Security

EFFECTIVE January 01, 2024

Summary

Osmos understands that its products must meet the highest standards for security and privacy. To achieve this, Osmos has established oversight and policy structures that identify and mitigate potential risks during development and service delivery. Osmos has developed comprehensive and rigorous software security assurance processes and procedures that ensure and demonstrate the integrity of its products and address potential vulnerabilities.

Osmos may engage with independent third parties to give customers greater assurance that multiple layers of protection have been put into place to secure data.

Contact security@osmos.io if you have any questions or comments.

Industry Standard Security Controls

Application Architecture Security

Osmos' application architecture is comprised of components that, combined, provide a secure foundation for the software solution. Osmos is a cloud hosted solution, and utilizes Microsoft Azure and Google Cloud Platform as its web security and web application firewall providers, serving as a critical line of defense against potential malicious activity.

Solution Infrastructure

Our infrastructure is developed primarily in the Rust Programming Language. This provides memory safety (like Java) while providing the performance of C/C++. Given that our infrastructure packs and unpacks customer data, this provides a foundational level of security against security issues like buffer overflows. High-risk data transformations are done inside Web Assembly sandboxes to provide additional security.

Application Password Policy

Passwords are stored with the user identity in the control database. All passwords are stored as salted BCrypt hashes in accordance with OWASP’s recommendation for keyed functions.

Customers also have the option of utilizing SSO via SAML. In this scenario, a user’s password is stored in the customer’s identity provider (IdP) and not in the control database.

Communications Security

User access to the application is always via HTTPS, where we support TLS v1.2 or above. All access to our infrastructure is via HTTPS or SSH with key based two factor authentication

Data Backup and Business Continuity Management

Backups for cloud-hosted implementations are managed, performed, and tested by the Google Cloud Platform and Microsoft Azure. Offsite backups are maintained with a best-effort 1 hour Recovery Point Objective.

To ensure business continuity for our provided services, Osmos maintains a business continuity plan and holds annual technical and tabletop tests. For Google Cloud and Microsoft Azure zonal failures, Osmos has real time failover. For Google Cloud or Microsoft Azure regional and multi-regional failures, Osmos' Recovery Point Objective is 8 hours, while Recovery Time Objective (RTO) is 48 hours.

Data Encryption

All data, both in transit and at rest, is encrypted utilizing the 256 key bit Advanced Encryption Standard (AES).

All key management is implemented within Google Secret Manager.

Intellectual Property Rights and Data Usage

Osmos customers own their data, and we commit to keeping customer data strictly confidential. Data stored or accessed by Osmos is only stored/accessed for the purposes of providing services Osmos is contracted to provide.

Osmos offers standard and custom data retention guarantees to ensure timely deletion of customer data from Osmos' operational systems and backups (usually within 30 days). Osmos enables data portability so customers can easily leave with their data if they choose to stop using our services, without any additional penalties imposed by Osmos

Permissions

Osmos institutes role-based access and permissions across the entire organization. When designing roles, Osmos follows the “Principle of Least Privilege” framework to ensure only appropriate users have access to sensitive information for the purpose of the task at hand.

Penetration and Vulnerability Testing

Osmos conducts penetration testing annually through the use of external third parties. The scope for any penetration testing engagement includes the primary web application, internal and external testing of the underlying architecture/infrastructure, and all associated API endpoints.

Osmos also has a robust vulnerability management program that utilizes the same scope as outlined for penetration testing on an ongoing basis. Automated vulnerability scanning is conducted at a regular cadence (both authenticated and unauthenticated) and operations teams work closely together to review potential risks, mitigate those risks, and reduce the attack surface across the organization.

Production Access

No resources are shared between the production environment and environments where development, quality assurance, and integration testing occur. Production access is limited to the deployment and on-call engineers, and strict audit access control is in place to ensure compliance. All production access is via a different channel than user access.

Privacy & Compliance

Osmos Legal and Regulatory Compliance

Osmos Company complies with all applicable privacy and data protection laws, including GDPR and CCPA. To safeguard customer privacy in accordance with the applicable regulatory frameworks, Osmos has implemented appropriate measures to meet legal and regulatory requirements and continuously makes improvements based on regulatory changes.

Osmos is hosted on Microsoft Azure and Google Cloud Platform. Physical and environmental security is handled entirely by our cloud service providers. Each of our cloud service providers provides an extensive list of compliance and regulatory assurances, including SOC 1/2-3, PCI-DSS, and ISO27001. See the Google Cloud Platform compliance, security, and data center security documentation, and Azure Security Documentation, and Azure facilities, premises, and physical security documentation, for more detailed information.

In addition, Osmos undergoes independent SOC2 audit annually and this report is made available under NDA to all existing and prospective customers.

Cross Border Transfers

To ensure personal data transfers from the EU to third-party countries apply with the GDPR, Osmos leverages the European Commission’s approved standard contractual clauses (SCCs) as its lawful transfer mechanism.

In accordance with the GDPR and official guidance, the Osmos team reviews the adequacy of data protection in the third-party country and applies appropriate measures to ensure the personal data subject to the transfer still receives essentially equivalent protection.

Data Subject Rights

Data subject and consumer rights are a fundamental component of data protection and privacy laws. Osmos has implemented internal policies and procedures for handling data subject requests it receives, including receipt, verification of identity, and implementation of request.

Data Protection Impact Assessments

The GDPR requires that controllers conduct data protection impact assessments (DPIA) before engaging in a processing activity that is likely to result in a high risk to the rights and freedoms of data subjects, such as where the activity involves the use of new technology or involves a very large amount of personal data.

Osmos maintains a DPIA based on relevant official EU-based guidance, which covers all of the mandatory elements.

Company Access Policies

Access to all infrastructure is controlled via 2 Factor Authentication with physical keys where possible. All deployments, including test infrastructure use the same encryption policies as production services. We maintain state-of-the-art Continuous Integration/Continuous Deployment infrastructure enabling fast development times for customer feature delivery and security updates. We also employ industry standard code analysis, vulnerability scanning and runtime monitoring.

Questions? Concerns?

We're always happy to help with any other questions you might have! Send us an email at security@osmos.io