Your trust as well as the way we apply and manage our security posture, is at the heart of everything we do. Our commitment to our customers starts with the security and compliance of our services. Delivery of all Oncore services adheres to audited SOC 2 Type 2 practices and controls.
Oncore Security and Privacy teams establish policies and controls, monitor compliance with those controls, and prove our security and compliance to third-party auditors. Our policies are based on the following core foundational principles.
Core Governance
1. All access should be limited to only those with a legitimate business need and granted based on the principle of least privilege. All access is logged and undergoes strict authorization checks.
2. Security controls should be implemented and layered according to the principle of defense-in-depth. Our approach leverages best-of-breed solutions, helping us achieve diversity in our supply chain and technology ecosystem.
3. Security controls should be applied consistently across all areas of the enterprise. Simply put, we take the security and privacy of everything we do seriously and never compromise.
4. The implementation of controls should be iterative, continuously maturing across the dimensions of improved effectiveness, increased auditability, and decreased friction. To that end, we strive for natural integration of our security controls with our workflows. By making interactions with our security controls natural, our teams aren't slowed down or burdened with additional overhead.
Data Protection
At Rest
All datastores with customer data are encrypted at rest. Sensitive collections and tables also use row-level encryption. In addition, all physical storage media in our environment are encrypted. This means that media are only legible and accessible when connected to and accessed from their intended Oncore environment, and data is encrypted before being processed by databases or application services. Outside our secure data centers, it is all random, illegible data.
In Transit
Oncore services use TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks. We also enable features such as HSTS (HTTP Strict Transport Security) to maximize the security of our data in transit.
Secrets / Credentials
Encryption keys are managed within our secure and encrypted vaults. Our vaults use asymmetric keys, ensuring multi-factor authorization for access to credentials and confidential data.
Product and Service Security
Continuous Penetration Testing
Oncore conducts formal penetration testing of our network at least annually, with several unscheduled tests in between. This ensures optimal readiness of our procedures, response and teams.
Ongoing Vulnerability Scanning
Oncore subscribes to ongoing vulnerability scanning of core production infrastructure and systems. In addition to external testing of our network's security controls, vulnerability scanning helps ensure that all operating system, library, and third-party software installed on production systems is routinely tested and benchmarked against known and emerging vulnerability databases.
Enterprise Security
Endpoint
All corporate devices are centrally managed and are equipped with mobile device management software and anti-malware protection. Endpoint security alerts are monitored with 24/7/365 coverage. We use MDM software to enforce secure configuration of endpoints, such as disk encryption, screen lock configuration, and software updates. All engineering and administrative interaction with production and backend systems occurs from trusted, locked-down workstations containing pre-approved tooling.
Secure Remote Access
All remote access to internal resources is over a modern VPN platform built on OpenVPN, with multi-factor authentication and access authorization.
Education
Oncore delivers comprehensive security awareness and training to everyone joining and working with us. All new hires attend orientation and security sessions centered on our key principles and delivery objectives. The Oncore Operations Center continuously monitors all potential threat and attack vectors, updating the team with important security and safety related information requiring special attention and awareness.
Identity and Access Management
Everyone at Oncore uses our Identity and Policy Management system, which aligns access, privileged access and multi-factor authentication policies across all infrastructure and users. We firmly believe in the principle of least privilege and apply elevated access management controls to all tasks requiring it. This ensures any required access elevations are documented and limited.
Data Privacy
Your privacy is and will always be enormously important to us. We do not sell or rent your data to anyone for any purpose, period. Unless you consent to it, where necessary to perform services on your behalf, your data belongs with you.
We may use the information we collect to:
- Communicate with you;
- Fulfill our products and services;
- Improve and enhance development of our products and services.
We may share information with:
- Our service providers, business partners and affiliates;
- Third parties you authorize;
- Other third parties as required by law.
Oncore continuously evaluates updates to regulatory and emerging frameworks, evolving our security and privacy policies and controls accordingly.