In a world where enterprise data is simultaneously your most valuable asset and your greatest liability, where regulators in Frankfurt, Singapore, Riyadh, and São Paulo each have something clear to say about where your information lives – the question of where your platform runs, who can touch it, and how it keeps running is not a footnote, it’s an important conversation.
At Opactiv, we didn’t build data sovereignty, security, and high availability as features. We built them as foundations.
Your Data Stays Where You Need It: Infrastructure as Code, Any Region
For customers requiring this capability, the Opactiv platform is deployed via Infrastructure as Code (IaC), which means your instance of Opactiv is not a shared SaaS tenancy sitting in a single data centre on the other side of the world. It is a purpose-built, repeatable deployment – your deployment – launched into whichever AWS region best serves your regulatory, latency, and data residency requirements.
Whether you are a financial services firm in the UAE that must comply with CBUAE data localisation rules, a healthcare organisation in the EU governed by GDPR, a government agency in Australia subject to the ASD Essential Eight, or a multinational operating across a patchwork of sovereign jurisdictions – Opactiv can be provisioned into the AWS region of your choice.
This IaC-first deployment model delivers a further benefit that is often overlooked: repeatability and auditability. Every component of the Opactiv stack – compute, networking, storage, IAM policy, security group configuration, secrets management – is expressed as versioned code. That means your architecture is inspectable, reproducible, and immune to configuration drift.
Security Can Never Be an Afterthought
Opactiv exists to give organisations a clear, unified view of their entire technology spend portfolio. From cloud infrastructure costs across AWS, Azure, and GCP, to AI and LLM API consumption across OpenAI and Anthropic, to on-premises datacenter total cost of ownership, Microsoft 365 licence operations, and multi-company governance – Opactiv ingests and processes financial and operational data that is, by nature, commercially sensitive.
This is precisely why security is not layered on top of the Opactiv platform as an afterthought. It is woven through every layer of the architecture – please join us on a walkthrough of these layers.
Layer 1: Encryption of Data at Rest
Every data store within the Opactiv platform – relational databases, object storage, log archives, and backup snapshots – is encrypted at rest using AES-256. Encryption keys are managed through AWS Key Management Service (KMS), with the option for customers requiring the highest level of control to bring their own Customer Managed Keys (CMKs). This ensures that even the infrastructure provider cannot access your financial and operational data without your keys.
Layer 2: Network Partitioning and Access Control
The Opactiv deployment architecture follows a strict network partitioning model. All application and data tier components are deployed within private subnets inside a dedicated Virtual Private Cloud (VPC). There is no direct public internet exposure to database or application back-end services.
Traffic flows through precisely defined paths:
- Public-facing load balancers terminate inbound HTTPS traffic at the network edge.
- Security Groups act as stateful virtual firewalls, enforcing least-privilege rules at the instance and service level. Only the ports and protocols explicitly required for each component to perform its function are open.
- Network Access Control Lists (NACLs) provide a second, stateless layer of subnet-level filtering, forming a defence-in-depth envelope around every tier of the stack.
- VPC Flow Logs capture all network traffic metadata, providing an audit trail of every connection attempted or established within the environment.
For customers connecting Opactiv to their cloud billing APIs, data sources, and identity providers, all integration traffic flows over encrypted channels. Credentials for cloud account access are never stored in application configuration – they are managed through dedicated secrets management infrastructure (see below).
Layer 3: Identity and Access Management
Access to the Opactiv application is governed by a comprehensive, role-based Identity and Access Management (IAM) model. The platform supports multiple distinct roles – Organisation Manager, Pool Manager, Engineer, Member – each carrying precisely scoped permissions that reflect the principle of least privilege.
At the infrastructure level, the AWS IAM roles assumed by Opactiv’s application components follow the same principle. Each service has only the permissions it requires to perform its function. There are no wildcard policies, no overly permissive roles inherited from convenience. The attack surface of a compromised application component is therefore strictly bounded.
Multi-factor authentication is enforced at the application layer, and session management follows secure token handling practices with appropriate expiry and rotation policies.
Layer 4: Secrets Protection
Database credentials, API keys, service account tokens, and integration secrets are never hardcoded in application code, configuration files, or environment variables exposed to untrusted surfaces. Within the Opactiv deployment, all secrets are stored and retrieved through a dedicated secrets manager component, which provides:
- Automatic rotation of credentials on a configurable schedule
- Fine-grained IAM-controlled access to each secret
- Version history and instant rollback capability
This means that a leaked container image, a misconfigured log, or a compromised deployment pipeline does not result in exposed credentials. The secrets simply are not there to find.
Layer 5: Intrusion Detection and Prevention
The Opactiv platform integrates with AWS-native threat detection and response capabilities that operate continuously across the entire deployment:
- AWS GuardDuty provides intelligent threat detection at the account level, analysing VPC Flow Logs, DNS logs, and CloudTrail events using machine learning to identify anomalous behaviour, reconnaissance patterns, compromised instances, and lateral movement attempts – automatically, without requiring you to manage rulesets.
- AWS Web Application Firewall (WAF) sits in front of all public-facing endpoints, providing managed protection against the OWASP Top 10, including SQL injection, cross-site scripting, and HTTP request flooding. Rate limiting rules protect against credential stuffing and abuse of API endpoints.
- AWS Shield Standard provides always-on protection against common network and transport layer DDoS attacks at no additional cost, with the option to enable AWS Shield Advanced for organisations requiring SLA-backed DDoS response and cost protection.
- CloudTrail provides a complete, tamper-evident audit log of every API call made within the AWS account – who did what, when, from where – feeding both real-time alerting and post-incident forensic investigation.
Together, these controls create a detection and response posture that is proactive rather than reactive. Threats are identified and contained, not discovered after the damage is done.
Layer 6: High Availability and Clustered Resilience
Data sovereignty is meaningless without availability. Your organisation’s FinOps function – its ability to monitor cloud spend, enforce budgets, action recommendations, and govern costs across business units and cloud providers – cannot be held hostage to a single server failing at an inconvenient moment.
The Opactiv platform is architected for high availability from the ground up:
- Database layer: The primary data store is deployed as a clustered, multi-node configuration in a Multi-AZ arrangement.
- Application layer: Application servers are deployed across multiple Availability Zones behind a load balancer. Auto Scaling Groups ensure that the desired capacity is maintained automatically in the face of instance failure or demand spikes.
- Storage layer: Object storage used for report exports, billing data archives, and audit artefacts is backed by Amazon S3, which provides eleven nines durability through automatic replication across multiple facilities within your chosen region.
- Backup and recovery: Automated daily snapshots of all database instances are retained according to a configurable retention policy. Restoration is tested, documented, and confined to your chosen AWS region, ensuring that disaster recovery processes remain within the bounds of your data sovereignty requirements.
The Opactiv Commitment: Security Is Not Negotiable
The breadth of what Opactiv manages – cloud infrastructure costs, AI API spend, datacenter total cost of ownership, SaaS licence consumption, and multi-entity financial governance – means that the platform touches sensitive commercial intelligence across an organisation’s entire technology portfolio. The obligations that creates are not light ones – we take them seriously.
For us, data sovereignty, security, access control, and availability are the conditions under which we know that we must operate within.
