Security & data protection at Onspring

Data security is of utmost importance to our business and that of our customers. We take our security and compliance measures seriously, so you can rest easy knowing Onspring works tirelessly to maintain our security and your trust. 

Vulnerability Remediation for System Security

Onspring Platform Certifications


SOC2 Type II

Onspring maintains a SOC2 Type II attestation annually with AICPA to validate our safeguards for customer data security, availability & confidentiality.

Onspring is Star level 1 Cloud Security Alliance


Onspring is STAR Level One with the Cloud Security Alliance (CSA), demonstrating our continued compliance with the Cloud Controls Matrix (CCM).

FedRamp Authorized

FedRAMP Authorized

Onspring GovCloud is FedRAMP Authorized at a moderate impact level.
View GSA Listing.

Risk Management Icon Onspring Red Line

Penetration Attestations

Network penetration tests against public-facing infrastructure and web app tests against public-facing web services, plus internal vulnerability and penetration testing against non-public infrastructure, including wireless networks, is conducted annually.

Vendor Management Icon Onspring Teal Line

IT Accessibility/Section 508

Onspring ensures the accessibility and usability of our platform and products for individuals with disabilities through our compliance with the Voluntary Product Accessibility Template (VPAT) v2.4 and revised 508 standards.

SDLC Management Icon Onspring Yellow Line

Subservice Organizations

Subservice organizations maintain their own certifications and audit processes that meet the requirements of their service offerings. Onspring reviews attestations annually to ensure their due diligence activities and our mandatory requirements.

Policies & Procedures

We document information privacy, security, and risk management policies to ensure the confidentiality, integrity, and availability of customer data. Clearly defined roles, responsibilities, policies, and procedures protect the data stored in Onspring.

Security practices:
  • Maintenance of Information Security Policies
  • Dedicated security resources with defined responsibilities and accountability
  • Acceptable use of Onspring’s platform and systems
  • Identity, access, and authentication management
  • Access control and password requirements
  • Platform logging and monitoring process
  • Incident response process
  • Risk management, certifications, and assessments
  • Physical controls and security requirements of our data centers
  • Third-party risk management, security, and privacy


Customer data and attachments reside on servers owned and managed by Onspring. For customers requiring FedRAMP compliant cloud environments, Onspring stores data in a dedicated environment.

Onspring maintains logical segregation of each and every customer database.

For example, data stored in a customer’s production database, a development database, or a test database does not commingle with other customer data.

For customers who require a higher degree of separation, Onspring will locate their databases to a dedicated server for an additional cost.

Customers maintain complete control over who can access their data. Onspring provides a number of authentication options, including integrations with third-party Single Sign On (SSO) solutions and Active Directory (AD) integrations to enforce access control standards.

No. Your data is your data.

Onspring is contractually bound by this concept and does not access customer data without express written permission from authorized customers.

Onspring’s security module provides a great deal of flexibility for data accessibility. Control settings can be set per role, content, or field.

Role-based security allows customers to designate primary and maximum levels of access within the database for each user.

      • Access is segmented by various apps, or data tables, in which data is stored.
      • Each user can be granted Create, Read, Update and/or Delete rights.

Content and field security allows customers to create more refined access settings.

      • By defining content security rules, customers can dynamically adjust access within an app based on user assignments, group/role membership, and/or record attributes.
      • Field level security rules enable customers to restrict access to read-only or completely revoke access at the field level for users operating with specific roles.

Onspring also enables encryption on text-based fields to prevent content access by Onspring team members who hold database access.

Data is extracted from Onspring by using either the reporting functionality or leveraging the RESTful API for migration to another database or platform.

Onspring reporting performs ad hoc extracts of data into Excel and PDF format. Reports can also be set up to extract data on a set schedule and sent to a specific user or group of users.

Data security is our priority. We take testing seriously and we take proactive data protection even more seriously.

SecurityScorecard awarded Onspring with a 100/100 score.

If you have additional questions please reach out to us to discuss.