Security is our highest priority at Oslash. We have developed a thorough set of practices and policies to help ensure your data is always safe and secure.
Vulnerability Assessment and Penetration Testing
• We have an in-house security team which uses industry leading practices and tools to conduct manual and automated security assessments.
• We employ both static application security testing and dynamic application security testing which is incorporated into our continuous integration / continuous deployment pipeline.
• We will leverage CERT-IN certified auditors to do periodic external testing and audits.
• Our developers are trained with specific attention towards security. Our automated and manual code review processes look for any code that could potentially violate security policies. We have also instituted a standardized security stack that complies with software composition analysis tools.
• We also have an internal SLA that stipulates deadlines for fixing vulnerabilities.
• We extensively track key activities related but not limited to billing, security, access, and team management with audit logs.
• Data encryption - We use strong encryption standards to protect data both in transit between Oslash clients and the cloud and at rest in the production network.
• Data in transit - All interactions use TLS with 2048-bit digital signatures, 128-bit AES encryption, and the latest recommended secure cipher suites.
• Data at rest - Depending on its sensitivity classification, customer data is also AES-256-GCM encrypted on the server-side before storage.
• All customer data is stored in databases on Amazon RDS, which are configured securely. Data is stored with at least dual redundancy, with 15-day backups, and is accessible only within the private cloud. We have also instituted per-service access protection and isolation of data.
• We maintain all internal testing and validation data in a production-stack equivalent internal stack populated with fictitious data. We do not distribute actual customer data for internal testing or validation purposes.
• We strongly encourage and recommend using variable links feature for any data like authentication tokens and secrets that users do not want to be synced to Oslash servers.
• We have set up a role-based access process to govern access to any customer data required for customer support (or otherwise). This process is audited and recorded and includes a human arbitration done by a core team. Consisting of the founders and VP of Engineering, This team validates the requirement hypothesis and ensures data is obfuscated and sanitized before communicating back to customer support or engineering. Customer data classified as sensitive is not accessible by any party except the customer.
• We at Oslash are committed to our user's data and privacy.
• We blend security at multiple steps within our products with state of the art technology to ensure our systems maintain strong security measures.
• The overall data and privacy security design allow us to defend our systems from various attacks.
• If you are a security enthusiast or a researcher and you have found a possible security vulnerability on Oslash platform, we encourage you to report the issue to us responsibly
• You can submit a bug report to us at [email protected] with detailed steps required to reproduce the vulnerability
• We shall put the best of our efforts to investigate and fix the legitimate issues in a reasonable time frame, meanwhile, you must not disclose it publicly.
Incident and Change Management
• We have deployed mature processes around Change Management which enables us to release thoroughly tested features for you both reliably and securely enabling you to enjoy the Oslash experience with maximum assurance and security.
• We have a very aggressive stance on Incident Management on both Systems downtime and Security and Network Operations Center and an Information Security Management System in place which quickly reacts, remediates or escalates any Incidents arising out of planned or unplanned changes.
• Oslash will never rent or sell your information or data to anyone. We never use or transfer your data for serving ads, including retargeting, personalized, or interest-based advertising.
• We will never provide any part of your information to anyone unless explicitly agreed by you.
• To manage employee access, we have implemented an audited security policy (IAM) that includes access control, a secure password policy, BYOD policies, and secure network access following zero trust network policies wherever applicable.
• All internal services require single sign-on, with enforced MFA.
• All SSH-based access has a mandatory key-file driven policy that requires storing keys securely, rotating them frequently, and logging all access to them.
Attack Prevention and Mitigation
• We make use of advanced web application firewall protection on our load balancers which, along with the elastic scaling capacity of our cloud, mitigate attacks at the application layer.
Compliance and Regulations - Infrastructure Security
• We contract our digital hardware to cloud vendors that adhere to the applicable data regulations and compliances. Our infrastructure runs on data centers provided by Amazon Web Services (AWS), which is SOC2 and PCI Level 1 certified among others. AWS, as a platform provider, has a number of security and privacy focussed features, which we leverage wherever applicable.Our servers run on stable, regularly patched, versions of Amazon Linux with carefully configured security groups, isolated VPC environments with well-defined network segmentation, role-based access control, and advanced web application firewall protection.