&Open operates a security program run by the security function and rolled out throughout the organisation. The framework for the &Open security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and the confidentiality, integrity, and availability of Customer Data.
The &Open security framework is based on the Service Organization Control 2 (SOC 2) Type 2 system and includes programs covering: Policies and Procedures, Asset Management, Access Management, Cryptography, Physical Security, Infrastructure Security, Security Compliance, Operations Security, Business Continuity Security, People Security, Product Security, Cloud and Network Security, Third-Party Security, Vulnerability Management, and Security Monitoring and Incident Response.
&Open services and data are hosted in Amazon Web Services (AWS) facilities in the USA.
&Open was built with disaster recovery in mind. All of our infrastructure and data are spread across 2 AWS availability zones and will continue to work should any one of those data centers fail.
All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from reaching our internal network. The VPC is protected with an intrusion detection system (IDS) and continuously monitored for any misconfigurations or security risks.
At the application level, we produce logs for all activity, ship them to our log management platform for analysis, and use S3 for archival. We use an IDS and continuously monitor for any misconfigurations or security risks.
Access to customer data is limited to employees who need it to carry out their mission. &Open traffic uses HTTPS at all times. Access to corporate applications is granted only to people who need it, through our internal approval process. We offer SAML and OAuth single sign-on (SSO) and two-factor authentication (2FA), and enforce the use of strong passwords on all key services to ensure protected access to these and other key cloud services.
All data is encrypted both in transit and at rest using 256-bit encryption. HTTPS is mandated for all requests hitting our system, and all AWS databases and S3 buckets where sensitive data is stored are encrypted.
&Open uses third-party penetration testing partners to carry out a penetration test once per year. Beyond this, all code is continuously scanned for possible vulnerabilities. We use a vulnerability scanner to scan all servers running in our environment. Vulnerabilities are tracked to resolution as part of our SDLC.
&Open implements a program for handling security events and incidents which includes management procedures, rapid mitigation, and post-mortems. All employees are informed of our incident management program.
All vendors are checked as part of a third-party vendor onboarding procedure, which ensures they meet our minimum security requirements depending on the nature of the business and the data we share with them.
All employees undergo Security and Awareness training on commencement of employment and then annually.
We have developed a comprehensive set of security policies and procedures covering a range of topics. These policies and procedures are updated frequently and shared with all employees.
&Open performs background checks on all new employees in accordance with local laws.
All employee contracts include a confidentiality agreement.
We encourage internal staff, external customers, and other stakeholders to report any suspected security incidents. Should you wish to raise a security incident, please contact firstname.lastname@example.org.