We are aware of the importance of data privacy, and we take it very seriously. We understand that your data is valuable, and you have entrusted us with its security.

We use encryption to secure all the data that flows through our servers. We perform penetration testing regularly, and we have a SOC team to monitor our infrastructure 24/7.

Authentication

We support the following authentication providers and methods: Google, Microsoft and AWS; multi-factor authentication (MFA); local Active Directory; PKI certificates; and OAuth 2.0.

Depth in Design

We apply defense in depth in our design, meaning there are multiple layers of protection between our users’ information and any potential threat. One example is our internal time-based encryption method, which maintains an additional dynamic key unique to each user, an uncommon measure that adds a further layer of protection.

Encryption

Files are encrypted at rest, and we apply an additional layer of AES-256-CBC encryption to sensitive information such as database integrations and environment variables. All data transmitted between OTS and our users is protected with Transport Layer Security (TLS), and HTTP Strict Transport Security (HSTS) is enforced.

MFA

All infrastructure access requires two-factor authentication from whitelisted IP addresses; this is enforced for all access to production systems (many of us use FIDO2 tokens) and is available for user accounts.

Code Review

Changes to source code are reviewed under our secure development cycle and review process before being deployed to production environments. We follow these steps rigorously so that your data remains secure.

Rigorous Security Testing

We perform penetration testing, or “pen tests,” on a regular basis to find vulnerabilities in our code. Pen tests are performed internally and by a contracted third party, and we also run a bounty program to incentivize vulnerability identification from a large pool of expertise.

Uptime

Where near-100% uptime is the highest priority, we offer multi-cloud resiliency for near-perfect uptime.

We also have a SOC (Security Operations Center), which monitors all traffic coming into and out of our services, including network traffic, application-layer traffic and user activity. The SOC team is responsible for 24/7 monitoring coverage of our environment as well as incident response.

Operational Security

All OTS team devices run up-to-date operating systems with domain-enrolled access rules and strict administration policies, and use strong passphrases and encrypted storage.

Minimal Privilege

We follow the principle of least privilege in how we design our cloud infrastructure and how we access it. We use Microsoft, AWS or Google account authentication, with two-factor authentication enforced for all access to production systems (many of us use FIDO2 tokens).

Simple Privacy

In addition to keeping your data secure, we’re committed to keeping it private. Our privacy policy describes what information we collect and why. Aside from the data we store to perform and support the services we offer, we do not store your data.

We are simply not in the business of data storage: we do not store any data that is not absolutely necessary, we limit access to the minimum possible, and we further encourage our customers to implement security best practices such as creating limited-scope service accounts.