
Security FAQs

ISO - Oneflow

Find all answers about Oneflow security.

Are you ISO 27001 certified?

Yes! You can read more on our Compliance page in the Security Center, where you can also download the certificate.

Can you share your SoA (Statement of Applicability)?

Yes, you can download it here. Every control in the SoA is included and implemented and we have not excluded anything from the scope.

Can you share the certificate of your latest pentest?

Sure, you can find our latest pentest here.

Can you share details of the findings of your latest pentest?

Absolutely, upon signing a Non-Disclosure Agreement (NDA).

Does Oneflow have a bug bounty program?

Oneflow encourages responsible disclosure. Vulnerabilities may be reported to security@oneflow.com. Oneflow does not have a bug bounty program at this time, and does not pay bounties for reported vulnerabilities.

How do I report a security vulnerability?

To report a security vulnerability, please email the details to security@oneflow.com.

Does Oneflow support Single Sign-On (SSO)? If so, how is it implemented?

Oneflow currently supports the following platforms for SSO:

  • Azure
  • ADFS
  • ForgeRock
  • Google Workspace
  • Duo
  • OneTouch

If you use another platform, you can reach out and we will help. You can read about how to enable SSO here.

Have you obtained a certification related to information security and/or protection of personal data?

Yes, we are ISO 27001 certified! You can read more on our Compliance page in the Security Center, where you can also download the certificate.

How is customer data backed up? What is your backup policy?

Oneflow utilizes multiple levels of backups for both data and documents. For databases, we have raw daily database dumps, daily database snapshots retained for 7 days, and point-in-time recovery to as recently as 5 minutes ago. For documents, we have a real-time mirror sync to a separate AWS region (Stockholm), and every document is versioned to protect against deletions in both regions. You can read more about our reliability here.

Is there an information security policy? Are personnel trained on the information security policy?

Oneflow maintains a comprehensive information security policy. An information security training & privacy session is held at least annually, and all new personnel attend an information security training & privacy session.

What are the physical security controls?

The Oneflow office is located within a shared office building where security measures are in place. As for data centres, Oneflow uses AWS to host the Oneflow application, and the physical security controls are managed by AWS, which has a range of security measures in place. Read more about AWS hosting here.

What is your timeline for remediating security vulnerabilities?

Oneflow commits to the following timeline:

  • Critical severity: Begin remediation immediately upon identification, deployment time within 1 week.
  • High severity: Deployment time within 2-4 weeks.
  • Medium severity: Deployment time within 1-2 months.
  • Low severity: We will aim to fix within 6 months when an impact assessment indicates that this vulnerability affects our systems and should therefore be prioritised.

What is the software development lifecycle (SDLC), or software change control process?

Oneflow employs Agile methodologies in our software development lifecycle (SDLC) to ensure flexibility and continuous improvement. All software changes undergo thorough peer review before release. We maintain multiple fully functional environments for testing and validation outside of the production environment, facilitating rigorous QA processes. Changes are accepted into production only after they pass peer review and the software’s automated test suite. This Agile approach enhances our ability to respond quickly to changes and efficiently manage the development process.

What data encryption standards does Oneflow employ?

Oneflow uses advanced encryption standards to protect customer data. This includes AES-256 encryption for data at rest and TLS 1.2 or higher for data in transit, ensuring that all customer data is securely encrypted during storage and transmission.
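As an added illustration of the "TLS 1.2 or higher" floor described above (example code written for this page, not Oneflow's own implementation), the snippet below builds a hardened client-side TLS context with the Python standard library, builds a deliberately permissive one for comparison, and runs a small audit over each. The audit function and its finding strings are assumptions introduced here; only the `ssl` module calls are real.

```python
import ssl


def hardened_context() -> ssl.SSLContext:
    """Client context that refuses anything older than TLS 1.2 (assumed policy)."""
    ctx = ssl.create_default_context()           # verifies certs and hostnames
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # enforce the TLS 1.2 floor explicitly
    return ctx


def permissive_context() -> ssl.SSLContext:
    """Weak setting shown for contrast: lets OpenSSL negotiate its oldest supported version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False                    # also drops hostname verification
    ctx.verify_mode = ssl.CERT_NONE               # and certificate verification
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of policy violations found in ctx (empty list means compliant).

    The checks mirror the stated policy: a TLS 1.2 minimum, plus the verification
    settings a client needs so the encrypted channel actually ends at the intended peer.
    """
    findings = []
    # MINIMUM_SUPPORTED is a negative sentinel, so a plain comparison flags it as too low.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        findings.append("TLS compression not disabled")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_context()), ("permissive", permissive_context())):
        problems = audit_tls_context(ctx)
        print(f"{name}: {'OK' if not problems else ', '.join(problems)}")
```

The same audit applies to a server-side context (`ssl.PROTOCOL_TLS_SERVER`) with the hostname check omitted; the point is that "TLS 1.2 or higher" is a property you set and verify on the context, not something the library guarantees by default on every Python and OpenSSL combination.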

Does Oneflow have an incident response plan for security breaches?

Oneflow has a comprehensive incident response plan in place to promptly address any security breaches. This plan outlines procedures for immediate containment, investigation, and remediation of incidents, ensuring minimal impact on our customers and compliance with all relevant notification laws.

Does Oneflow comply with industry-specific regulations relevant to digital contracts?

Oneflow is committed to adhering to industry-specific regulations that apply to digital contracts. This includes compliance with standards such as eIDAS in the EU for electronic signatures and transactions, ensuring our services meet the legal requirements for digital contracts in various jurisdictions.

What user access and authentication controls are in place in Oneflow?

Oneflow employs robust user access and authentication controls, including multi-factor authentication (MFA), role-based access controls (RBAC), and regular audits of user permissions. These measures ensure that only authorized users can access sensitive information and that user access is appropriately limited based on their role within the organization.