o9 SOC-2 Attestation
o9 Solutions has been attested by independent 3rd party to conform to SSAE 16 / SOC-2 controls.
Our servers are located within AWS enterprise-grade hosting facilities. Access is restricted to authorized staff by a combination of biometric systems and 24/7 onsite security guards, and is continually audited to meet SOC 2 Type II standards.
Firewalls & Network Security
External access to our servers is controlled by multiple layers of firewalls, intrusion protection systems and routers, which are configured and monitored according to industry best practice. Our own internal office networks are isolated from any customer data by design.
Our servers have SSL Certificates signed by DigiCert, so all data transferred between the users and the service is encrypted. The encryption is the same as that used for Internet banking.
User Access & Passwords
No one has access to your instance and data unless invited by you and with a level of user permission selected by you. You can remove any invited users whenever you want. Approved users must choose a strong password and automatic lockouts are enforced when incorrect passwords are repeatedly entered. We don’t allow the browser to save your login, which eliminates access from a stolen or compromised computer. If you leave your computer unattended for an extended period, you will be automatically logged out.
Third Party Vulnerability Testing
We perform regular web application vulnerability and penetration testing and automated server port security scanning using Qualys Enterprise scanners.
Third Party Access
Transfer of data to any third parties can only occur with your consent and to organizations that provide adequate data protection.
Data Protection & Backup
Our service has been designed for high user availability, with redundancy built into our hosting infrastructure, including redundant power, network, database and web servers. Our service availability performance stands at over 99% since launching the service in 2014. All customer data is backed up daily and backups are kept for 30 days or longer if required.