Security at Ondorse
Compliance
- SOC2 Type 2 and ISO27001 certifications on the roadmap
- Strict implementation of EBA guidelines for essential outsourced services :
- Audit rights for the customer and the regulator
- Open subcontractor list for Ondorse, subject to the same guidelines and customer’s approval (sub-outourcing framework agreement)
- Reversibility of the service
- Service Level Agreement
- Monitoring of EBA policies to continue to meet the new standards
- GDPR compliant
- All data hosted in EEU
- Privacy by design
Access and organizational security
- Authentication: strong password policies to ensure access to Ondorse's cloud services and SaaS are protected.
- Password Managers: all company-issued laptops have a password manager in place for team members to manage passwords and maintain password complexity.
- Permissions: access to cloud infrastructure and other sensitive tools are limited to authorized employees who require it for their role.
- Security policy deployed (for travels, out-of-office work, in-office practices, laptop configurations, and encryption)
- Least privileged access control:
- Production account is only accessible by Senior DevOps employees, on a need-to-do basis
- No manual access for ordinary operations
- Minimally scoped permissions for apps running
Internal technical security
- Security tests and monitoring
- Third-party penetration testing: we work with independent security consultants to conduct regular penetration tests on all parts of our system.
- Auditability (log trails)
3rd party providers
- Up-to-date list of 3rd party services used with production data can be provided on request at any moment
- Current list is:
- AWS (servers located in the EU, with the EBA Financial Services Addendum)
Data
- Cloud-native platform hosted in the EU on AWS: all our services are hosted with Amazon Web Services (AWS) in Europe. For more information please visit AWS Security.
- Data encryption: data is encrypted at rest and in transit using state-of-the-art standards
- Data isolation:
- Specific AWS account for production on which only Senior DevOps employees can have access
- Your data is stored on different servers than Ondorse data and other customers' data
Updated over 1 year ago