onPhase Forms latest - This documentation is for onPhase Forms v11.3. Not for you? Earlier documentation is available too.
Security and Governance
onPhase Forms employs a multi-layered approach to security, access control, and application governance. This broadly includes application-level security features as well as the security and policies applied to our cloud-based solution.
onPhase’s Information Security team ("Infosec") is committed to protecting onPhase’s customers, directors, officers, employees, contractors, and the company from illegal or damaging actions by individuals. Infosec has issued this Information Security Policy (this "Policy") to further this objective.
This Policy generally aligns with many of the information security management systems standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as more specifically set forth in ISO 27001 and 27002. Implementing this Policy will therefore help onPhase comply with various aspects of such international data security standards.
This Policy encompasses all aspects of security surrounding confidential company information and must be distributed to anyone with access to this information. All individuals with access to confidential company information must read this document in its entirety. This document will be reviewed and updated by Top Management and Infosec on an annual basis, or when relevant, to incorporate newly developed security standards into the Policy, and will be distributed to all employees and outsourced resources as applicable.
Effective security is a team effort involving the participation and support of everyone who handles onPhase information and information systems.
- 1 People and Policies
- 2 Software
- 2.1 onPhase Forms Application Security
- 2.1.1 Access and Authentication
- 2.1.2 Authorization
- 2.1.3 Design Time
- 2.1.4 End-User/Run Time
- 2.1.5 Accountability
- 2.1.6 Integration
- 2.2 Cloud Security
- 2.2.1 Secure Data Centers
- 2.2.2 Secure Data Storage
- 2.2.3 Secure Data Transfers
- 2.2.4 Secure Network
- 2.2.5 Encryption
- 2.2.6 Backups
People and Policies
Security Policies
We centralize all our EC2 security across accounts using standard IAM policies.
We implement fine-grained security controls and follow the principles of least privilege and need to know.
Multi-factor authentication is required for all AWS account access.
For details on our security policies, security score, and audit results, please email support@onphase.com and ask for an invitation to our UpGuard Cyber Risk trust page. You will be prompted to sign a non-disclosure agreement and then you will receive access to further details and documentation.
Software
onPhase Forms Application Security
Access and Authentication
Default security provider with password salt and hashing.
Security provider integration with/delegation to third parties, including SAML 2.0/SSO and LDAP/AD for centralized security.
Access may be monitored and revoked.
Password minimum length requirement and ability to set strength requirement per tenant.
Authorization
Design Time
Forms/Workflows are owned by a designer who can administer access.
Workflow administration may be granted to any other user/role to give full access to the audit trail and the ability to modify/abort running instances.
Read-only access to a workflow instance’s audit trail may be granted to all participants or to a custom set of users/roles.
Other users may be granted the publisher role allowing them to administer form/workflow access and deploy to production.
Only the designer/owner or publisher may deploy the form/workflow to production.
End-User/Run Time
The designer/owner of a form/workflow may designate who may use the form/workflow with options for:
- Anyone (login not required)
- Authenticated Users (login required)
- Designer/Owner Only
- Custom set of users or roles only
The designer/owner of a form/workflow may designate a user(s)/role(s) who may view individual submissions or may edit individual submissions.
Accountability
All workflow activity is logged to an audit trail with access controlled by the designer/owner.
All system access/authentication events are logged.
Integration
Secure integration with third-party cloud services. Support for OAuth tokens and specification of service credentials at the tenant and service level where applicable.
Cloud Security
We understand that your data is essential to your business operations and to our own success. We use a multi-layered approach to secure your information, constantly monitoring and improving our processes, services, and systems.
Secure Data Centers
Our cloud services are deployed on Amazon Web Services (AWS) infrastructure.
AWS provides us with first-class data centers that are designed and managed in alignment with security best practices and a variety of IT security standards, including SOC 1/ISAE 3402, SOC 2, SOC 3, FISMA, DIACAP, FedRAMP, PCI DSS Level 1, ISO 9001, ISO 27001, ISO 27017, ISO 27018.
Production servers reside in a number of availability zones in AWS's Northern Virginia region (us-east-1).
Backups and redundant servers are located in AWS's Oregon region (us-west-2) for disaster recovery purposes.
We do not replicate our servers internationally.
We do not operate in AWS's GovCloud region.
Secure Data Storage
All our data at rest, including our databases, backups, read replicas and snapshots, are encrypted before being stored.
Since we leverage Amazon's Relational Database Service (RDS), our employees have no direct access to the actual database servers, which are fully managed by AWS.
Secure Data Transfers
Connection to our environment is done via TLS cryptographic protocols, ensuring that our users have a secure connection from their browsers to our services.
Individual user sessions are uniquely identified and verified on each transaction using a unique token created at login.
Secure Network
Our servers are deployed in a secure Virtual Private Cloud (VPC) network divided into a public and a private subnet.
All server processing and data storage takes place in private subnets with no direct access to the Internet.
We also have strict firewall policies between the public and private subnets, making sure that traffic can flow only in specific directions to and from specific ports, including between the application and database tiers.
All traffic flowing out from our VPC goes through NAT instances which protect internal IP addresses from external hosts.
Access to internal servers is logged and managed by AWS Systems Manager/Session Manager, and sessions are encrypted using AWS Key Management Service (KMS).
Our servers receive daily security patches to make sure they remain secure from new exploits.
Encryption
All data and app access are encrypted via TLS (encryption in motion).
All data at rest is encrypted (AES 256).
All passwords are salted and hashed.
Backups
Backups are encrypted and performed daily, and remain available for up to 35 days.