Data Security, Privacy & Compliance
Osmos understands that its products must meet the highest standards for security and privacy. To achieve this, Osmos has established oversight and policy structures that identify and mitigate potential risks during development and service delivery. Osmos has developed comprehensive and rigorous software security assurance processes and procedures that ensure and demonstrate the integrity of its products and address potential vulnerabilities.
Osmos may engage with independent third parties to give customers greater assurance that multiple layers of protection have been put into place to secure data.
Osmos' application architecture is comprised of components that, combined, provide a secure foundation for the software solution. Osmos utilizes Google Cloud Platform as its web security and web application firewall provider, serving as a critical line of defense against potential malicious activity.
Our infrastructure is developed primarily in the Rust Programming Language. This provides memory safety (like Java) while providing the performance of C/C++. Given that our infrastructure packs and unpacks customer data, this provides a foundational level of security against security issues like buffer overflows. High-risk data transformations are done inside Web Assembly sandboxes to provide additional security.
Passwords are stored with the user identity in the control database. All passwords are stored as salted BCrypt hashes in accordance with OWASP’s recommendation for keyed functions.
Customers also have the option of utilizing SSO via SAML. In this scenario, a user’s password is stored in the customer’s identity provider (IdP) and not in the control database.
User access to the application is always via HTTPS, where we support TLS v1.2 or above. All access to our infrastructure is via HTTPS or SSH with key based two factor authentication
Backups for cloud-hosted implementations are managed, performed, and tested by the Google Cloud Platform. Offsite backups are maintained with a best-effort 1 hour Recovery Point Objective.
To ensure business continuity for our provided services, Osmos maintains a business continuity plan and holds annual technical and tabletop tests. For Google Cloud zonal failures, Osmos has real time failover. For Google Cloud regional and multi-regional failures, Osmos' Recovery Point Objective is 8 hours, while Recovery Time Objective (RTO) is 48 hours.
All data, both in transit and at rest, is encrypted utilizing the 256 key bit Advanced Encryption Standard (AES).
All key management is implemented within Google Secret Manager.
Osmos customers own their data, and we commit to keeping customer data strictly confidential. Data stored or accessed by Osmos is only stored/accessed for the purposes of providing services Osmos is contracted to provide.
Osmos offers standard and custom data retention guarantees to ensure timely deletion of customer data from Osmos' operational systems and backups (usually within 30 days). Osmos enables data portability so customers can easily leave with their data if they choose to stop using our services, without any additional penalties imposed by Osmos
Osmos institutes role-based access and permissions across the entire organization. When designing roles, Osmos follows the “Principle of Least Privilege” framework to ensure only appropriate users have access to sensitive information for the purpose of the task at hand.
Osmos conducts penetration testing annually through the use of external third parties. The scope for any penetration testing engagement includes the primary web application, internal and external testing of the underlying architecture/infrastructure, and all associated API endpoints.
Osmos also has a robust vulnerability management program that utilizes the same scope as outlined for penetration testing on an ongoing basis. Automated vulnerability scanning is conducted at a regular cadence (both authenticated and unauthenticated) and operations teams work closely together to review potential risks, mitigate those risks, and reduce the attack surface across the organization.
No resources are shared between the production environment and environments where development, quality assurance, and integration testing occur. Production access is limited to the deployment and on-call engineers, and strict audit access control is in place to ensure compliance. All production access is via a different channel than user access.
Osmos Company complies with all applicable privacy and data protection laws, including GDPR and CCPA. To safeguard customer privacy in accordance with the applicable regulatory frameworks, Osmos has implemented appropriate measures to meet legal and regulatory requirements and continuously makes improvements based on regulatory changes.
Osmos is hosted on Google Cloud Platform. Physical and environmental security is handled entirely by our cloud service providers. Each of our cloud service providers provides an extensive list of compliance and regulatory assurances, including SOC 1/2-3, PCI-DSS, and ISO27001. See the Google Cloud Platform compliance, security, and data center security documentation for more detailed information.
In addition, Osmos undergoes independent SOC2 audit annually and this report is made available under NDA to all existing and prospective customers.
To ensure personal data transfers from the EU to third-party countries apply with the GDPR, Osmos leverages the European Commission’s approved standard contractual clauses (SCCs) as its lawful transfer mechanism.
In accordance with the GDPR and official guidance, the Osmos team reviews the adequacy of data protection in the third-party country and applies appropriate measures to ensure the personal data subject to the transfer still receives essentially equivalent protection.
Data subject and consumer rights are a fundamental component of data protection and privacy laws. Osmos has implemented internal policies and procedures for handling data subject requests it receives, including receipt, verification of identity, and implementation of request.
The GDPR requires that controllers conduct data protection impact assessments (DPIA) before engaging in a processing activity that is likely to result in a high risk to the rights and freedoms of data subjects, such as where the activity involves the use of new technology or involves a very large amount of personal data.
Osmos maintains a DPIA based on relevant official EU-based guidance, which covers all of the mandatory elements.
Access to all infrastructure is controlled via 2 Factor Authentication with physical keys where possible. All deployments, including test infrastructure use the same encryption policies as production services. We maintain state-of-the-art Continuous Integration/Continuous Deployment infrastructure enabling fast development times for customer feature delivery and security updates. We also employ industry standard code analysis, vulnerability scanning and runtime monitoring.