
Security at Optiq

Your code is your most valuable asset. We built Optiq with security at the core, not bolted on after the fact.

Security Principles

Core pillars that define how we protect your data.

Per-Repo Encryption Keys

Each repository is encrypted with a unique AES-256-GCM key generated on your machine. During indexing the key is sent to the server, which uses it to encrypt your code before storage and then discards it; the key is never persisted server-side. API responses always return encrypted content that only your CLI, which holds the key, can decrypt.

Encrypted at Rest

Source code content, signatures, and docstrings are stored encrypted with your per-repo key. The server processes code transiently during indexing but never stores plaintext. Search indexes store only symbol names, file paths, and vector embeddings.

SOC 2 (In Progress)

We are actively working toward SOC 2 Type II certification. Independently audited controls for security, availability, and confidentiality are coming soon.

Access Controls

Role-based access control with admin and member roles, multi-factor authentication (TOTP), scoped API keys, and secure session management with HTTP-only cookies.

Audit Logging

Persistent audit trail for every security-relevant action: logins, role changes, API key creation, account deletions. Queryable by admins with full timestamps.

Transparency

We are upfront about exactly what we encrypt and what we don't. Search metadata (function names, file paths) remains in plaintext to enable fast retrieval, and the vector embeddings held in the search index are derived from your code content during indexing. Code content itself is always encrypted.

Per-User Data Isolation

Each user's repositories are stored in separate databases with individual encryption keys. Access is enforced at the API level with token-based authentication.

Responsible Disclosure

Found a vulnerability? We welcome responsible disclosure at [email protected] and will respond within 24 hours.


Encryption

AES-256-GCM everywhere

Every repository is encrypted with a unique key generated on your machine. The key is sent to the server during indexing so it can encrypt your code before storage, then immediately discarded. The server never persists your key or stores plaintext code. API responses are always encrypted; decryption happens exclusively on the client. The boundary this draws is worth stating precisely: the server holds the key and your plaintext in memory for the duration of indexing, so the guarantee is that neither is ever written to storage, not that the server never sees them. It also means the key on your machine is the only copy: if it is lost, the stored ciphertext cannot be recovered, because the server has nothing to decrypt it with.

Per-repo AES-256-GCM encryption keys
API never returns plaintext code
Keys discarded after indexing — never persisted server-side
TLS 1.3 in transit
Search indexes store only metadata and vectors
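The exchange described above (and under Per-Repo Encryption Keys), as an added example in Go that is not Optiq's code: the client generates the key, the server encrypts with it during indexing and retains neither key nor plaintext, and the CLI is the only party that can open the result. The Blob layout, the function names, and the choice to bind the file path into the ciphertext as GCM associated data are assumptions of this example, not documented Optiq behaviour.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is what the server keeps for one indexed file: the file path (search
// metadata, stored in plaintext) plus the AES-256-GCM nonce and ciphertext.
// The path is bound into the ciphertext as associated data so a stored blob
// cannot be quietly moved to a different path; that binding is a design choice
// of this example, not something the page documents.
type Blob struct {
	Path       string
	Nonce      []byte
	Ciphertext []byte
}

// newAEAD builds an AES-256-GCM instance. Only 32-byte keys are accepted so a
// shorter key can never silently downgrade the cipher to AES-128.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// clientGenerateKey runs on the user's machine: one fresh 256-bit key per
// repository, held only by the CLI.
func clientGenerateKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// serverIndex models the server's part of indexing. It is handed the key and
// the plaintext, encrypts under a random 96-bit nonce, and returns only the
// blob. Neither argument is retained; both live only for this call.
func serverIndex(key []byte, path string, source []byte) (Blob, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	ct := aead.Seal(nil, nonce, source, []byte(path))
	return Blob{Path: path, Nonce: nonce, Ciphertext: ct}, nil
}

// clientDecrypt runs in the CLI. Open verifies the GCM tag before returning
// anything, so a modified ciphertext, a wrong key, or a blob re-labelled with
// another path all fail closed with an error instead of yielding garbage.
func clientDecrypt(key []byte, b Blob) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, b.Nonce, b.Ciphertext, []byte(b.Path))
}

func main() {
	key, err := clientGenerateKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample input standing in for one file from a user's repo.
	blob, err := serverIndex(key, "src/auth.go", []byte("func Login() {}"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: path=%q nonce=%x ct=%x\n", blob.Path, blob.Nonce, blob.Ciphertext)

	pt, err := clientDecrypt(key, blob)
	fmt.Printf("client decrypt: %q err=%v\n", pt, err)

	blob.Path = "src/other.go" // someone relabels the stored blob
	_, err = clientDecrypt(key, blob)
	fmt.Printf("relabelled blob: err=%v\n", err)
}
```

The nonce is stored beside the ciphertext because GCM needs it to decrypt and it is not secret; what must never repeat is the (key, nonce) pair, which a fresh random nonce per file satisfies at the file counts a repository index involves.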

Compliance

Compliance & Certifications

We are working toward rigorous compliance standards and plan to undergo regular independent audits to ensure your data is handled with the highest level of care.

  • SOC 2 Type II: In Progress
  • GDPR compliant: In Progress
  • CCPA compliant: In Progress
  • HIPAA eligible (Enterprise): Planned
  • ISO 27001 aligned: Planned
  • AES-256-GCM encryption with client-generated keys; decryption only on the client
  • Per-repo encryption keys
  • TLS 1.3 encryption in transit
  • Persistent audit logging
  • Responsible disclosure program

Infrastructure Security


Network Security

  • TLS 1.3 encryption for all client-server communication
  • Rate limiting with X-RateLimit headers on all endpoints
  • CORS policy restricting cross-origin requests
  • HTTP security headers (HSTS, CSP, X-Frame-Options)
  • Request ID tracking across all log entries

Application Security

  • Per-repo AES-256-GCM keys generated client-side and never persisted on the server
  • API responses never contain plaintext code
  • Hashed email lookups to prevent plaintext exposure
  • Scoped API keys with per-endpoint permissions
  • Persistent audit log for all security events

Operational Security

  • Automated database backups with 7-day retention
  • systemd service management with auto-restart
  • Structured JSON logging for incident response
  • Health monitoring with deep DB connectivity checks
  • Scheduled cleanup of expired tokens and OTPs
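The Network Security and Operational Security lists above describe a request pipeline: a request ID that follows the request into the logs, security headers on every response, rate limiting that reports its budget in X-RateLimit headers, and structured JSON log lines for incident response. As an added example that is not Optiq's code, this Go middleware shows one way those controls compose. The header names X-RateLimit-Limit and X-RateLimit-Remaining, the CSP value, the fixed-window policy, and the log field names are assumptions, not documented Optiq behaviour.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"log"
	"net"
	"net/http"
	"strconv"
	"sync"
	"time"
)

// Limiter is a fixed-window request counter keyed by client IP. Budget, window
// length and the X-RateLimit-* header names are assumptions of this example.
type Limiter struct {
	mu      sync.Mutex
	limit   int
	window  time.Duration
	clients map[string]*bucket
}

type bucket struct {
	count int
	reset time.Time
}

func NewLimiter(limit int, window time.Duration) *Limiter {
	return &Limiter{limit: limit, window: window, clients: map[string]*bucket{}}
}

// Take counts one request for key; it reports whether the request fits the
// budget and how much budget is left in the current window.
func (l *Limiter) Take(key string) (allowed bool, remaining int) {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := time.Now()
	b, ok := l.clients[key]
	if !ok || !now.Before(b.reset) { // first request, or the window rolled over
		b = &bucket{reset: now.Add(l.window)}
		l.clients[key] = b
	}
	if b.count >= l.limit {
		return false, 0
	}
	b.count++
	return true, l.limit - b.count
}

// clientKey is the caller's IP with the ephemeral port stripped.
func clientKey(r *http.Request) string {
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return host
	}
	return r.RemoteAddr
}

// newRequestID is 128 random bits as hex. It is generated server-side rather
// than copied from a client header so callers cannot forge it or inject into logs.
func newRequestID() string {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err) // no usable entropy; do not serve requests without it
	}
	return hex.EncodeToString(b[:])
}

// Secure wraps next with a request ID, the HTTP security headers and the
// rate limit, and writes one JSON log line per request carrying the ID.
func Secure(l *Limiter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rid, key := newRequestID(), clientKey(r)
		h := w.Header()
		h.Set("X-Request-ID", rid)
		h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
		h.Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")
		h.Set("X-Frame-Options", "DENY")
		allowed, remaining := l.Take(key)
		h.Set("X-RateLimit-Limit", strconv.Itoa(l.limit))
		h.Set("X-RateLimit-Remaining", strconv.Itoa(remaining))
		line, _ := json.Marshal(map[string]any{
			"request_id": rid, "client": key, "method": r.Method, "path": r.URL.Path, "allowed": allowed,
		})
		log.Println(string(line))
		if !allowed {
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok")) })
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", Secure(NewLimiter(60, time.Minute), ok)))
}
```

Generating the ID server-side instead of honouring a client-supplied X-Request-ID is deliberate: an attacker-chosen value could collide with another request's ID or carry characters that confuse log parsing. If an upstream proxy already assigns IDs, validate the format before trusting it. Keying the limiter on the raw RemoteAddr is only correct when the service terminates TLS itself; behind a load balancer the key must come from a trusted forwarding header instead.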

Report a Vulnerability

Found a security issue? We appreciate responsible disclosure. Our security team will respond within 24 hours.

[email protected]