How we make compliance seamless in everything we build.
Privacy by design and by default
This principle is our product development ‘north star’ that guides everything we build. Here are some of the questions we always ask ourselves in every product development decision we make:
- Sensitive information – Does the code expose any sensitive information?
- Establish the context – Does the purpose of the code meet the acceptable risk parameters?
- Making intrusion difficult – Are all aspects of the code and system difficult to compromise. Does the new code negatively impact pre-existing code?
- Making disruption difficult – Is the system and code resilient and not susceptible to denial of service attacks and usage spikes?
- Making intrusion detection easier – Is the code and system designed to allow suspicious activity to be noticed easily, e.g. are adequate logging and monitoring in place?
- Reducing the impact of intrusion – Is the system developed to minimize the impact of an intrusion. Is functionality structured to prevent unnecessary connections to other parts of the system?
- Protection against common vulnerabilities – Are systems developed safely against most vulnerabilities e.g. OWASP Top 10?
Your data is our responsibility
Oneflow has a comprehensive Business Continuity and Disaster Recovery Policy in place which reviewed annually or whenever significant changes are made.
Oneflow is built with redundancy at every layer of its infrastructure. The platform, databases, storage and auxiliary services are hosted in multiple availability zones in Ireland, EU to allow for sporadic failures without any loss of availability, functionality or customer data. System logs and authentication logs are stored for 90 days (including 30 days off-site backup). Backups are also taken at regular intervals and stored in data centers in Sweden.
Oneflow is a secure platform with capabilities for searchability, follow-up and control. Personal data is safe in one place, rather than spread across email, servers and hard drives. Customer data (including personal data) processed and stored in Oneflow is confidential and only accessed by the customer.
Data is encrypted in transit and at rest; TLS 1.2 is used to encrypt data in transit, from the public internet to our CDN edge points, all the way into our internal network before being processed. Databases, servers and file storage also all encrypt data before storing it at rest, utilizing state-of-the-art encryption with the AES 256 algorithm.
Oneflow is aligned to the ISO 27001 standard, the NIST framework and has a range of internal policies, procedures and guidelines. These form our Information Security Management System and govern our approach to security and privacy. A selection of our policies is shown below. Please contact us if you wish to review any of our policies in detail.
• Information Security Policy
• Acceptable Use Policy
• Change Management Policy
• Decommissioning and Destruction Policy
• Information Security Risk Management Policy
• Information Security Incident Management Procedure
• Business Continuity and Disaster Recovery Policy
• Supplier Security Policy
• Secure Development Policy
• Workplace Policy
Please contact us if you wish to review any of our policies in detail.
Shared responsiblity model
In order for Oneflow to be able to provide a secure platform, security and compliance is shared between Oneflow and the customer. The goal of the shared responsibility model is to allow Oneflow to focus on providing a secure platform to its customers while allowing customers to proactively be engaged in the protection of their assets.
Oneflow is responsible for the security of the platform, the infrastructure and the network used to provide the service. In order to maintain the confidentiality, integrity and availability of data stored and processed by Oneflow, data is encrypted during transit and at rest. Regular updates are applied to the application to ensure the highest level of protection at all times. Additionally, the Oneflow platform is hosted in multiple geographically separated locations, which results in a redundant reliable service.
Oneflow is also responsible for offering a wide range of security enhancing functionality to further allow protection of the customers most important assets. This functionality can be activated for the appropriate risk landscape, operational requirements and compliance obligations.
Customers are responsible for the security of the Oneflow application in relation to the elements under their control. For example, customers are responsible for ensuring that authentication details such as passwords are kept secure and not exposed to unauthorized persons.
Oneflow provides a wide range of security functionality, however, it is the customers responsibility to make use of such functionality, for example two step authentication, Single Sign-on and data retention policies. Access to contracts can be controlled by the customer through the use of advanced role based permissions and as such the customer is responsible for making sure that permissions are granted to only those who require access within the organization. Additionally, it is the customers responsibility to make sure the contract is sent to the correct recipient.
Contracts that have been downloaded or exported outside the Oneflow platform are the sole responsibility of the customer; customers will still be able to access the contract within Oneflow as long as it has not been deleted by the customer.