Security & data protection at Onspring

Data security is of utmost importance to our business and that of our customers. We take our security and compliance measures seriously, so you can rest easy knowing Onspring works tirelessly to maintain our security and your trust.

Vulnerability Remediation for System Security

Onspring Platform Certifications

SOC2 Type II

Onspring maintains a SOC2 Type II attestation annually with AICPA to validate our safeguards for customer data security, availability & confidentiality.

Onspring is Star level 1 Cloud Security Alliance

CSA & CCM

Onspring is STAR Level One with the Cloud Security Alliance (CSA), demonstrating our continued compliance with the Cloud Controls Matrix (CCM).

FedRAMP Authorized Moderate Level Onspring CSP

FedRAMP In-Process

Onspring GovCloud is FedRAMP In Process at a moderate level, a key milestone to receiving FedRAMP Authorization, expected before the end of 2024. View GSA Listing.

Penetration Attestations

Network penetration tests against public-facing infrastructure and web app tests against public-facing web services, plus internal vulnerability and penetration testing against non-public infrastructure, including wireless networks, is conducted annually.

IT Accessibility/Section 508

Onspring ensures the accessibility and usability of our platform and products for individuals with disabilities through our compliance with the Voluntary Product Accessibility Template (VPAT) v2.4 and revised 508 standards.

Subservice Organizations

Subservice organizations maintain their own certifications and audit processes that meet the requirements of their service offerings. Onspring reviews attestations annually to ensure their due diligence activities and our mandatory requirements.

Policies & Procedures

We document information privacy, security, and risk management policies to ensure the confidentiality, integrity, and availability of customer data. Clearly defined roles, responsibilities, policies, and procedures protect the data stored in Onspring.

Security practices:

Maintenance of Information Security Policies
Dedicated security resources with defined responsibilities and accountability
Acceptable use of Onspring’s platform and systems
Identity, access, and authentication management
Access control and password requirements
Platform logging and monitoring process
Incident response process
Risk management, certifications, and assessments
Physical controls and security requirements of our data centers
Third-party risk management, security, and privacy

FAQS

Where is customer data stored when loaded in onspring?

Customer data and attachments reside on servers owned and managed by Onspring. For customers requiring FedRAMP compliant cloud environments, Onspring stores data in a dedicated environment.

How is data kept separate across customers?

Onspring maintains logical segregation of each and every customer database.

For example, data stored in a customer’s production database, a development database, or a test database does not commingle with other customer data.

For customers who require a higher degree of separation, Onspring will locate their databases to a dedicated server for an additional cost.

Who has authority to access customer data?

Customers maintain complete control over who can access their data. Onspring provides a number of authentication options, including integrations with third-party Single Sign On (SSO) solutions and Active Directory (AD) integrations to enforce access control standards.

Do Onspring employees have access to customer data?

No. Your data is your data.

Onspring is contractually bound by this concept and does not access customer data without express written permission from authorized customers.

Once someone logs into Onspring, what data is accessible and can it be restricted?

Onspring’s security module provides a great deal of flexibility for data accessibility. Control settings can be set per role, content, or field.

Role-based security allows customers to designate primary and maximum levels of access within the database for each user.

- - Access is segmented by various apps, or data tables, in which data is stored.
  - Each user can be granted Create, Read, Update and/or Delete rights.

Content and field security allows customers to create more refined access settings.

- - By defining content security rules, customers can dynamically adjust access within an app based on user assignments, group/role membership, and/or record attributes.
  - Field level security rules enable customers to restrict access to read-only or completely revoke access at the field level for users operating with specific roles.

Onspring also enables encryption on text-based fields to prevent content access by Onspring team members who hold database access.

How do customers pull data from Onspring?

Data is extracted from Onspring by using either the reporting functionality or leveraging the RESTful API for migration to another database or platform.

Onspring reporting performs ad hoc extracts of data into Excel and PDF format. Reports can also be set up to extract data on a set schedule and sent to a specific user or group of users.

Data security is our priority. We take testing seriously and we take proactive data protection even more seriously.

SecurityScorecard awarded Onspring with a 100/100 score.

If you have additional questions please reach out to us to discuss.

Talk with Us