Trust

Own Company takes privacy and security very seriously. Our platform was built from the ground up with security in mind utilizing leading information security best practices.

Israel Conflict

Own operations are geographically redundant and designed for resiliency. We have not experienced and do not currently anticipate any significant disruption to our operations as a result of the hostilities in Israel. You may find up-to-date information on any service disruptions at https://status.owndata.com/

The Own security team has evaluated the Fluent Bit Linguistic Lumberjack CVE-2024-4323 for potential impacts. Own has interrogated its catalog of Fluent Bit usage across the organization and identified vulnerable version(s). The existing Fluent Bit deployments have compensating controls in place that negate the impact of CVE-2024-4323 and bring this into the High risk category. Own is evaluating if additional controls are warranted to further reduce potential risk.

Vulnerable versions will be mitigated and patched in accordance with the Own Vulnerability & Patch Management policy.

Compliance

Own implements best practices and industry standards to achieve compliance with numerous leading information security certifications and authorizations. View our technical and regulatory certifications below.

SOC 2 Type 2

Own receives an annual SSAE 18 SOC 2 Type II attestation report to provide assurance to our customers and partners that Own uses secure systems and processes to protect their data.

Own's latest SOC 2 Type II report is available upon request under NDA.

SOC 1 Type 2

Own receives a SSAE 21 SOC 1 Type II attestation report to provide assurance to our customers and partners that Own implements effective internal controls over financial reporting.

Own's latest SOC 1 Type II report is available upon request under NDA.

FedRAMP Authorized

Own achieved FedRAMP authorization for its Own Government Cloud solution. With this authorization, Own is now listed on the FedRAMP Marketplace, and is eligible to provide data protection services to all U.S. Federal Government customers.

ISO

Own is ISO 27001:2013 and ISO 27701:2019 certified, demonstrating Own has implemented best-practice information security and privacy processes to securely provide services to our customers.

ISO 27001:2013 Certificate

Information Security Management System (ISMS). Download here.

ISO 27701:2019 Certificate

Privacy Information Management System (PIMS). Download here.

Hébergeur de Données de Santé (HDS)

The HDS certification requires cloud service providers that host personal data governed by French laws to implement strong security measures to protect health data.

Own's HDS certification demonstrates our commitment to securing and protecting the confidentiality of personal health data.

Additional information on Own’s HDS program can be found here.

HDS Certification (English)

HDS Certification (French)

Cyber Essentials UK

Own is Cyber Essentials certified to comply with UK government requirements for implementing the Cyber Essentials Scheme of security controls, supporting our UK government clients that handle personal information.

Own's Cyber Essentials certification can be downloaded here.

EU General Data Protection Regulation (GDPR)

If you are capturing and storing personal information of European citizens, your company may be held liable under the GDPR, an EU data protection and privacy regulation. Own products are designed to support our customers' compliance obligations under data privacy regulations, including GDPR requirements.

More information on Own’s GDPR compliance capabilities can be found here.

Data Privacy Framework

Own is registered under the EU-U.S. Data Privacy Framework (EU-U.S. DPF), UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF, demonstrating adequate data protection controls are implemented for cross-border transfers of personal data in compliance with EU law.

Own’s EU-U.S. DPF, Swiss-U.S. DPF and UK Extension to the EU-U.S. DPF registration details can be found here.

Health Insurance Portability and Accountability Act (HIPAA) / Health Information Technology for Economic and Clinical Health (HITECH)

To support the compliance programs for our Healthcare clients, Own extended the SOC 2 Type 2 audit scope to include applicable HIPAA/HITECH controls to demonstrate adequate safeguards are in place to protect healthcare data. Own’s latest HIPAA/HITECH report is available upon request under NDA.

Quality Management System (QMS)

Own’s QMS ensures our products are designed, developed, and maintained using industry-leading infrastructure, processes, and tools to deliver the highest levels of quality and ensure security of the product environment storing our customer’s data.

Own mapped our QMS against applicable 21 CFR Part 11 (“GxP”) and EudraLex Volume 4, Annex 11 (“GMP”) controls to externally validated controls within our ISO 27001 certification and SOC 2 Type II report to support the compliance program of our Life Sciences clients.

Additional information on Own’s support for GxP and GMP compliance can be found here.

Professional Membership

Information Systems Audit and Control Association (ISACA)

Own security personnel are part of the ISACA network, one of the world’s largest global organizations for information security professionals, and frequently participate in knowledge sharing to provide insight into emerging security threats and help advance the security field.

International Information System Security Certification Consortium (ISC2)

Own security personnel hold numerous ISC2 security certifications, including the Certified Information System Security Professional (CISSP), and are active members in the ISC2 community. ISC2 is a leading organization specializing in training and certifications for cybersecurity professionals.

New Jersey Cybersecurity and Communications Integration Cell (NJCCIC)

Own is a member of the NJCCIC and receives cyber alerts and advisories, cyber tips and best practices for managing cyber risk. The NJCCIC provides members with cyber information sharing, cyber threat analysis, and incident reporting services to promote statewide awareness of cyber threats and adoption of best practices.

Security

Own is committed to protecting our clients when it comes to privacy and security. Our world-class secure data operations platform was built from the ground up utilizing leading information security best practices.

For details on our security controls download our security controls document.

Hosting

Own instances and storage are available on both AWS and Azure. The service is hosted on the AWS cloud platform in the USA, Canada, UK, the European Union, and Australia. On Azure, the service is hosted in the USA, Canada, European Union, and Australia.

Azure and AWS are top-tier, secure facilities that hold the following accreditations: SOC1 – SSAE-16, SOC2, PCI DSS Level 1, ISO 27001, HIPAA, FIPS 140-2, and more. These data centers are protected by the strictest security controls and physical access to the servers is restricted to authorized personnel only.

Own’s services run on our own VPC (Virtual Private Cloud) inside AWS or an Azure Virtual Network inside Azure in order to further isolate our networks in accordance with network and security best practices.

Enterprise-Grade Security

Own is a Salesforce.com authorized ISVForce partner and undergoes annual security assessments from salesforce.com in order to maintain this status.

Own’s security features ensure that data is always encrypted, both in transit and at rest. TLS 1.2 is used on every page so that all traffic to and from the website is encrypted. At rest, the Own platform uses AES 256-bit encryption, and the widely adopted OAuth authentication protocol ensures that customer passwords are never stored on our servers.

Disaster Recovery

Own’s backup policies and procedures outline the different critical resources that are automatically backed up. All production data is backed up automatically twice a day onto a separate infrastructure, and application-level exports are performed on our various tools and databases.

Own uses CSP object storage to store encrypted customer data across multiple availability zones. For customer data stored on object storage, Own uses object versioning with automatic aging to support compliance with Own’s disaster recovery and backup policies. For these objects, Own’s systems are designed to support a recovery point objective (RPO) of 0 hours (that is, the ability to restore to any version of any object as it existed in the prior 14-day period).

Any required recovery of a compute instance is accomplished by rebuilding the instance based on Own’s configuration management automation.

Own's Disaster Recovery Plan is designed to ensure the continuation of vital business processes in the event of a disaster and supports a 4-hour recovery time objective (RTO). The DRP is exercised twice a year to measure recovery effectiveness.

Audits and Certifications

Own products are certified under ISO/IEC 27001:2013 (Information Security Management System) and ISO/IEC 27701:2019 (Privacy Information Management System).

Own undergoes annual SOC2 Type II audits under SSAE-18 to independently verify the effectiveness of its information security practices, policies, procedures, and operations for the following Trust Services Criteria: Security, Availability, Confidentiality, and Processing Integrity.

Own utilizes global CSP regions for its product computing and storage. AWS and Azure have several accreditations, including SOC1 - SSAE-18, SOC2, SOC3, ISO 27001, and HIPAA.

Web Application Security Controls

Customer access is performed only via HTTPS (TLS 1.2+), establishing the encryption of the data in transit between the end-user and the application and between Own and the third-party data source (e.g., Salesforce).

Customer administrators can provision and deprovision users and associated access as necessary.

Role-based access controls enable customers to manage multi-org permissions.

Customer administrators can access audit trails including username, action, timestamp, and source IP address fields. Audit logs can be viewed and exported by the customer’s administrator logged into the product, as well as through the Own API.

Access to Own products can be restricted by source IP address.

Customers can enable multi-factor authentication for accessing Own accounts utilizing time-based one-time passwords.

Customers can enable single sign-on via SAML 2.0 identity providers.

Customers can enable customizable password policies to help align Own passwords to corporate policies.

Monitoring and Auditing

Own systems and networks are monitored for security incidents, system health, network abnormalities, and availability.

An intrusion detection system (IDS) is used to monitor network activity and alert Own of suspicious behavior.

Web application firewalls (WAFs) are used for all public web services.

Own logs application, network, user, and operating system events to a local syslog server and a region-specific SIEM. These logs are automatically analyzed and reviewed for suspicious activity and threats. Any anomalies are escalated as appropriate.

Own utilizes security information and event management (SIEM) systems providing continuous security analysis of the networks and security environment, user anomaly alerting, command and control (C&C) attack reconnaissance, automated threat detection, and reporting of indicators of compromise (IOC). All of these capabilities are administered by Own’s security and operations staff.

Own’s incident response team monitors the security@owndata.com alias and responds according to the company’s Incident Response Plan (IRP) when appropriate.

Account Isolation

Linux sandboxing is used to isolate customer accounts’ data during processing, helping to ensure that any anomaly (for example, due to a security issue or a software bug) remains confined to a single Own account.

Tenant data access is controlled through unique IAM users with data tagging that disallows unauthorized users from accessing the tenant data.

Vulnerability Management

Own performs periodic web application vulnerability assessments, static code analysis, and external dynamic assessments as part of its continuous monitoring program to help ensure application security controls are properly applied and operating effectively.

On a semi-annual basis, Own hires independent third-party penetration testers to perform both network and web vulnerability assessments. The scope of these external audits includes compliance against the Open Web Application Security Project (OWASP) Top 10 Web Vulnerabilities (www.owasp.org).

Vulnerability assessment results are incorporated into the Own software development lifecycle (SDLC) to remediate identified vulnerabilities. Specific vulnerabilities are prioritized and entered into the Own internal ticket system for tracking through resolution.

Incident Response

In the event of a potential security breach, the Own Incident Response Team will perform an assessment of the situation and develop appropriate mitigation strategies. If a potential breach is confirmed, Own will immediately act to mitigate the breach and preserve forensic evidence and will notify impacted customers’ primary points of contact without undue delay to brief them on the situation and provide resolution status updates.

Dedicated Security Team

Own has a dedicated security team with over 100 years of combined multi-faceted information security experience. Additionally, the team members maintain a number of industry-recognized certifications, including but not limited to CISM, CISSP, and ISO 27001 Lead Auditors.

Privacy and Data Protection

Own provides native support for data subject access requests, such as the right to erasure (right to be forgotten) and anonymization, to support compliance with data privacy regulations, including the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). Own also provides a Data Processing Addendum to address privacy and data protection laws, including legal requirements for international data transfers.

Background Checks

Own performs criminal background checks of its personnel who may have access to customers’ data, based on the employee’s jurisdictions of residence during the prior seven years, subject to applicable law.

Network

Own products utilize CSP network controls to restrict network ingress and egress.

Stateful security groups are employed to limit network ingress and egress to authorized endpoints.

A multi-tier network architecture is used, including multiple, logically separated Amazon Virtual Private Clouds (VPCs) or Azure Virtual Networks (VNets), leveraging private zones, DMZs, and untrusted zones within the CSP infrastructure.

In AWS, VPC S3 endpoint restrictions are used in each region to permit access only from the authorized VPCs.

Encryption

Own offers the following options for encryption of data at rest:

Standard Offering

  • Data is encrypted using AES-256 server-side encryption via a key management system validated under FIPS 140-2.
  • Envelope encryption is utilized such that the master key never leaves the Hardware Security Module (HSM).
  • Encryption keys are rotated no less than every two years.

Bring Your Own Key (BYOK)

  • Data is encrypted in a dedicated object storage container with a customer-provided master encryption key (CMK).
  • BYOK allows for future archiving of the key and rotating it with another master encryption key.
  • The customer can revoke master encryption keys, resulting in the immediate inaccessibility of the data.

Bring Your Own Key Management System (BYOKMS) for AWS users or Bring Your Own Key Vault (BYOKV) for Azure users

  • Encryption keys are created in the customer’s own, separately purchased account utilizing AWS KMS or Azure Key Vault.
  • The customer defines the encryption key policy that permits the customer’s SaaS Service account on AWS or Azure to access the key from the customer's own AWS KMS or Azure Key Vault.
  • Data is encrypted in a dedicated object storage container managed by Own and configured to use the customer’s encryption key.
  • The customer may instantly revoke access to the encrypted data by revoking Own’s access to the encryption key, without interacting with Own.
  • Own employees have no access to the encryption keys at any time and do not access the KMS/Key Vault directly.
  • All key usage activities are logged in the customer’s KMS/Key Vault, including key retrieval by the dedicated object storage.
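As an added illustration of the BYOKMS arrangement described above (this is not Own's policy, which the page does not publish), the AWS KMS key policy below has the shape the customer would attach to their own key: the first statement keeps full administration of the key in the customer's account, the second lets a SaaS provider's account use the key only through S3 in one region, and deleting that second statement is the revocation step that makes the stored data unreadable without any action by the provider. The two account IDs and the region are placeholders.

```json
{
  "Version": "2012-10-17",
  "Id": "byokms-customer-managed-key-policy",
  "Statement": [
    {
      "Sid": "CustomerRetainsFullKeyAdministration",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111111111111:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowSaaSProviderAccountToUseKeyViaS3Only",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::222222222222:root" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:ViaService": "s3.us-east-1.amazonaws.com" }
      }
    }
  ]
}
```

The grant names only the provider's account (no human principal), and the `kms:ViaService` condition confines use to the object storage service, so no interactive caller in the provider's account can use the key directly; every Decrypt and GenerateDataKey call is recorded in the customer's own CloudTrail, which is the audit trail the last bullet refers to.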

For data in transit, traffic between Own and Salesforce APIs is sent over HTTPS utilizing TLS 1.2+ and OAuth 2.0.
