Last updated: May 1, 2026
Compliance certifications
SOC 2 Type II (annual audit by an AICPA-accredited firm), HIPAA (BAA available on Enterprise), GDPR/DPA, ISO 27001 (in progress for 2026). Reports available under NDA.
Encryption
AES-256-GCM for all data at rest, including DKIM private keys (sealed in a dedicated key vault). TLS 1.3 for all data in transit. Outbound mail honors recipient domains' MTA-STS policies where supported. DKIM keys never leave the vault; signing happens server-side.
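To make the MTA-STS line concrete, the following is an added example (not the vendor's code) of what a sending MTA checks before it delivers to a recipient domain that publishes a policy: it parses an RFC 8461 policy file, matches the resolved MX host against the policy's mx entries (including the single-label wildcard form), and decides whether delivery may proceed under enforce, testing or none mode. The policy text and host names are constructed sample data; the function names are the example's own.

```python
"""Parse an MTA-STS policy (RFC 8461) and decide whether a sending MTA may
deliver to a resolved MX host. Added illustration; not the vendor's code."""
from dataclasses import dataclass, field
from typing import List

# Constructed sample policy, as a recipient domain would serve it at
# https://mta-sts.<domain>/.well-known/mta-sts.txt
POLICY_TEXT = """version: STSv1
mode: enforce
mx: mx1.example.com
mx: *.mail.example.com
max_age: 604800
"""


@dataclass
class StsPolicy:
    version: str
    mode: str                 # "enforce", "testing" or "none"
    mx: List[str] = field(default_factory=list)
    max_age: int = 0          # seconds the policy may be cached


def parse_policy(text: str) -> StsPolicy:
    """Parse 'key: value' lines; mx may repeat, other keys may not."""
    fields = {}
    mx = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            mx.append(value.lower().rstrip("."))
        elif key in fields:
            raise ValueError(f"duplicate field: {key}")
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("missing or unsupported version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {mode!r}")
    if not fields.get("max_age", "").isdigit():
        raise ValueError("max_age must be a non-negative integer")
    if mode != "none" and not mx:
        raise ValueError("enforce/testing policies need at least one mx")
    return StsPolicy("STSv1", mode, mx, int(fields["max_age"]))


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 mx matching: exact host, or '*.' matching exactly one label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                  # e.g. ".mail.example.com"
        if not host.endswith(suffix):
            return False
        leading = host[: -len(suffix)]
        return leading != "" and "." not in leading
    return host == pattern


def delivery_decision(policy: StsPolicy, mx_host: str, tls_ok: bool) -> str:
    """Return 'deliver', 'deliver-and-report' or 'refuse'.

    tls_ok means STARTTLS succeeded with a certificate valid for mx_host.
    """
    if policy.mode == "none":
        return "deliver"
    mx_ok = any(mx_matches(p, mx_host) for p in policy.mx)
    if tls_ok and mx_ok:
        return "deliver"
    # testing mode: deliver anyway but emit a TLSRPT failure report
    return "deliver-and-report" if policy.mode == "testing" else "refuse"


if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    for host, tls in [("mx1.example.com", True),
                      ("mx1.example.com", False),
                      ("a.mail.example.com", True),
                      ("mx.elsewhere.example", True)]:
        print(f"{host:24} tls_ok={tls!s:5} -> {delivery_decision(policy, host, tls)}")
```

The refusal branch is the point of "enforce": a mismatched MX or a failed TLS handshake is a delivery failure rather than a silent fallback to cleartext, which is what a downgrade or DNS-spoofing attempt would otherwise achieve.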
Network security
Private VPC per region, no public database endpoints, IDS/IPS on every edge node, WAF on every public endpoint, DDoS protection at L3/L4/L7.
Access control
SSO (SAML/OIDC) for customers on Enterprise. SCIM provisioning. MFA required for all internal staff. Least-privilege role-based access. Production access requires two-person approval and is logged.
Penetration testing
Annual third-party pentest of all public-facing infrastructure. Continuous bug bounty program with rewards up to $25,000 for critical findings.
Vulnerability management
Daily vulnerability scans on all images. Critical vulnerabilities patched within 24 hours, high within 7 days, medium within 30 days.
Incident response
24/7 on-call rotation. Severity 1 (SEV-1) incidents engaged within 15 minutes. Customer notification within 1 hour of confirmation. Public post-mortem for any SEV-1 affecting the platform.
Disaster recovery
Active-active across regions. RTO 4 hours, RPO 5 minutes. Tabletop exercises quarterly, live failover drills semi-annually.
Bug reporting
Report vulnerabilities to security@inbox.onesourcesoft.com. PGP key at /.well-known/security.txt. We do not pursue legal action against good-faith researchers.
