ensure security in its development and release process.

  • Opal follows an Agile development methodology to enable changes to be developed, reviewed, tested, and released in smaller increments. This approach helps peer reviewers and QA teams identify potential issues before release and supports more efficient rollback of changes if unforeseen issues arise to minimize potential disruption to customers.
  • Prior to release, changes undergo peer review, automated and manual testing, a variety of automated code quality checks, and static code analysis to reduce the chance of avoidable security mistakes making their way into production
  • Opal maintains a variety of tooling to detect out-of-date software and dependencies in our environments that pose security risks
  • All Opal developers follow a secure coding checklist based on OWASP best practices

Security Measures

Opal uses a range of security tools, controls, and methodologies designed to effectively protect Customer data, including the measures described below:

  • Incident Response, Disaster Recovery and Business Continuity Plans and Annual Tabletop Testing
  • Incremental and Full Scheduled Backups
  • Automated Capacity Management
  • Least Privilege Access and Continuous Access Reviews
  • Third-Party Software, Dependency and Vendor Management Programs
  • Various Network Monitoring and Response Tools
  • Endpoint Protection including EDR, Anti-virus/malware, Full-Disk Encryption and Continuous Patch Management
  • Robust Vulnerability and Threat Intelligence Management Programs
  • Annual Third-Party Penetration Testing
  • Annual Company-Wide Security and Privacy Awareness Training
  • Extensive Logging and Monitoring

Business Continuity & Disaster Recovery

Resilience

The Opal Platform is delivered as a load-balanced cloud service designed for high availability and resilience. Opal maintains dedicated personnel responsible for continuously monitoring platform uptime and availability.

In the event of a widespread service disruption, Opal is designed to fail over to backup infrastructure provisioned in an alternate availability zone within our cloud provider and maintains cross-region restore capabilities to support recovery from regional disruptions.

For planning and testing purposes, Opal maintains a Recovery Point Objective (RPO) of 1 hour and a Recovery Time Objective (RTO) of 12 hours. This means the Platform is designed to recover from anticipated disruptions quickly and with minimal potential data loss.

While specific uptime commitments may be negotiated by contract, Opal offers a standard uptime commitment of 99.9% for enterprise customers and has historically exceeded 99.99% uptime in practice.

Security Reporting

In the event that we experience a data breach affecting EU citizen data, we are committed to notifying European authorities within 72 hours of the discovery of such an incident.

If you would need to report a potential security incident to Opal, please email infosec@workwithopal.com and cc legal@workwithopal.com. To ensure the fastest possible investigation of your report, please include the following information:

  • High level description of issue
  • Detailed steps to reproduce issue
  • Notes regarding your operating systems, web browser, and technology stack in use (if relevant)
  • Screenshots, videos, gifs, or log output to support your report
  • Your preferred contact method, in case follow-up discussion is required

Compliance & Legal

Data Centers

Opal’s Platform is hosted on the cloud by Azure, which maintains best-in-class physical and electronic security countermeasures. You can find more information about Azure’s compliance programs available here.

Azure maintains numerous industry security and privacy certifications and controls, including SOC 2 type II and ISO 27001 compliance, environmental control systems, strong physical controls, and has a demonstrated track record of exceptional uptime, resilience, and overall performance levels.

Opal currently maintains infrastructure in the US-West regions, with Frankfurt hosting available for EU-based Customers.

Data ownership

Your data is yours, and you maintain copyright and intellectual property rights already held in any posted content. Opal will never review, share, sell, distribute or reference any user content except as provided in our Terms of Service and Privacy Policy.

If you choose to end your relationship with Opal, we are happy to provide you with a copy of your Platform data and/or securely erase your data upon request. Our primary hosting provider complies with DoD standards for secure erasure and secure decommissioning of storage media.

For privacy related inquires, please visit Opal’s Privacy Policy or contact privacy@workwithopal.com.

Privacy by design

Opal seeks to collect only the information necessary to provide the Platform services and to limit internal access to personnel with a legitimate need to know. Opal also enables customers to granularly control the visibility of marketing content within the Platform through role-based access controls. Customers can designate stories, moments, and other content as private where appropriate, helping ensure that each resource is accessible only to authorized users.

Additionally, Opal generally only processes the following, limited information:

  • Marketing collateral, including text, images, audio and video files
  • Internal discussions surrounding marketing content and anticipated release timing
  • Minimized personal information to establish user accounts for system users, including name, email address, IP address and optionally phone number, job title or profile pictures.

The Opal Platform is not intended to process sensitive personal information, payment card information, financial information, account numbers, information about customers’ end users, or other regulated data as part of the Platform services. Opal Platform users are typically our customers’ employees, contractors, or agency partners, and are not members of the general public.

Questions

If you have questions about our security practices that aren’t covered above or have suggestions for how we can improve this page, please contact infosec@workwithopal.com. If you’d like to speak to our sales team, you can complete our demo request form.

Version 2.3, last updated 06/25/2026