Compliance
How we make compliance seamless in everything we build.
Your data is our responsibility
Your trust is important to us, which is why we go the extra mile to protect your data. Discover how Oneflow’s advanced security infrastructure keeps your information safe.
Oneflow is built with redundancy at every layer of its infrastructure. The platform, databases, storage and auxiliary services are hosted in multiple availability zones in Ireland, EU to allow for sporadic failures without any loss of availability, functionality or customer data. System logs and authentication logs are stored for 90 days (including 30 days off-site backup). Backups are also taken at regular intervals and stored in data centers in Sweden.
Oneflow is a secure platform with capabilities for searchability, follow-up and control. Personal data is safe in one place, rather than spread across email, servers and hard drives. Customer data (including personal data) processed and stored in Oneflow is confidential and only accessed by the customer.
Oneflow has a comprehensive Business Continuity and Disaster Recovery Policy in place which is reviewed annually or whenever significant changes are made.
Certifications
Oneflow is certified in Information Security (ISO 27001), Quality (ISO 9001), and Environment (ISO 14001) as of July 2024. Here is the link to download the certificate.
Our ISO certifications underscore our dedication to top-tier security compliance, quality control and environmental stewardship.
Implementing appropriate security measures is vital to us, and a significant part of our business involves keeping up to date with information security standards and legislation. We have proactive measures in place, such as encryption, backups and impact assessments.
Learn more about each of the ISO certifications here.
Policies
A selection of our policies is shown below.
- Information Security Policy
- Quality Management Policy
- Environmental Policy
- Information Security Risk Management Policy
- Information Security Incident Management Policy
- Acceptable Use Policy
- Access Control Policy
- Asset Management Policy
- Business Continuity and Disaster Recovery Policy
- Supplier Security Policy
- Secure Development Policy
- Change Management Policy
- Log Management Policy
- Decommissioning and Destruction Policy
- Workplace Flexibility Policy
- Travel Policy
Please contact us if you have any questions about our certifications or policies.
Shared responsibility model
In order for Oneflow to provide a secure platform, responsibility for security and compliance is shared between Oneflow and the customer. The goal of the shared responsibility model is to allow Oneflow to focus on providing a secure platform to its customers while allowing customers to be proactively engaged in the protection of their own assets.
Oneflow’s responsibility
Oneflow is responsible for the security of the platform, the infrastructure and the network used to provide the service. In order to maintain the confidentiality, integrity and availability of data stored and processed by Oneflow, data is encrypted in transit and at rest. Regular updates are applied to the application to ensure the highest level of protection at all times. Additionally, the Oneflow platform is hosted in multiple geographically separated locations, which results in a redundant, reliable service.
Oneflow is also responsible for offering a wide range of security-enhancing functionality to further protect the customers' most important assets. This functionality can be activated to suit the customer's risk landscape, operational requirements and compliance obligations.
Customer responsibility
Customers are responsible for the security of the Oneflow application in relation to the elements under their control. For example, customers are responsible for ensuring that authentication details such as passwords are kept secure and not exposed to unauthorized persons.
Oneflow provides a wide range of security functionality; however, it is the customer's responsibility to make use of it, for example two-step authentication, Single Sign-on and data retention policies. Access to contracts can be controlled by the customer through advanced role-based permissions, so the customer is responsible for making sure that permissions are granted only to those within the organization who require access. Additionally, it is the customer's responsibility to make sure a contract is sent to the correct recipient.
Contracts that have been downloaded or exported outside the Oneflow platform are the sole responsibility of the customer; customers will still be able to access the contract within Oneflow as long as it has not been deleted by the customer.
Privacy by design and by default
This principle is our product development ‘north star’ that guides everything we build. Here are some of the questions we always ask ourselves in every product development decision we make:
- Sensitive information – Does the code expose any sensitive information?
- Establish the context – Does the purpose of the code meet the acceptable risk parameters?
- Making intrusion difficult – Are all aspects of the code and system difficult to compromise? Does the new code negatively impact pre-existing code?
- Making disruption difficult – Are the system and code resilient and not susceptible to denial-of-service attacks and usage spikes?
- Making intrusion detection easier – Are the code and system designed so that suspicious activity is easily noticed, e.g. are adequate logging and monitoring in place?
- Reducing the impact of intrusion – Is the system developed to minimize the impact of an intrusion? Is functionality structured to prevent unnecessary connections to other parts of the system?
- Protection against common vulnerabilities – Are systems developed safely against most vulnerabilities e.g. OWASP Top 10?
Encryption
Data is encrypted in transit and at rest; TLS 1.2 is used to encrypt data in transit, from the public internet to our CDN edge points, all the way into our internal network before being processed. Databases, servers and file storage also all encrypt data before storing it at rest, utilizing state-of-the-art encryption with the AES 256 algorithm.
Questions?
Explore our Security Center to learn more about how Oneflow protects sensitive data, so that you can manage your contracts with peace of mind.
We have gathered everything you need to know on how we ensure a secure platform in our FAQ.