Platform · Secure

Secure services, by default, from day one.

Encryption at rest and in transit, role-based access for cloud resources, private networking — all turned on from day one. Hard to misconfigure into something insecure.

Networking

Private subnets, by default.

Every service lives inside your VPC's private subnets. Inbound traffic comes through managed load balancers; outbound traffic flows via NAT gateways. Nothing is exposed to the public internet unless you ask for it.

  • Services deployed in private subnets
  • Inbound traffic via managed load balancers
  • Outbound traffic via NAT gateways

your-vpc · network layout (private subnets)

Inbound (Public): Application Load Balancer, TLS termination · WAF-ready

Private subnet · 10.0.10.0/24
  • orders-api (private)
  • auth-svc (private)
  • billing-worker (private)
  • search (private)

Outbound (Internet): NAT Gateway, per-AZ · static egress IPs

Encryption

Encryption, turned on by default.

At rest, in transit and inside your secret store — encryption is wired in from the first service you deploy.

  • Encryption at rest

    Every persistent volume LocalOps provisions is encrypted with your cloud's KMS by default. No knob to turn on.

  • Auto-renewing SSL certificates

    Free TLS for every public endpoint, renewed automatically. No cron jobs, no manual renewal.

  • Database connections over SSL

    RDS, Cloud SQL and Azure Database connections are TLS-secured by default — services connect via SSL, not plaintext.

  • Encrypted secrets

    Per-service secret store with versioning and audit, encrypted at rest in your cloud's KMS / Secret Manager.

orders-api · IAM role (scoped role)

Old way · cloud keys
  • AWS_ACCESS_KEY_ID (long-lived)
  • AWS_SECRET_ACCESS_KEY (long-lived)
  • Keys leak. Rotated rarely. Hard to scope.

LocalOps way · IAM role
  • s3:GetObject orders-attachments/*
  • sqs:SendMessage orders.fifo
  • kms:Decrypt alias/orders-api
  • No keys handed to the service. Least privilege by construction.

RBAC

Role-based access, not cloud keys.

S3, SNS, SQS, OpenSearch, RDS — all accessed via scoped IAM roles, never long-lived keys. Nothing for your service to leak.

  • One IAM role per service
  • Scoped to exactly the resources it needs
  • No long-lived access keys in env vars

How LocalOps accesses your cloud

We access your cloud via OIDC, never via static keys.

LocalOps assumes a least-privilege role in your cloud, brokered via OIDC with short-term tokens — no service-account keys to store, rotate or leak.

  • OIDC trust

    Your cloud trusts LocalOps's OIDC identity provider — no shared secret.

  • Short-term tokens

    Every action uses a token issued for that action — minutes-long expiry, automatically rotated.

  • Least-privilege role

    The role LocalOps assumes is scoped to exactly what's needed to provision and operate your services.

See all security controls in our docs

Deploy a secure service, from day one.

Free Starter plan, no credit card. Private networking, encryption, scoped IAM and OIDC are wired up the moment your environment comes up.