Security & data protection

Our approach to compliance

Onspring has always been a customer-first organization, which means our decisions are based on how we can better support you in any capacity and at any point in time. Data security is of utmost importance to our business and that of our customers. We take our security and compliance measures seriously and expect the same from you.

Onspring is FedRAMP in process as of Jan 2023

FedRAMP In Process

The Onspring GovCloud platform achieved the FedRAMP In Process designation in January 2023, a key milestone to receiving FedRAMP Authorization.

Onspring GovCloud will provide the fastest-performing cloud-based GRC software in a FedRAMP Authorized environment. With the FedRAMP In Process designation, federal agencies and any organization necessitating a FedRAMP Authorized GRC software can now begin solicitations with Onspring.

SOC I & II Compliance

Onspring holds AICPA SOC 2 Type I certification and is currently working to achieve AICPA SOC 2 Type II certification that attests our Security, Confidentiality, and Availability controls are in place in accordance with the AICPA Trust Service Criteria.

SOC 2 Compliance


Customer data and attachments reside on servers owned and managed by Onspring. For customers requiring FedRAMP compliant cloud environments, Onspring stores data in a dedicated environment.

Onspring maintains logical segregation of each and every customer database.

For example, data stored in a customer’s production database, a development database, or a test database does not commingle with other customer data.

For customers who require a higher degree of separation, Onspring will locate their databases to a dedicated server for an additional cost.

Customers maintain complete control over who can access their data. Onspring provides a number of authentication options, including integrations with third-party Single Sign On (SSO) solutions and Active Directory (AD) integrations to enforce access control standards.

No. Your data is your data.

Onspring is contractually bound by this concept and does not access customer data without express written permission from authorized customers.

Onspring’s security module provides a great deal of flexibility for data accessibility. Control settings can be set per role, content, or field.

Role-based security allows customers to designate primary and maximum levels of access within the database for each user.

      • Access is segmented by various apps, or data tables, in which data is stored.
      • Each user can be granted Create, Read, Update and/or Delete rights.

Content and field security allows customers to create more refined access settings.

      • By defining content security rules, customers can dynamically adjust access within an app based on user assignments, group/role membership, and/or record attributes.
      • Field level security rules enable customers to restrict access to read-only or completely revoke access at the field level for users operating with specific roles.

Onspring also enables encryption on text-based fields to prevent content access by Onspring team members who hold database access.

Data is extracted from Onspring by using either the reporting functionality or leveraging the RESTful API for migration to another database or platform.

Onspring reporting performs ad hoc extracts of data into Excel and PDF format. Reports can also be set up to extract data on a set schedule and sent to a specific user or group of users.

Data security is our priority. We take testing seriously and we take proactive data protection even more seriously.

SecurityScorecard awarded Onspring with a 100/100 score.

If you have additional questions please reach out to us to discuss.