Trust | Security
The security posture, in one place.
Encryption, identity, architecture, vulnerability management, incident response, backup and DR. Reports and questionnaires available under NDA.
Encryption
TLS 1.3 in transit. AES-256 at rest. KMS-managed keys with optional customer-managed keys (CMK) on Scale tier.
Identity & access
SAML 2.0 SSO with Okta, Azure AD, Google Workspace. SCIM 2.0 provisioning. Role-based access controls. MFA enforced on console access.
Architecture
Multi-tenant with strong tenant isolation at the database row level. Single-tenant private cloud available on Scale tier.
Vulnerability management
Quarterly third-party penetration tests. Continuous SAST/DAST/SCA in the SDLC pipeline. Bug bounty programme via HackerOne.
Incident response
On-call rotation, severity-based response SLAs, post-mortem within 5 working days. Customer notification within 24 hours of confirmed incident.
Backup & DR
Continuous backups with point-in-time recovery (35 days). RPO 1 hour, RTO 4 hours. Cross-region failover, tested quarterly.
Detailed posture
Hosting and data residency
Hosted on AWS in regional data centres chosen to meet local data residency rules. India-resident data is stored in Mumbai (ap-south-1) for DPDP; EU-resident data in Frankfurt (eu-central-1) for GDPR; UAE data in Bahrain (me-south-1); Singapore data in Singapore (ap-southeast-1); US data in Virginia (us-east-1).
Tenant isolation
Logical isolation at the database row level: every row carries a tenant_id, and row-level security policies restrict each query to the caller's tenant. All API requests carry an authenticated tenant context. Cross-tenant queries are also blocked at the database driver layer, as a second control in front of the database policies. Single-tenant private cloud is available on Scale tier for groups with strict sovereignty needs.
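To make the row-level-security claim concrete, the following is an added illustration of the pattern, not the onefinops schema or code. It assumes PostgreSQL; the table invoices, the role app_rw and the session setting app.tenant_id are hypothetical names chosen for the example.

```sql
-- Added example, not the onefinops schema. Assumes PostgreSQL; the table
-- "invoices", the role "app_rw" and the setting "app.tenant_id" are hypothetical.

-- The application must connect as a role that does not own the table and has
-- neither SUPERUSER nor BYPASSRLS; such roles skip policies entirely.
CREATE ROLE app_rw LOGIN PASSWORD 'change-me';

CREATE TABLE invoices (
    id            bigserial PRIMARY KEY,
    tenant_id     uuid   NOT NULL,
    amount_cents  bigint NOT NULL,
    memo          text
);
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_rw;
GRANT USAGE ON SEQUENCE invoices_id_seq TO app_rw;

ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;   -- apply to the table owner as well

-- One policy covers reads (USING) and writes (WITH CHECK). NULLIF guards the
-- case where the setting is unset, or was reset to '' after an earlier
-- SET LOCAL: the cast then yields NULL, the comparison is never true, and a
-- request that failed to bind a tenant sees and writes nothing rather than
-- everything.
CREATE POLICY tenant_isolation ON invoices
    FOR ALL TO app_rw
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request, as app_rw: bind the authenticated tenant for this transaction
-- only (SET LOCAL), so a pooled connection cannot carry the context onward.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-4111-8111-111111111111';
SELECT id, amount_cents FROM invoices;      -- returns only that tenant's rows
COMMIT;

-- A write tagged with another tenant's id is rejected by WITH CHECK even
-- though the session is authenticated; the transaction is then aborted.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-4111-8111-111111111111';
INSERT INTO invoices (tenant_id, amount_cents)
    VALUES ('22222222-2222-4222-8222-222222222222', 100);
-- ERROR:  new row violates row-level security policy for table "invoices"
ROLLBACK;
```

Two checks a reviewer of this posture would ask for: that the application role is confirmed to be neither the table owner nor SUPERUSER/BYPASSRLS (otherwise the policy is silently skipped), and that the tenant context is set with SET LOCAL inside each transaction rather than SET on a pooled session, so one tenant's context cannot survive into the next request on the same connection.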
Encryption
TLS 1.3 for all client-server traffic. AES-256-GCM at rest for the database, blob storage and backups. Keys are managed in AWS KMS using envelope encryption (data keys are wrapped by a KMS key). Customer-managed keys (CMK via AWS KMS or an external KMS) are supported on Scale tier.
Identity and access
Customer end-users: SAML 2.0 SSO with all major IdPs (Okta, Azure AD, Google Workspace, OneLogin). SCIM 2.0 for user provisioning, de-provisioning and group sync. JIT user creation. Role-based permissions with role inheritance.
Internal access: SSO + MFA + just-in-time elevation for production. Production access logged to a tamper-resistant audit log; access is reviewed quarterly. Background checks for all employees with production access.
Vulnerability management
Quarterly external penetration tests by an accredited third-party firm. SAST and DAST in the CI pipeline. SCA (software composition analysis) for dependency vulnerabilities, with auto-merge of patches up to a defined risk threshold. Public bug bounty programme via HackerOne. Critical / High vulnerabilities patched within 7 / 30 days respectively per our internal SLA.
Incident response
24x7 on-call rotation. Severity-based response SLAs (Sev 1: 30-min response, 4-hour resolution target). Customer notification within 24 hours of confirmed security incident affecting their data. Post-mortem within 5 working days, shared with affected customers.
Backup and disaster recovery
Continuous backups of the database with point-in-time recovery up to 35 days. Daily snapshots retained for 90 days. Cross-region replication of backups. RPO of 1 hour, RTO of 4 hours. DR drill executed quarterly with documented results.
Logging and monitoring
All API access, configuration changes and admin actions logged to an immutable audit log. Logs retained for 12 months by default; longer on Scale tier per regulation. Customer audit logs streamable to your SIEM (Splunk, Datadog, Sumo Logic) on Scale tier.
security@onefinops.com
SOC 2 Type II report, ISO 27001 certificate, pen-test summaries and security questionnaires (CAIQ, SIG) available under NDA. We respond within 2 business days.