Security

Security is a top priority at Onit.

We've implemented some of the most advanced technology to make collaborating on projects secure and accessible only to authorized participants.

At Onit, we strive to provide a highly secure service. Our data is secured using bank-grade 256-bit Secure Sockets Layer (SSL) encryption and is stored in an enterprise-class, secured hosting environment that is backed up daily. All data within Onit remains the property of the project owner and cannot be accessed by any other user.

Here are some additional security measures we have taken to ensure your data is protected in Onit.

Physical Security

  • SSAE-16 Type II SOC II datacenter (hosted at Rackspace)
  • Dedicated servers
  • Redundant power connections with standby generators
  • Multiple redundant network connections
  • Biometric scanning for controlled data center access
  • Physical security audited by an independent firm
  • 24/7 video monitoring

Application Security

  • Custom-hardened Unix kernels
  • Managed virtual private cloud
  • Managed continuous firewall monitoring

Policies and Procedures

  • By policy, employees are prohibited from accessing private data
  • Onit claims no ownership of your data
  • 24/7 monitoring and escalation
  • All users must be verified by email

System Security

  • System installation using hardened, patched OS
  • System patching configured to provide ongoing protection from exploits
  • Dedicated firewall and VPN services to help block unauthorized system access
  • Data protection with managed backup solutions
  • Distributed Denial of Service (DDoS) mitigation services

Operational Security

  • ISO 17799-based policies and procedures, regularly reviewed as part of the SAS 70 Type II audit process
  • Encryption for all administrative traffic (HTTPS, SFTP, SSH)
  • Encryption for all customer traffic (HTTPS)
  • Datacenter employees trained on documented information security and privacy procedures
  • Access to confidential information restricted to authorized personnel only, according to documented processes
  • Systems access logged and tracked for auditing purposes
  • Secure document-destruction policies for all sensitive information
  • Fully documented change-management procedures
  • Independently audited disaster recovery and business continuity plans