Security & backup monitoring
For an MSP, “security” cuts two ways: keeping an eye on your clients’ security and backup posture, and keeping the PSA itself locked down. Opentra covers both.
Client security & backup posture
Section titled “Client security & backup posture”Endpoint-security and backup tools — Huntress, MSPBackups and the like — feed the same alerts pipeline as RMM monitoring. A backup failure or a security detection lands as an alert against the right client, and a critical or high one becomes a ticket automatically, so a missed backup or a flagged endpoint is worked, not lost in an inbox.
Deeper security-posture surfacing (per-client scorecards, EDR status in the client record) is on the roadmap — the alert ingestion is the foundation it builds on.
Security coverage report
Section titled “Security coverage report”Not every client can afford every control — and the ones they do pay for are easy to forget between renewals. The security coverage report makes what you protect explicit, in language a client’s owner actually understands.
Coverage is declared per organisation (set on the org page — it’s a stated position, not derived from an integration, so it works even for tools Opentra doesn’t connect to yet), across a fixed catalogue of managed security services:
| Service | In plain terms |
|---|---|
| Managed detection & response (EDR) | Behaviour-based protection on every machine, watched by analysts, with the ability to isolate a compromised device within minutes. |
| Antivirus protection | Continuously updated protection that blocks known threats, monitored centrally so a detection is visible immediately. |
| Email security & spam filtering | Phishing, malicious attachments and impersonation quarantined before they reach the inbox. |
| Microsoft 365 security monitoring | Watching for the signs of a compromised account — impossible-travel sign-ins, new forwarding rules, unusual mailbox access. |
| Backup monitoring & verification | Daily checks that backups actually ran, failures chased, and restores periodically verified. |
| Firewall management | Firewall rules, firmware and remote-access settings maintained so they don’t drift into holes. |
| Security awareness training | Short, regular staff training and simulated phishing tests. |
| Password management | A business password manager — strong, unique, shared securely and revocable in one click. |
| Multi-factor authentication | A second proof of identity, so a stolen password alone can’t get in. |
This coverage is what appears as “Your security coverage” in the automated monthly service report and on the client’s portal report page — turning security from an invisible line item into something the client can see they’re getting.
How Opentra secures your data
Section titled “How Opentra secures your data”Because Opentra is self-hosted and single-tenant, your client data lives on infrastructure you control — no multi-tenant SaaS surface, no vendor sitting on your book of business. On top of that, the platform is hardened by default:
- Role-based access, enforced at the server on every action — not just hidden in the UI. Commercial modules (pipeline, quotes, contracts, invoices, reports) check permissions on each read and mutation.
- Portal security. Customer-portal links (contract, quote, change-request, project) use high-entropy random tokens that expire after 30 days, and every approval captures the client’s IP and user-agent for an audit trail.
- Safe email rendering. Inbound email HTML is displayed in a sandboxed frame, never injected into the page — so a malicious email can’t run script against a staff session.
- Rate limiting on public portal and webhook endpoints, keyed on the true client IP and failing closed.
- Signed tracking links and hardened attachment serving, so links can’t be tampered with and files can’t be served as inline active content.