Data security and privacy are the top priorities in OnePageCRM and are ingrained in every aspect of our business. Since security standards are constantly evolving, our team never stops refining the system and processes to make sure that our customers get world-class data security and encryption. To provide additional insights into our Security Program we have prepared this overview.
Secure Software Development
The OnePageCRM development team consists of trusted and experienced developers who continuously evaluate our coding practices to recognize and promptly address vulnerabilities.
We maintain best practices to ensure your account remains secure:
- Data privacy and protection. Customer data is stored in multi-tenant datastores with strict privacy controls.
- Thorough testing process. New features and updates are developed and tested on development servers before being released to the main production environment.
- High reliability standards. Extensive testing is undertaken by the OnePageCRM Quality team to ensure all new features are working correctly and the performance of the app is maintained.
Do you have a Security Team? What do they do?
OnePageCRM has a dedicated Security Team. Their job consists of:
- Ongoing monitoring and addressing any security issues that arise.
- Continuous evaluation of the security posture of the company, people and applications of OnePageCRM.
- Working with external and internal application penetration testers to continuously and actively ensure a high level of security.
- Working with other business units to ensure business continuity and incident response plans are up to date and practiced.
- Ensuring compliance with OWASP security principles, the AWS Shared Responsibility Model and other relevant security frameworks to protect the integrity of users’ data.
- Running a public Vulnerability Disclosure Program.
- Ensuring a security-first mindset of the entire team including developers and support staff. Regular domain-specific training is run for various teams including security onboarding for new hires.
Does OnePageCRM undergo any external security testing?
OnePageCRM undergoes an annual security assessment by a world-renowned security audit company. The assessment consists of comprehensive penetration testing, including:
- Application Penetration Testing,
- External Penetration Testing,
- Cloud Deployment Review,
- Security Program Review.
OnePageCRM also has an active Vulnerability Disclosure Program.
Are there any additional steps I can take to secure my OnePageCRM account?
OnePageCRM believes in shared responsibility when it comes to protecting your data.
OnePageCRM is responsible for the security of your account but you are responsible for security within your account.
- Always use a strong unique password.
- Always ensure that you are on the correct site.
- Turn on two-factor authentication for your users.
- Assign the correct type of user to each person on the team. OnePageCRM provides four types of users to ensure appropriate access: Account Owner, Administrator, User and Focused User. For a description on how to use these, see here.
- Assign minimal needed permissions to each user on the team. OnePageCRM provides a number of different levels of permissions that determine the actions allowed to be taken by users. These include permissions for deleting contacts/deals, owning private contacts, ability to export contacts in bulk and many others. For a full list, see here.
Encryption and Password Management
Does OnePageCRM encrypt user data? How is user data encrypted?
When a user visits any OnePageCRM application or API, all traffic is encrypted in transit via HTTPS with a minimum supported TLS version of 1.2 and with a modern set of cipher suites recommended by Mozilla. We are graded A+ in the Qualys SSL Server Test.
When user data hits OnePageCRM systems, it is stored encrypted at rest. This is done using the industry-standard AES-256 algorithm.
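Enforcing the transport settings described above in code, as an added example written for this page (it is not OnePageCRM's own configuration): a Python `ssl` server context that refuses anything below TLS 1.2 and restricts TLS 1.2 to the forward-secret AEAD suites from Mozilla's intermediate recommendation, plus an audit function that reads back the enabled suite list and reports any suite that lacks (EC)DHE key exchange or carries a weak algorithm. The suite list and the weak-marker set are this example's choices; the page only states the minimum version and that the suites follow Mozilla's guidance.

```python
import ssl

# TLS 1.2 suites from Mozilla's "intermediate" recommendation (assumption: the page
# names Mozilla but not the exact list). TLS 1.3 suites are not set via set_ciphers();
# OpenSSL enables them separately, and they are all forward-secret AEAD suites.
TLS12_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
])

# Substrings that mark a suite as unacceptable (weak cipher/MAC, export grade,
# anonymous or pre-shared key exchange). Chosen for this example.
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "PSK", "ADH", "AECDH", "anon")


def build_server_context() -> ssl.SSLContext:
    """Server-side context: minimum TLS 1.2, restricted TLS 1.2 suite list.

    A real deployment would also call ctx.load_cert_chain(...) before serving.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.0 / 1.1 handshakes are refused
    ctx.set_ciphers(TLS12_CIPHERS)
    return ctx


def weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that fail the policy.

    A suite fails if its name carries a weak marker, or if it is a pre-TLS-1.3
    suite without ephemeral (EC)DHE key exchange. OpenSSL reports legacy suites
    such as AES128-SHA with protocol "SSLv3", so everything that is not TLSv1.3
    is subject to the forward-secrecy check.
    """
    bad = []
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if any(marker in name for marker in WEAK_MARKERS):
            bad.append(name)
        elif suite["protocol"] != "TLSv1.3" and not name.startswith(("ECDHE-", "DHE-")):
            bad.append(name)
    return bad


def enabled_suite_names(ctx: ssl.SSLContext) -> list:
    """The suite names OpenSSL actually enabled for this context (build-dependent)."""
    return [suite["name"] for suite in ctx.get_ciphers()]


if __name__ == "__main__":
    context = build_server_context()
    print("minimum version:", context.minimum_version.name)
    print("enabled suites:", enabled_suite_names(context))
    print("policy violations:", weak_ciphers(context))
```

Run `weak_ciphers()` against the context a service really uses, not a freshly built one, so that a later change to the cipher string or to the OpenSSL security level is caught.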
How are user passwords encrypted?
In addition to the disk-level encryption described above, very sensitive fields are also encrypted within the database. Passwords are salted and hashed with SHA256. Other sensitive fields like API keys and OAuth2 tokens are encrypted within the database using encryption keys stored on AWS Secrets Manager.
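How the salted hash mentioned above is produced and checked, as an added example (this is not OnePageCRM's code, and the record format `scheme$salt$digest` is this example's own): a fresh random salt per password, so two users with the same password never share a stored digest, and a constant-time comparison on verification. The block also includes a PBKDF2-HMAC-SHA256 variant, which the page does not mention and is included here as an assumption, to show how an iteration count stored with each record lets the work factor be raised later without rewriting existing records.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Record format (constructed for this example):
#   "sha256$<b64 salt>$<b64 digest>"
#   "pbkdf2_sha256$<iterations>$<b64 salt>$<b64 digest>"
SALT_BYTES = 16
DEFAULT_ITERATIONS = 600_000   # assumption for the PBKDF2 variant; the page gives no count


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-256 as the page describes. The salt is random per record and
    stored beside the digest; it is not secret, it only defeats precomputed tables."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return f"sha256${_b64(salt)}${_b64(digest)}"


def hash_password_pbkdf2(password: str, iterations: int = DEFAULT_ITERATIONS,
                         salt: Optional[bytes] = None) -> str:
    """Iterated variant (assumption, not stated by the page): PBKDF2-HMAC-SHA256
    with the iteration count recorded in the stored value."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest using the stored salt (and scheme) and compare in
    constant time. A malformed or unknown record verifies as False, never raises."""
    parts = stored.split("$")
    try:
        if parts[0] == "sha256" and len(parts) == 3:
            salt, expected = base64.b64decode(parts[1]), base64.b64decode(parts[2])
            actual = hashlib.sha256(salt + password.encode("utf-8")).digest()
        elif parts[0] == "pbkdf2_sha256" and len(parts) == 4:
            iterations = int(parts[1])
            salt, expected = base64.b64decode(parts[2]), base64.b64decode(parts[3])
            actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
        else:
            return False
    except (ValueError, TypeError):   # bad base64, bad integer, truncated record
        return False
    return hmac.compare_digest(actual, expected)


def scheme_of(stored: str) -> str:
    """Which scheme a stored record uses; lets a login path upgrade old records."""
    return stored.split("$")[0]


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("wrong password", record))
```

`scheme_of()` is what a login handler would consult to re-hash a record under a newer scheme right after a successful verification, when the plaintext is briefly available.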
What are OnePageCRM password management policies?
The OnePageCRM team is trained according to the company’s Strong Password Policy:
- Our password policies differ for each use case.
- Passwords are never reused.
- The policies are enforced through ongoing monitoring and staff training within each department.
- Keys for encryption of data at rest are managed by AWS.
- Public/Private keys are used by the development team to access code repositories. Access to repositories is restricted and can only be given by selected senior team members.
- Public/Private keys are used by the senior devops team to access servers from limited internal networks.
- Passwords and access for other services/purposes are granted by heads of department on an as-needed basis through a password manager.
Storing and Transferring Your Data
Where is my data stored?
OnePageCRM uses a top-tier third-party data hosting provider, Amazon Web Services (AWS). AWS provides 24/7/365 monitoring and surveillance, on-site security staff, and regular ongoing security audits. You can view more information on AWS data controls and AWS data security and privacy resources. AWS also provides a SOC 2 report for their cloud computing service.
OnePageCRM uses AWS servers located in North Virginia, U.S., and Dublin, Ireland to store your data. In addition, users have the option to select in which AWS region they would like their attachments to be stored.
Currently, for our European and other non-U.S. customers, this means that your personal information is transferred to AWS’s servers in the U.S. OnePageCRM relies on Standard Contractual Clauses (SCCs) included in the AWS GDPR Data Processing Addendum. SCCs are validated by the Court of Justice of the European Union as a legal mechanism for transferring data outside the European Economic Area (EEA).
How is the OnePageCRM network secured?
OnePageCRM believes in security at every layer of the stack. This includes the networking and server layer. The following highlights some of the security measures taken:
- Separate AWS accounts for production and development.
- The OnePageCRM servers in Amazon’s data center are isolated and run in a private network of Amazon’s Virtual Private Cloud Service.
- Different applications/codebases/databases for each type of user data (CRM, billing, sign-in, etc).
- Separate subnets for each application and database.
- Firewalls/Security groups deny everything by default for all instances.
- Web servers accept connections only on the HTTP(S) ports from public networks, and databases are reachable only on the appropriate ports from the applications that need them.
- Inter-server application communication is signed via SAML and encrypted in transit.
- Access to production infrastructure/applications is given only to the most trusted senior members of staff.
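The deny-by-default, web-only-HTTP(S) and database-only-from-application rules in the list above can be checked mechanically rather than by eye. What follows is an added example, not OnePageCRM's tooling: a Python audit over security-group ingress rules in a simplified shape (group name, tier role, and a list of port ranges with a source that is either a CIDR or an `sg-` reference to another group). The sample groups are constructed for this example and the violations in them are deliberate; the tier names `web`/`app`/`db`, the RFC 1918 private-range list and the message wording are this example's assumptions.

```python
import ipaddress

# Policy derived from the page: only the web tier may accept traffic from public
# networks, and only on 80/443; databases accept connections only from an
# application security group; every rule covers a single service port.
WEB_PORTS = {80, 443}
PUBLIC_OK_ROLES = {"web"}
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]   # assumption: RFC 1918 only


def is_public_source(source: str) -> bool:
    """True when an ingress source is a CIDR that is not inside a private range.
    An `sg-` reference is never public: it names another security group."""
    if source.startswith("sg-"):
        return False
    net = ipaddress.ip_network(source, strict=False)
    return not any(net.subnet_of(r) for r in PRIVATE_RANGES if r.version == net.version)


def audit_security_groups(groups) -> list:
    """Return one finding string per rule that breaks the policy (empty list = clean)."""
    findings = []
    for group in groups:
        name, role = group["name"], group["role"]
        for rule in group["ingress"]:
            lo, hi, src = rule["from_port"], rule["to_port"], rule["source"]
            span = f"{lo}" if lo == hi else f"{lo}-{hi}"
            if role == "db" and not src.startswith("sg-"):
                findings.append(f"{name}: port {span} reachable from {src}; "
                                "database ingress must come from an application security group")
            elif lo != hi:
                findings.append(f"{name}: port range {span} from {src} is wider than a single service port")
            elif is_public_source(src) and role not in PUBLIC_OK_ROLES:
                findings.append(f"{name}: port {span} open to {src} on {role} tier (no public ingress allowed)")
            elif is_public_source(src) and lo not in WEB_PORTS:
                findings.append(f"{name}: port {span} open to {src} (only 80/443 allowed on web tier)")
    return findings


# Constructed sample (not real rules). Four rules are deliberately wrong:
# SSH open to the world on the web tier, an all-ports rule on the app tier,
# and two database rules that do not point at the application security group.
SAMPLE_GROUPS = [
    {"name": "sg-web", "role": "web", "ingress": [
        {"from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
        {"from_port": 80, "to_port": 80, "source": "0.0.0.0/0"},
        {"from_port": 22, "to_port": 22, "source": "0.0.0.0/0"},        # violation
    ]},
    {"name": "sg-app", "role": "app", "ingress": [
        {"from_port": 8080, "to_port": 8080, "source": "sg-web"},
        {"from_port": 0, "to_port": 65535, "source": "10.0.0.0/8"},     # violation
    ]},
    {"name": "sg-db", "role": "db", "ingress": [
        {"from_port": 5432, "to_port": 5432, "source": "sg-app"},
        {"from_port": 5432, "to_port": 5432, "source": "0.0.0.0/0"},    # violation
        {"from_port": 27017, "to_port": 27017, "source": "10.0.1.0/24"},  # violation
    ]},
]

if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS):
        print(finding)
```

The same function can be fed the output of a cloud API once it is mapped into this shape; the policy constants at the top are the part to adapt to a given environment's tiers and ports.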
Data Retention and Deletion
How is customer data backed up?
We back up your data on a nightly basis. All backups are replicated to another AWS region for redundancy and fault tolerance purposes. These backups are stored in a readily recoverable state for a two-week period before being put in cold storage for another 90 days, at which point they are fully deleted.
Can OnePageCRM delete my data/How can I delete my data?
OnePageCRM does not have the ability to delete your account. You may delete your own account by following the instructions here.
Does OnePageCRM keep customer information after termination?
Once your OnePageCRM account has been deleted, it can remain in backups for up to 114 days.
Incident Response and Security Monitoring
Does OnePageCRM have an Incident Response Plan in place?
OnePageCRM’s dedicated security team continuously monitors security systems, event logs, notifications, and alerts from all systems to identify and manage threats.
OnePageCRM has an incident response procedure in place. Incident response training is conducted on a regular basis. The incident response plan is reviewed annually.
All incidents, however minor, including training incidents, are treated with the utmost attention. Suspected incidents are investigated and dealt with by the core security team who follows our Incident Response Plan. All incidents are reviewed and lessons learned are built back into our Response Plans.
The OnePageCRM security team maintains a Disaster Recovery Plan. According to this plan, the recovery time and recovery point depend on the reason for the failure. The plan also outlines the worst case, such as a full database restore from the last daily backup and application redeployment to a new AWS region. In this situation, the recovery point objective (RPO) is the last daily backup and the recovery time objective (RTO) is 6 hours. We maintain over 99.9% uptime for our services. Our application status page can be viewed here.
When and how will I be notified of a suspected breach?
In the event of a breach of security, we will inform you without undue delay and use our best efforts to take all possible measures to neutralize the intrusion and minimize the impact.
We comply with GDPR requirements to report any incidents to our controllers and any affected parties within 72 hours.