Platform Security

Security by Intent

DropOps is designed around deliberate human action at every step, creating a chain of intent that makes unauthorized actions structurally impossible.

• Operator deployment - You generate a unique API key and start the Operator yourself
• Account binding - You authenticate and explicitly link the Operator to your current chat session
• Session initiation - You start every conversation; the AI never initiates
• Change approval - You review and approve every change before execution
• Instant stop - Stop the AI mid-response at any time, or kill the Operator remotely from the UI

Complete Operator Control

You have multiple independent ways to cancel operations and stop operators.

From the DropOps UI:

• Deny proposed actions - Click deny on any proposed command and the AI will wait for your next message
• Stop AI processing - Click the stop button to halt AI generation and cancel pending operations
• Stop operator remotely - Click the stop icon in the Operator Panel to send a shutdown command over the network
• Revoke API key - Refresh the API key to instantly disconnect the operator and invalidate its credentials

From your environment:

• Kill locally - Press Ctrl+C, logout, or reboot—the operator is a standard process with no persistence
• AWS Cloud Operator - Stop the systemd service, or stop/reboot/terminate the EC2 instance from the AWS Console

No automatic timeouts—long-running operations like terraform apply complete naturally. You decide when to cancel. The operator is just a binary—run it however you prefer (foreground, background, screen/tmux, systemd). It leaves no services, daemons, or open ports when stopped.

Zero Trust Architecture Compliance

DropOps addresses the core Zero Trust principles outlined in NSA/CISA guidance:

"Never Trust, Always Verify"

• Continuous Authentication - Every session is cryptographically validated using OAuth 2.0 with PKCE for web users and unique API keys for operators
• Explicit Authorization - All state-changing operations require human approval before execution
• Least Privilege - Operators start with zero permissions; access is granted only for specific, approved intents

"Assume Breach"

• Zero Inbound Connectivity - Operators initiate only outbound connections, eliminating attack surfaces
• Micro-segmentation - Each operator operates independently with isolated sessions and permissions
• Continuous Monitoring - All activities are logged with tamper-evident audit trails

"Verify Explicitly"

• Multi-factor Validation - Session binding, system fingerprinting, and cryptographic identity verification
• Contextual Access Decisions - Risk analysis and semantic explanation of all proposed actions
• Dynamic Authorization - Permissions scoped to specific tasks and revocable in real-time

Zero Inbound Connectivity

The DropOps Operator initiates all connections outbound. No open ports, no firewall rules, no VPN.

# Traditional approach
Internet --[SSH:22]--> Firewall --[VPN]--> Your Server
         Open ports = attack surface

# DropOps approach
Your Server --[outbound only]--> DropOps
            No listening ports. Nothing to attack.

• Outbound TLS 1.3 on port 443 - Works behind NAT, corporate firewalls, and restrictive networks
• No listening ports - Invisible to network scans and reconnaissance
• Mutual TLS (mTLS) - Both client and server authenticate each connection

Human-in-the-Loop Execution

All state-changing operations require your explicit approval before execution. This is non-negotiable.

• Read-only exploration - When you deploy an Operator, you signal intent for the AI to explore that system. File reads, directory scans, and status checks happen automatically to gather information
• Mandatory approval for changes - File modifications, package installs, service changes, and any state-altering operations require your confirmation
• Complete audit trail - Every request, proposal, decision, and result is logged

Authentication

• Google OAuth 2.0 - We never see or store your password
• API keys for Operators - Unique per-operator, non-transferable between machines
• Encrypted sessions - HttpOnly cookies with automatic expiration

API Security

All DropOps API endpoints enforce strict identity controls to prevent unauthorized access.

• Session-bound identity - Your identity is always derived from your cryptographically-validated session, never from request parameters. An authenticated user cannot access another user's data.
• No client-trusted IDs - API endpoints never trust user-provided identifiers. Your user ID, organization, and permissions are extracted server-side from your validated session.
• Rate limiting - All endpoints are protected against abuse with intelligent rate limiting
• Input validation - All inputs are validated and sanitized before processing
• Replay protection - Sensitive endpoints require request timestamps within a ±5 minute window. Optional nonces provide additional protection against exact request replay attacks.

Session Security

DropOps maintains two independent session types: web sessions for dashboard access and operator sessions for system connections. Both are secured with defense-in-depth controls.

