Security at Ondorse


  • SOC2 Type 2 and ISO27001 certifications on the roadmap
  • Strict implementation of EBA guidelines for essential outsourced services :
    • Audit rights for the customer and the regulator
    • Open subcontractor list for Ondorse, subject to the same guidelines and customer’s approval (sub-outourcing framework agreement)
    • Reversibility of the service
    • Service Level Agreement
    • Monitoring of EBA policies to continue to meet the new standards
  • GDPR compliant
    • All data hosted in EEU
    • Privacy by design

Access and organizational security

  • Authentication: strong password policies to ensure access to Ondorse's cloud services and SaaS are protected.
  • Password Managers: all company-issued laptops have a password manager in place for team members to manage passwords and maintain password complexity.
  • Permissions: access to cloud infrastructure and other sensitive tools are limited to authorized employees who require it for their role.
  • Security policy deployed (for travels, out-of-office work, in-office practices, laptop configurations, and encryption)
  • Least privileged access control:
    • Production account is only accessible by Senior DevOps employees, on a need-to-do basis
    • No manual access for ordinary operations
    • Minimally scoped permissions for apps running

Internal technical security

  • Security tests and monitoring
  • Third-party penetration testing: we work with independent security consultants to conduct regular penetration tests on all parts of our system.
  • Auditability (log trails)

3rd party providers

  • Up-to-date list of 3rd party services used with production data can be provided on request at any moment
  • Current list is:
    • AWS (servers located in the EU, with the EBA Financial Services Addendum)


  • Cloud-native platform hosted in the EU on AWS: all our services are hosted with Amazon Web Services (AWS) in Europe. For more information please visit AWS Security.
  • Data encryption: data is encrypted at rest and in transit using state-of-the-art standards
  • Data isolation:
    • Specific AWS account for production on which only Senior DevOps employees can have access
    • Your data is stored on different servers than Ondorse data and other customers' data