We run Opzyai on Opzyai.
A security vendor that hasn’t tested itself is a red flag. So we don’t ask for trust — we show it. Below is a live result of Opzyai scanning its own full dependency tree with the exact same engine our customers use (OSV dependency analysis), warts and all.
How we read this — honestly
Zero critical vulnerabilities. When this scan recently flagged criticals in our own tree — including a Next.js middleware advisory — we patched them the same day, the same way you would: bump to the safe version, re-scan, confirm. The remaining high-severity items are all in a single framework dependency and are resolved by our in-progress major-version upgrade; they’re tracked and triaged by exploitability, not ignored. We’d rather show you a real number we’re improving than a green checkmark that means nothing.
Trust that isn’t a scan result
The strongest guarantees are structural — they hold whatever a scan says.
It can’t test what you don’t own
Every scan re-verifies ownership live. There is no override path — it’s enforced in architecture, not policy.
Tenant isolation by default
Data is isolated at the database layer with row-level security; secrets are stored redacted.
Immutable audit trail
Every security-relevant action is recorded in an append-only, tamper-resistant log.
EU-hosted, GDPR-native
Primary processing in the EU, with a published privacy policy, DPA, and sub-processor list.