Web Session Security

• Encrypted session storage - Sessions are encrypted at rest and transmitted only over HTTPS
• HttpOnly cookies - Session tokens cannot be accessed by JavaScript, preventing XSS-based session theft
• Session binding - Sessions are bound to your browser context. Attempts to use a session from a different context are rejected
• Automatic expiration - Sessions expire after a period of inactivity, requiring re-authentication
• Secure logout - Logging out destroys the session server-side and client cookie

Operator Session Security

• Unique API keys - Each operator authenticates with its own API key, scoped to that specific operator slot
• System fingerprinting - Operators are bound to their host system. An API key cannot be used to start an operator on a different machine
• Non-transferable sessions - Operator sessions are tied to a specific system identity. Moving an operator to a new machine requires re-registration
• Instant revocation - Revoking an operator's API key immediately terminates its session and prevents reconnection
• Independent lifecycles - Operator sessions are independent of your web session. Logging out of the dashboard does not disconnect running operators
• Replay protection - All operator requests include timestamp validation. Requests outside a ±5 minute window are rejected, and optional nonces prevent exact request replay

Session Isolation

• Cross-user isolation - Sessions are cryptographically bound to your account. There is no mechanism to access another user's session or data
• Organization boundaries - Team members can only see operators and data within their organization's scope
• Multi-operator binding - Multiple operators can be bound to your session simultaneously, but each operator can only be bound to one session at a time
• AI-directed targeting - When multiple operators are bound, the AI specifies which operator receives each command based on your request

Scaling Without Approval Fatigue

Managing dozens or hundreds of systems shouldn't mean approving the same command dozens or hundreds of times. When a command needs to run on multiple operators, you see one approval dialog listing all impacted systems—eliminating approval fatigue while maintaining full security visibility.

• Single approval point - You explicitly approve the command for all listed systems at once
• Full system visibility - The approval UI displays all impacted hostnames before you approve
• Same security model - Every command still requires explicit human approval; batch approvals simply reduce redundant clicks
• Sequential execution - Commands execute one operator at a time, allowing early termination on failure
• Combined audit trail - Each operator's execution is recorded with a unique execution ID

Data Protection

• Encrypted in transit - All connections use TLS 1.3
• Encrypted at rest - Sensitive data encrypted with AES-256
• Stripe for payments - Card data never touches our servers
• US data residency - All data stored in United States regions

Data Sovereignty (Local-First Audit Architecture)

DropOps implements a Local-First Audit Architecture (LFAA) where the Operator is the System of Record for all session history, execution logs, and file mutations. The cloud acts as a stateless relay - no sensitive operational data persists in the cloud database.

LFAA Components

• Audit Vault (SQLite) - Located at ./.dropops/data/dropops.db (relative to CWD where operator is launched). Stores sessions, events (USER_MSG, AI_MSG, CMD_EXEC, FILE_MUTATION), command stdout/stderr with smart truncation for large outputs (>100KB)
• Ledger Mirror (Git) - Located at ./.dropops/data/ledger/ (relative to CWD where operator is launched). Version control for all files modified by the operator. Each mutation creates a git commit with hash references. Files can be restored to any previous commit state

How It Works

• Command Execution - AI executes command → Operator stores output in Audit Vault → Cloud receives only metadata (execution ID, exit code, size)
• History Retrieval - AI calls fetch_session_history → Request sent to operator → Operator queries SQLite → Returns events to AI
• File Versioning - File mutation occurs → Operator mirrors to Ledger → Git commit created → Hash stored in Audit Vault

Compliance Benefits

• Data Residency - Sensitive command output never persists in cloud storage. Your data stays on your systems
• Single Source of Truth - Operator's local database is authoritative for all operational data
• Regulatory Compliance - Meets data locality requirements for GDPR, FedRAMP, and SOC 2
• Complete Audit Trail - Queryable history of all sessions, commands, and file changes maintained locally

Live Transmission Monitor

The Data Sovereignty Dashboard includes a Live Transmission Monitor that provides real-time visibility into exactly what data leaves your operator versus what stays local.

