
Compliance

How we make compliance seamless in everything we build.


Your data is our responsibility

Your trust is important to us, which is why we go the extra mile to protect your data. Discover how Oneflow’s advanced security infrastructure keeps your information safe.

Oneflow is built with redundancy at every layer of its infrastructure. The platform, databases, storage and auxiliary services are hosted in multiple availability zones in Ireland, EU to allow for sporadic failures without any loss of availability, functionality or customer data. System logs and authentication logs are stored for 90 days (including 30 days off-site backup). Backups are also taken at regular intervals and stored in data centers in Sweden.

Oneflow is a secure platform with capabilities for searchability, follow-up and control. Personal data is safe in one place, rather than spread across email, servers and hard drives. Customer data (including personal data) processed and stored in Oneflow is confidential and only accessed by the customer.

Oneflow has a comprehensive Business Continuity and Disaster Recovery Policy in place which is reviewed annually or whenever significant changes are made.

Certifications

Oneflow is certified in Information Security (ISO 27001), Quality (ISO 9001), and Environment (ISO 14001) as of July 2024. Here is the link to download the certificate. You can also download our Statement of Applicability (SoA) to see how we implement ISO 27001 controls in practice.

Our ISO certifications underscore our dedication to top-tier security compliance, quality control and environmental stewardship.

Implementing appropriate security measures is vital to us and a significant part of our business includes keeping up to date with information security standards and legislation. We have proactive measures in place through e.g. encryption, backup and impact assessments.

Learn more about each of the ISO certifications here.

Policies

A selection of our policies is shown below.

  • Information Security Policy
  • Quality Management Policy
  • Environmental Policy
  • Information Security Risk Management Policy
  • Information Security Incident Management Policy
  • Acceptable Use Policy
  • Access Control Policy
  • Asset Management Policy
  • Business Continuity and Disaster Recovery Policy
  • Supplier Management Policy
  • Secure Development Policy
  • Change Management Policy
  • Workplace flexibility policy 

Please contact us if you have any questions about our certifications or policies.

Shared responsibility model

For Oneflow to be able to provide a secure platform, responsibility for security and compliance is shared between Oneflow and the customer. The goal of the shared responsibility model is to allow Oneflow to focus on providing a secure platform to its customers while allowing customers to be proactively engaged in the protection of their assets.

Oneflow’s responsibility

Oneflow is responsible for the security of the platform, the infrastructure and the network used to provide the service. In order to maintain the confidentiality, integrity and availability of data stored and processed by Oneflow, data is encrypted during transit and at rest. Regular updates are applied to the application to ensure the highest level of protection at all times. Additionally, the Oneflow platform is hosted in multiple geographically separated locations, which results in a redundant, reliable service.

Oneflow is also responsible for offering a wide range of security-enhancing functionality to further allow protection of the customers’ most important assets. This functionality can be activated for the appropriate risk landscape, operational requirements and compliance obligations.

Customer responsibility

Customers are responsible for the security of the Oneflow application in relation to the elements under their control. For example, customers are responsible for ensuring that authentication details such as passwords are kept secure and not exposed to unauthorized persons.

Oneflow provides a wide range of security functionality; however, it is the customer’s responsibility to make use of such functionality, for example two-step authentication, Single Sign-on and data retention policies. Access to contracts can be controlled by the customer through the use of advanced role-based permissions, and as such the customer is responsible for making sure that permissions are granted to only those who require access within the organization. Additionally, it is the customer’s responsibility to make sure the contract is sent to the correct recipient.

Contracts that have been downloaded or exported outside the Oneflow platform are the sole responsibility of the customer; customers will still be able to access the contract within Oneflow as long as it has not been deleted by the customer.

Privacy by design and by default

This principle is our product development ‘north star’ that guides everything we build. Here are some of the questions we always ask ourselves in every product development decision we make:

  • Sensitive information – Does the code expose any sensitive information?
  • Establish the context – Does the purpose of the code meet the acceptable risk parameters?
  • Making intrusion difficult – Are all aspects of the code and system difficult to compromise? Does the new code negatively impact pre-existing code?
  • Making disruption difficult – Are the system and code resilient and not susceptible to denial of service attacks and usage spikes?
  • Making intrusion detection easier – Are the code and system designed to allow suspicious activity to be noticed easily, e.g. are adequate logging and monitoring in place?
  • Reducing the impact of intrusion – Is the system developed to minimize the impact of an intrusion? Is functionality structured to prevent unnecessary connections to other parts of the system?
  • Protection against common vulnerabilities – Are systems developed safely against most vulnerabilities e.g. OWASP Top 10?

Encryption

Data is encrypted in transit and at rest; TLS 1.2 is used to encrypt data in transit, from the public internet to our CDN edge points, all the way into our internal network before being processed. Databases, servers and file storage also all encrypt data before storing it at rest, utilizing state-of-the-art encryption with the AES 256 algorithm.

Questions?

Explore our Security Center to learn more about how Oneflow protects sensitive data, so that you can manage your contracts with peace of mind.

We have gathered everything you need to know on how we ensure a secure platform in our FAQ.
