
What are the security controls in use?

ONEiO implements a comprehensive set of security controls through its ISO/IEC 27001:2022-certified Information Security Management System (ISMS). The controls are designed to ensure the confidentiality, integrity, and availability of the ONEiO SaaS platform.

1. Physical and Infrastructure Security

  • Hosting: Services are hosted on Amazon Web Services (AWS) in Ireland (eu-west-1), London (eu-west-2), or North Virginia (us-east-1).
  • Data Center Security: AWS data centers include 24/7 CCTV, multi-factor authentication for access, and fire suppression systems.
  • Redundancy: High availability is ensured through at least three Availability Zones per region and replicated databases.

2. Data Security and Encryption

  • Encryption at Rest: Integration message contents are encrypted using AES-256 before being written to the database. Disk-level encryption (AWS EBS) is also applied.
  • Encryption in Transit: All data movement is secured using TLS 1.2 or 1.3.
  • Key Management: Master keys are managed via AWS KMS.
  • Data Retention: Customer message data is automatically deleted after 30 days.
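The encryption-at-rest and key-management bullets describe the standard envelope-encryption pattern: each message is encrypted with AES-256 before it reaches the database, and the per-message keys are in turn protected by a master key held in AWS KMS. The following Go program is an added illustration of that pattern and is not ONEiO's code. It uses AES-256-GCM for both layers; the KMS master key is stood in for by a locally generated key (in AWS the master key never leaves KMS), and the message ID is bound as associated data, playing the role a KMS encryption context would, so a stored row cannot be swapped for another without detection. The function names, the `Envelope` type, and the sample payload are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what a database row would hold for one message: the data key
// wrapped under the master key, and the message sealed under the data key.
// Neither field reveals the plaintext without the master key.
type Envelope struct {
	WrappedKey []byte // nonce || AES-256-GCM(masterKey, dataKey)
	Sealed     []byte // nonce || AES-256-GCM(dataKey, message)
}

// NewMasterKey generates a 32-byte key. This stands in for a KMS master key;
// a real deployment would call KMS and never hold this value in memory.
func NewMasterKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// seal encrypts with AES-256-GCM using a fresh random nonce and returns
// nonce || ciphertext || tag. aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext after the nonce it is given as dst.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to the ciphertext, tag or aad fails here.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptMessage performs envelope encryption: a new AES-256 data key per
// message, the message sealed under it, and the data key wrapped under the
// master key. The message ID is bound as associated data.
func EncryptMessage(masterKey []byte, messageID string, plaintext []byte) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return Envelope{}, err
	}
	sealed, err := seal(dataKey, plaintext, []byte(messageID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(masterKey, dataKey, []byte("data-key:"+messageID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Sealed: sealed}, nil
}

// DecryptMessage unwraps the data key with the master key, then opens the
// message. A wrong master key, wrong message ID or tampered row returns an error.
func DecryptMessage(masterKey []byte, messageID string, env Envelope) ([]byte, error) {
	dataKey, err := open(masterKey, env.WrappedKey, []byte("data-key:"+messageID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, env.Sealed, []byte(messageID))
}

func main() {
	masterKey, _ := NewMasterKey()
	// Constructed sample payload, not real integration data.
	env, _ := EncryptMessage(masterKey, "msg-42", []byte("ticket INC-1234: printer offline"))
	pt, err := DecryptMessage(masterKey, "msg-42", env)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	_, err = DecryptMessage(masterKey, "msg-43", env)
	fmt.Println("row swapped to another message ID rejected:", err != nil)
}
```

Two properties of the layout are worth noting for a defender reviewing such a design: the 30-day retention rule above can be enforced by deleting rows, and a per-message data key means a compromised single row does not expose any other message, since every row needs the master key to be unwrapped.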

3. Access and Identity Management

  • Authentication: Mandatory Multi-Factor Authentication (MFA) is enforced wherever possible, including for all administrative access.
  • Authorization: Access follows the principles of least privilege and need-to-know.
  • Password Protection: Passwords are salted and hashed.
  • Access Reviews: Asset owners perform user access reviews at least twice per year.

4. Network and Operations Security

  • Network Protection: Services run inside environment-specific AWS Virtual Private Clouds (VPC) with strict Security Groups and Network ACLs.
  • Threat Detection: AWS GuardDuty provides continuous monitoring for malicious activity and unauthorized behavior.
  • Logging: Audit logs are produced for all user activities and archived.

5. Secure Software Development Lifecycle (SSDLC)

  • Policy & Governance: A formal Secure Software Development Policy ensures security is embedded from planning through deployment.
  • Peer Review: Mandatory manual peer review by at least one individual other than the author is required for all code changes, including infrastructure-as-code and server images, before release.
  • Secure CI/CD: Automated pipelines include Static Application Security Testing (SAST), dependency scanning, and container vulnerability scans.
  • Environment Separation: Development, staging, and production environments are strictly segregated into separate AWS accounts and VPCs. No production data is used in development or test environments.
  • Third-Party Libraries: Only reputable, permissively licensed libraries are used, with automated license compliance and vulnerability monitoring.
  • Penetration Testing: Independent third-party penetration tests are conducted annually, following OWASP and OSSTMM methodologies.

6. Governance and Risk Management

  • ISMS: Continually improved based on ISO 27001:2022 requirements.
  • Risk Assessment: Regular risk assessments are performed for all new assets and significant changes.
  • Business Continuity: Documented disaster recovery plans are maintained.

More comprehensive information can be found on ONEiO SaaS Security.