• Per-operation breakdown - See local bytes vs transmitted bytes for each command
• Data reduction metrics - Cumulative statistics showing percentage of data kept local
• Hash verification - Content hashes displayed for integrity verification
• Real-time streaming - Watch data flow as commands execute via SSE

AI Safety Controls

AI agents execute investigation and response workflows within your predefined guardrails. DropOps enforces these guardrails at multiple levels:

• Least privilege by default - The Operator runs as the user who launched it, with no ability to elevate its own permissions
• Command filtering - Configurable blacklist and whitelist modes available for blocking dangerous operations (e.g., sudo, rm -rf)
• System file protection - Critical system paths are protected from modification
• Output sanitization - Command output is sanitized before AI processing
• Automatic limits - Built-in safeguards prevent runaway operations

Infrastructure Security

• HTTPS everywhere - TLS 1.3 with HSTS enforcement
• XSS and CSRF protection - Industry-standard defenses enabled
• Rate limiting - Protection against abuse and denial of service
• Secure secrets storage - Credentials stored in encrypted vaults, never in code
• Internal access controls - All personnel require two-factor authentication

Incident Response

We take security incidents seriously and respond promptly.

• Breach notification - Affected customers notified promptly, within 72 hours for GDPR-covered data
• Communication - Direct email notification to affected accounts
• Post-incident review - Root cause analysis and remediation for all significant incidents

Business Continuity

DropOps is hosted on Google Cloud Platform with built-in redundancy and backup capabilities.

Third-Party Risk Management

We maintain a limited set of vetted subprocessors, each with documented security assessments.

• Dependency scanning - Automated vulnerability scanning of third-party libraries
• Limited subprocessors - We use established, well-audited vendors for core infrastructure

Logging & Monitoring

• Comprehensive audit logging - All actions, approvals, and commands are logged with timestamps and user context
• Chat history retention - Complete conversation history available in your account
• Real-time monitoring - Automated alerting on security anomalies
• Audit log export - Available for Enterprise tier customers

Vulnerability Management

• Continuous scanning - Automated vulnerability scanning on every deployment
• Dependency monitoring - Third-party libraries monitored for security advisories
• Critical CVE response - Target: patches deployed within 24 hours for critical vulnerabilities
• High CVE response - Target: patches deployed within 7 days for high-severity vulnerabilities

Network Security Details

• Operator connections - Outbound to operator.dropops.ai:443 only (Redis over TLS)
• Certificate pinning - mTLS certificates are pinned to prevent man-in-the-middle attacks
• Connection heartbeat - 30-second keepalive with automatic reconnection on failure
• No command timeout - Long-running commands complete naturally; you decide when to cancel
• Operator updates - New versions downloaded from authenticated endpoints

Internal Access Controls

• Principle of least privilege - Access granted only for specific job functions
• MFA required - All production access requires multi-factor authentication
• Limited production access - Only essential personnel have access to production systems

Data Classification & Handling

We collect only what is necessary to provide the service.

• Sensitive data redaction - Passwords, API keys, and secrets are automatically detected and redacted from logs
• Data minimization - We do not store file contents, only metadata and diffs when approved
• Customer data isolation - Strict multi-tenant separation in Firestore

Operator Security Hardening

Both the Cloud Operator and DropOps Operator binary are built with security as a priority.

• Zero inbound connectivity - All operators initiate connections outbound only. Nothing to attack.
• Hardened binaries - Operator binaries are obfuscated and compressed to resist reverse engineering
• Cloud Operator - Pre-configured EC2 AMI with security tools (fail2ban, auditd, Restic) and Zero Standing Privileges—AI requests access only when needed
• DropOps Operator Binary - Lightweight Go agent with identical security model. A flexible building block for any environment.
• Memory safety - Operator built in Go, a memory-safe language

AWS Cloud Operator: Two-Role Architecture

The Cloud Operator implements TRUE least-privilege through separation of concerns. Two distinct IAM roles ensure that the role executing actions cannot grant itself permissions, and the role granting permissions cannot access resources.

• Operator Role - Attached to EC2, starts with ZERO permissions, executes granted actions, CANNOT modify IAM (blocked by permission boundary)
• Escalation Role - Can ONLY attach pre-defined intent policies to Operator Role, has NO resource access (no ec2, s3, rds, etc.)
• Intent-based IAM - Permissions are granted through conversation. You say "Yes" or "No" to plain-English questions
• Just-in-Time Access - AI assumes Escalation Role only when granting approved permissions, then returns to Operator Role
• Permission boundary enforcement - Hard security ceiling on Operator Role blocks ALL IAM write operations
• No stored AWS credentials - Uses EC2 instance metadata (IMDS) for AWS credentials—no AWS access keys stored on disk
• IMDSv2 enforced - Enhanced instance metadata security prevents SSRF attacks

