OpsWork Book a demo

Security

Enterprise security controls inside your own Azure subscription.

OpsWork runs entirely inside your Microsoft 365 tenant and Azure subscription. The security boundary is yours. The controls are yours.

Your tenant. Your data.

Customer-controlled Microsoft 365 and Azure subscription. You hold the keys.

Six agent identities

Entra ID, least-privilege, managed identities. Every action signed and logged.

No OpsWork access

We deploy, then leave. Support access only with your explicit approval, time-bound, logged.

Pillar 1

Customer-controlled architecture

  • ·Your Microsoft 365 tenant. Your Entra ID. Your data sovereignty.
  • ·Your Azure subscription. Deploys into UK South where customer policy supports it.
  • ·You control billing, keys, resource locks and regional residency.

Pillar 2

Identity and access

  • ·Each agent has an Entra ID identity. Permissions are explicit, scoped and least-privilege.
  • ·Managed identities for Azure resource access — no shared service credentials.
  • ·MFA and Conditional Access apply where the customer enables them across the tenant.

Pillar 3

Secrets and infrastructure

  • ·Azure Key Vault for all secrets. No credentials in code or environment variables.
  • ·Private endpoints supported where customer networking policy requires them.
  • ·Infrastructure is reviewable through standard Azure Resource Manager tooling.

Pillar 4

Audit and approvals

  • ·Every agent decision is signed, timestamped and written to an immutable audit log.
  • ·Outputs carry confidence scores and source references for engineer review.
  • ·Client-facing, irreversible and material actions require human approval.

Pillar 5

Support access

  • ·Designed so OpsWork Ltd has no routine access to customer content after deployment.
  • ·Support access requires explicit customer approval, is time-bound and is logged.
  • ·Access is revoked at the end of the support window.

Pillar 6

Data protection and privacy

  • ·UK GDPR and Data Protection Act 2018 compliance built in. Customer is data controller, OpsWork Ltd is data processor.
  • ·Data Processing Agreement signed before any deployment. UK GDPR Article 28 compliant.
  • ·Personal data stays in your tenant. OpsWork Ltd does not receive, copy or process customer data outside agreed support windows.
  • ·Sub-processor list provided during procurement. Customer notified of any changes 30 days in advance.

Procurement documentation

Everything your reviewer needs.

Standard documentation provided during procurement so your IT, InfoSec, legal and compliance teams can complete their review without delays.

Available on request

Architecture review pack

Components, identities, data flows

Available on request

Data Processing Agreement

UK GDPR Article 28 compliant

Available on request

Sub-processor list

Currently: Microsoft Azure, Microsoft 365

Available on request

Security questionnaire responses

Standard frameworks supported

Email [email protected] to request the procurement pack.

Certifications

Certifications and roadmap

OpsWork inherits security primitives from Microsoft 365 and Azure, both of which hold ISO 27001, SOC 2 Type II, ISO 27017, ISO 27018, ISO 22301, and HIPAA certifications at the platform level. OpsWork Ltd's own organisational certifications are listed below — we do not claim certifications we do not hold.

We do not claim certifications we do not hold. Status of each item is reviewed each procurement cycle.