Own Company takes privacy and security very seriously. Our platform was built from the ground up with security in mind utilizing leading information security best practices.
Own is not affected by the global issue caused by the CrowdStrike Falcon update that is affecting Microsoft Windows Services. Own does not utilize this combination in the delivery or support of its production environments.
The Own security team evaluated the regreSSHion CVE-2024-6387 for potential impacts and acted quickly to patch any systems affected by the regreSSHion CVE. All systems were immediately mitigated/safeguarded and patched as soon as patches became available. Patching will continue for any remaining systems as further patches become available. In the interim, all remaining affected systems have been otherwise mitigated/safeguarded.
Own operations are geographically redundant and designed for resiliency. We have not experienced and do not currently anticipate any significant disruption to our operations as a result of the hostilities in Israel. You may find up-to-date information on any service disruptions at https://status.owndata.com/
Own implements best practices and industry standards to achieve compliance with numerous leading information security certifications and authorizations. View our technical and regulatory certifications below.
Own receives an annual SSAE 18 SOC 2 Type II attestation report to provide assurance to our customers and partners that Own uses secure systems and processes to protect their data.
Own's latest SOC 2 Type II report is available upon request under NDA.
Own receives an SSAE 21 SOC 1 Type II attestation report to provide assurance to our customers and partners that Own implements effective internal controls over financial reporting.
Own's latest SOC 1 Type II report is available upon request under NDA.
Own achieved FedRAMP authorization for its Own Government Cloud solution. With this authorization, Own is now listed on the FedRAMP Marketplace and is eligible to provide data protection services to all U.S. Federal Government customers.
Own is ISO 27001:2013 and ISO 27701:2019 certified, demonstrating Own has implemented best-practice information security and privacy processes to securely provide services to our customers.
The HDS certification requires cloud service providers that host personal data governed by French laws to implement strong security measures to protect health data.
Own's HDS certification demonstrates our commitment to securing and protecting the confidentiality of personal health data.
Additional information on Own’s HDS program can be found here.
Own is Cyber Essentials certified to comply with UK government requirements for implementing the Cyber Essentials Scheme of security controls to support our UK government clients that handle personal information.
Own's Cyber Essentials certification can be downloaded here.
If you are capturing and storing personal information of European citizens, your company may be held liable under the GDPR, an EU data protection and privacy regulation. Own products are designed to support our customers' compliance obligations under data privacy regulations, including GDPR requirements.
More information on Own’s GDPR compliance capabilities can be found here.
Own is registered under the EU-U.S. Data Privacy Framework (EU-U.S. DPF), UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF, demonstrating adequate data protection controls are implemented for cross-border transfers of personal data in compliance with EU law.
Own’s EU-U.S. DPF, Swiss-U.S. DPF and UK Extension to the EU-U.S. DPF registration details can be found here.
To support the compliance programs of our Healthcare clients, Own extended the SOC 2 Type II audit scope to include applicable HIPAA/HITECH controls to demonstrate adequate safeguards are in place to protect healthcare data. Own’s latest HIPAA/HITECH report is available upon request under NDA.
Own’s QMS ensures our products are designed, developed, and maintained using industry-leading infrastructure, processes, and tools to deliver the highest levels of quality and ensure the security of the product environment storing our customers’ data.
Own mapped the applicable 21 CFR Part 11 (“GxP”) and EudraLex Volume 4, Annex 11 (“GmP”) controls in our QMS to the externally validated controls within our ISO 27001 certification and SOC 2 Type II report, supporting the compliance programs of our Life Sciences clients.
Additional information for Own’s support for GxP and GmP compliance can be found here.
Our customers trust us with their most valuable asset: their data. We don’t take that responsibility lightly, which is why we are always looking to enhance our commitment to security. Built upon existing Cloud Security Alliance programs, the Trusted Cloud Provider program demonstrates an organization’s commitment to holistic security and serves as a reference point for customers looking to identify cloud providers aligned with their security requirements.
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products.
Own security personnel are part of the ISACA network, one of the world’s largest global organizations for information security professionals, and frequently participate in knowledge sharing to provide insight into emerging security threats and help advance the security field.
Own security personnel hold numerous ISC2 security certifications, including the Certified Information System Security Professional (CISSP), and are active members in the ISC2 community. ISC2 is a leading organization specializing in training and certifications for cybersecurity professionals.
Own is a member of the NJCCIC and receives cyber alerts and advisories, cyber tips and best practices for managing cyber risk. The NJCCIC provides members with cyber information sharing, cyber threat analysis, and incident reporting services to promote statewide awareness of cyber threats and adoption of best practices.
Own is committed to protecting our clients when it comes to privacy and security. Our world-class secure data operations platform was built from the ground up utilizing leading information security best practices.
For details on our security controls download our security controls document.
Visit the Own Security Portal for additional information.
Own instances and storage are available on both AWS and Azure. The service is hosted on the AWS cloud platform in the USA, Canada, UK, the European Union, and Australia. On Azure, the service is hosted in the USA, Canada, European Union, and Australia.
Azure and AWS are top-tier, secure facilities that hold the following accreditations: SOC1 – SSAE-16, SOC2, PCI DSS Level 1, ISO 27001, HIPAA, FIPS 140-2, and more. These data centers are protected by the strictest security controls and physical access to the servers is restricted to authorized personnel only.
Own’s services run on our own VPC (Virtual Private Cloud) inside AWS or an Azure Virtual Network inside Azure in order to further isolate our networks in accordance with network and security best practices.
Own is a Salesforce.com authorized ISVForce partner and undergoes annual security assessments from salesforce.com in order to maintain this status.
Own’s security features ensure that data is always encrypted, both in transit and at rest. Our state-of-the-art security measures include TLS 1.2 on every page to ensure all traffic to and from the website is always encrypted. Additionally, at rest, the Own platform uses AES-256 encryption, and the community-adopted OAuth authentication protocol ensures passwords are never stored on our servers.
Own’s backup policies and procedures outline the different critical resources that are automatically backed up. All production data is backed up automatically twice a day onto a separate infrastructure, and application-level exports are performed on our various tools and databases.
Own uses CSP object storage to store encrypted customer data across multiple availability zones. For customer data stored on object storage, Own uses object versioning with automatic aging to support compliance with Own’s disaster recovery and backup policies. For these objects, Own’s systems are designed to support a recovery point objective (RPO) of 0 hours (that is, the ability to restore to any version of any object as it existed in the prior 14-day period).
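As an added illustration (not Own’s own configuration), the following S3 lifecycle rule expresses the versioned-storage-with-14-day-aging model described above. The rule ID is an assumed placeholder, and the bucket must already have versioning enabled for noncurrent-version rules to have any effect.

```json
{
  "Rules": [
    {
      "ID": "example-keep-noncurrent-versions-14-days",
      "Status": "Enabled",
      "Filter": { "Prefix": "" },
      "NoncurrentVersionExpiration": { "NoncurrentDays": 14 },
      "Expiration": { "ExpiredObjectDeleteMarker": true },
      "AbortIncompleteMultipartUpload": { "DaysAfterInitiation": 7 }
    }
  ]
}
```

With versioning on, an overwrite or delete creates a new version or a delete marker instead of destroying the previous bytes, which is what makes restoring any object to its state at any point in the window possible. Note that the NoncurrentDays clock starts when a version stops being current, not when it was written, so the retained history per object is at least 14 days rather than exactly 14 days.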
Any required recovery of a compute instance is accomplished by rebuilding the instance based on Own’s configuration management automation.
Own's Disaster Recovery Plan is designed to ensure the continuation of vital business processes in the event of a disaster and supports a 4-hour recovery time objective (RTO). The DRP is exercised twice a year to measure recovery effectiveness.
Own products are certified under ISO/IEC 27001:2013 (Information Security Management System) and ISO/IEC 27701:2019 (Privacy Information Management System).
Own undergoes annual SOC 2 Type II audits under SSAE-18 to independently verify the effectiveness of its information security practices, policies, procedures, and operations for the following Trust Services Criteria: Security, Availability, Confidentiality, and Processing Integrity.
Own utilizes global CSP regions for its product computing and storage. AWS and Azure have several accreditations, including SOC1 - SSAE-18, SOC2, SOC3, ISO 27001, and HIPAA.
Customer access is performed only via HTTPS (TLS 1.2+), establishing the encryption of the data in transit between the end user and the application and between Own and the third-party data source (e.g., Salesforce).
Customer administrators can provision and deprovision users and associated access as necessary.
Role-based access controls enable customers to manage multi-org permissions.
Customer administrators can access audit trails including username, action, timestamp, and source IP address fields. Audit logs can be viewed and exported by the customer’s administrator logged into the product, as well as through the Own API.
Access to Own products can be restricted by source IP address.
Customers can enable multi-factor authentication for accessing Own accounts utilizing time-based one-time passwords.
Customers can enable single sign-on via SAML 2.0 identity providers.
Customers can enable customizable password policies to help align Own passwords to corporate policies.
Own systems and networks are monitored for security incidents, system health, network abnormalities, and availability.
An intrusion detection system (IDS) is used to monitor network activity and alert Own of suspicious behavior.
Web application firewalls (WAFs) are used for all public web services.
Own logs application, network, user, and operating system events to a local syslog server and a region-specific SIEM. These logs are automatically analyzed and reviewed for suspicious activity and threats. Any anomalies are escalated as appropriate.
Own utilizes security information and event management (SIEM) systems providing continuous security analysis of the networks and security environment, user anomaly alerting, command and control (C&C) attack reconnaissance, automated threat detection, and reporting of indicators of compromise (IOC). All of these capabilities are administered by Own’s security and operations staff.
Own’s incident response team monitors the security@owndata.com alias and responds according to the company’s Incident Response Plan (IRP) when appropriate.
Linux sandboxing is used to isolate customer accounts’ data during processing, helping to ensure that any anomaly (for example, due to a security issue or a software bug) remains confined to a single Own account.
Tenant data access is controlled through unique IAM users with data tagging that disallows unauthorized users from accessing the tenant data.
Own performs periodic web application vulnerability assessments, static code analysis, and external dynamic assessments as part of its continuous monitoring program to help ensure application security controls are properly applied and operating effectively.
On a semi-annual basis, Own hires independent third-party penetration testers to perform both network and web vulnerability assessments. The scope of these external audits includes compliance against the Open Web Application Security Project (OWASP) Top 10 Web Vulnerabilities (www.owasp.org).
Vulnerability assessment results are incorporated into the Own software development lifecycle (SDLC) to remediate identified vulnerabilities. Specific vulnerabilities are prioritized and entered into the Own internal ticket system for tracking through resolution.
In the event of a potential security breach, the Own Incident Response Team will perform an assessment of the situation and develop appropriate mitigation strategies. If a potential breach is confirmed, Own will immediately act to mitigate the breach and preserve forensic evidence and will notify impacted customers’ primary points of contact without undue delay to brief them on the situation and provide resolution status updates.
Own has a dedicated security team with over 100 years of combined multi-faceted information security experience. Additionally, the team members maintain a number of industry-recognized certifications, including but not limited to CISM, CISSP, and ISO 27001 Lead Auditors.
Own provides native support for data subject access requests, such as the right to erasure (right to be forgotten) and anonymization, to support compliance with data privacy regulations, including the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). Own also provides a Data Processing Addendum to address privacy and data protection laws, including legal requirements for international data transfers.
Own performs criminal background checks of its personnel who may have access to customers’ data, based on the employee’s jurisdictions of residence during the prior seven years, subject to applicable law.
Own products utilize CSP network controls to restrict network ingress and egress.
Stateful security groups are employed to limit network ingress and egress to authorized endpoints.
A multi-tier network architecture is used, including multiple, logically separated Amazon Virtual Private Clouds (VPCs) or Azure Virtual Networks (VNets), leveraging private, DMZ, and untrusted zones within the CSP infrastructure.
In AWS, VPC S3 Endpoint restrictions are used in each region to permit access only from the authorized VPCs.
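The tenant-isolation control (unique IAM users matched against data tags) and the VPC endpoint restriction above can both be expressed in one S3 bucket policy. The following is an added example, not Own’s policy: the bucket name, account ID, IAM user name, VPC IDs and the tag key `tenant` are assumed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsFromOutsideAuthorizedVpcs",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-tenant-data",
        "arn:aws:s3:::example-tenant-data/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpc": ["vpc-0123456789EXAMPLE", "vpc-abcdef0123EXAMPLE"]
        }
      }
    },
    {
      "Sid": "AllowReadsOnlyWhenObjectTagMatchesCallerTenant",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:user/example-tenant-processor" },
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": "arn:aws:s3:::example-tenant-data/*",
      "Condition": {
        "StringEquals": { "s3:ExistingObjectTag/tenant": "${aws:PrincipalTag/tenant}" }
      }
    },
    {
      "Sid": "AllowWritesOnlyWhenTaggedWithCallerTenant",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:user/example-tenant-processor" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-tenant-data/*",
      "Condition": {
        "StringEquals": { "s3:RequestObjectTag/tenant": "${aws:PrincipalTag/tenant}" }
      }
    }
  ]
}
```

The explicit Deny with `Principal: "*"` also locks out operators and automation outside the listed VPCs, so management paths (or a break-glass role excluded via an additional condition) have to be accounted for before a policy like this is applied. The tag conditions only grant access when the caller actually carries a `tenant` tag; an untagged principal, or one whose tag does not match the object, falls through to the implicit deny.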
Own offers the following options for encryption of data at rest:
Standard Offering
Data is encrypted using AES-256 server-side encryption via a key management system validated under FIPS 140-2.
Bring Your Own Key (BYOK)
Data is encrypted in a dedicated object storage container with a customer-provided master encryption key (CMK).
Bring Your Own Key Management System (BYOKMS) for AWS users or Bring Your Own Key Vault (BYOKV) for Azure users
Encryption keys are created in the customer’s own, separately purchased account utilizing AWS KMS or Azure Key Vault.
For data in transit, traffic between Own and Salesforce APIs is sent over HTTPS utilizing TLS 1.2+ and OAuth 2.0.