# DropOps Cloud Operator Two-Role Architecture

OPERATOR ROLE (attached to EC2 instance)
  CAN:  Execute granted intent permissions
        Self-discovery (sts:GetCallerIdentity, iam:Get*)
        Assume Escalation Role for policy grants
  CANNOT: iam:PutRolePolicy, AttachRolePolicy (ANY role)
          iam:CreateRole, PassRole, UpdateAssumeRolePolicy
          (Blocked by permission boundary - hard ceiling)

ESCALATION ROLE (assumed temporarily)
  CAN:  iam:AttachRolePolicy (Operator Role ONLY)
        iam:DetachRolePolicy (Operator Role ONLY)
        (Only Intent-* managed policies)
  CANNOT: ec2:*, s3:*, rds:*, lambda:*, ANY resource access
          (No permissions for any AWS services)

Intent-based escalation flow:
  1. AI: "Should I see EC2 instances?" → You: "Yes"
  2. AI assumes Escalation Role (sts:AssumeRole)
  3. Escalation Role attaches Intent-ec2_discovery to Operator Role
  4. AI returns to Operator Role, executes ec2:Describe*

Auto-Approved Self-Discovery

Cloud Operators can check their own IAM identity and permissions without requiring your approval. These read-only commands (such as aws sts get-caller-identity and aws iam get-role-policy) help the AI understand what it can do before asking you for additional access.

• Self-discovery only - Commands can only query the operator's own IAM role
• No state changes - These commands are strictly read-only with no side effects
• All other commands require approval - Any action beyond self-discovery needs your explicit consent

Build & Release Pipeline

Our release process includes security checks:

• CI/CD pipeline - Automated builds with GitHub Actions
• Dependency pinning - Dependencies are version-locked
• Hardened binaries - Operator binaries are obfuscated and compressed

Security Testing

We perform internal security testing on releases.

• Network verification - Verify outbound-only connections to expected endpoints
• Automated testing - CI/CD pipeline includes security checks
• Code review - Security-focused review for sensitive changes

Compliance & Regulatory Alignment

DropOps implements security controls aligned with industry frameworks and regulatory requirements. Formal certifications are planned as the platform scales.

• Data Processing Agreement - DPA available upon request
• Business Associate Agreement - BAA available for healthcare organizations
• Security questionnaire - We respond to CAIQ, SIG, and custom security questionnaires

Healthcare & Government Considerations

Healthcare Data Protection (HIPAA)

• PHI Residency - Protected Health Information remains on-premises through Local-First Audit Architecture
• Business Associate Agreement - BAA support available for healthcare organizations
• Audit Requirements - Tamper-evident audit trails meeting HIPAA logging requirements
• Minimum Necessary - Access controls enforcing minimum necessary use principle
• Clinical Isolation - Operator isolation prevents cross-contamination between clinical systems

Government Security Requirements

• FedRAMP Alignment - Data residency in US regions with FIPS 140-2 compliant cryptography
• Zero Trust Compliance - Full alignment with NSA/CISA Zero Trust guidelines
• Air-Gapped Support - Architecture supports air-gapped deployment scenarios
• Continuous Monitoring - Real-time visibility into all AI agent activities
• Supply Chain Security - No third-party dependencies in the critical execution path

Enterprise Security Information

For enterprise customers evaluating DropOps, we can provide additional security documentation:

• Architecture documentation - Detailed technical overview of our security architecture
• Software Bill of Materials (SBOM) - Dependency inventory upon request
• Security questionnaire responses - We complete CAIQ, SIG, and custom questionnaires
• Data Processing Agreement - Standard DPA for GDPR requirements

Architecture Boundaries

Transparency means being clear about boundaries. DropOps enforces these architectural constraints:

• No persistent file storage - We do not store full file contents; only metadata and diffs when you approve operations
• No remote shell access - The Operator does not include built-in SSH, remote desktop, or backdoor capabilities
• No AI-initiated actions - The AI never starts conversations or executes commands without your explicit request
• No credential storage - We never store your passwords (Google OAuth only) or payment details (Stripe handles all payment data)
• No cross-customer data access - Strict tenant isolation means your data is never accessible to other customers or used for training

Your Data Rights

• Data access - View all data we store about you (available upon request)
• Data deletion - Delete your account and all associated data at any time (available upon request)
• Data portability - Export your data in standard formats (available upon request)

Responsible Disclosure

• Safe harbor - Good-faith security researchers will not face legal action
• Recognition - Researchers credited in our security acknowledgments (with permission)