Our product is designed with security in mind. We make sure security is a core component at every stage of the development lifecycle. Right from the initial planning stage, new features and projects are assessed in terms of their impact on privacy and security. At the design stage, low-level security issues are addressed and approved by the CTO. During development, our programmers abide by programming best practices, such as those published by OWASP. Finally, before every release, our QA team carries out security testing and vulnerability scanning.
We’ve designed the application with security features that allow you to protect your account and enforce your organizational security policies. We provide custom security settings and tools to prevent unauthorized access to your data. With features like account lockout, password policies, and session settings, you can secure your account to the highest degree possible.
Protecting the confidentiality, integrity and availability of data processed through our services is a fundamental objective of the OnceHub security program. We employ strong technical safeguards to ensure that data is protected and the risk of exposure is minimized.
All data and backups are encrypted at rest using the Transparent Data Encryption (TDE) service provided by Microsoft Azure. TDE uses strong ciphers (AES-256) and securely managed encryption keys to ensure that in the unlikely event that data is compromised, it still cannot be deciphered.
OnceHub applications are “HTTPS only.” All data in transit is encrypted using TLS 1.0 and higher (depending on the client browser). In cases where HTTP is used, visitors are automatically redirected to a secure connection. These safeguards ensure that customer data is always encrypted in transit.
OnceHub offers a secure server-to-server connection to the major calendar platforms, including on-premises Exchange, Exchange Online, Office 365, Google Calendar and iCloud. We only access the calendar data required to provide real-time availability during scheduling. Official APIs are always used to read data in real time. Busy time from your calendar is cached for performance, but only event start and end times are saved. This ensures that sensitive event details (such as Subject and Attendees) never reach our database.
Our integration with Google and Office 365 calendar uses the secure OAuth 2.0 authentication protocol. For calendar vendors that do not use modern connection standards, your credentials are required to authenticate the connection. In these cases, additional column-level encryption is applied to sensitive credentials stored in our database. We use symmetric encryption and hashing (AES and SHA-2) with 256-bit keys to protect the connection details and passwords stored in our database.
OnceHub applications are hosted on the Microsoft Azure Cloud platform and are maintained with 99.999% uptime. We use a combination of Windows and Linux-based virtual machines as well as Azure services to offer high performance and availability. Our infrastructure is regularly updated to keep up with security patches and firmware improvements. Third-party security experts perform periodic penetration testing to ensure our systems are suitably hardened against potential threats.
Your data is protected at the source, with physical access that is tightly controlled and secured by Microsoft. Azure is deployed in Microsoft regional datacenters, which are protected by layers of defense-in-depth security that include perimeter fencing, video cameras, security personnel, secure entrances, and real-time communication networks. Defense-in-depth security is in use throughout every area of the facility, including each physical server unit.
At OnceHub, we use Microsoft Azure’s artificial intelligence and machine learning algorithms to protect our system. Using the Azure Security Center, we collect and correlate log data from multiple sources, including our Windows and Linux-based virtual machines, cloud systems, and Azure services. Each item in our database is audited and our log data is continuously being analyzed for threats and vulnerabilities using advanced analytics and the Microsoft Intelligent Security Graph.
We are immediately notified if an issue is detected. This allows us to remediate vulnerabilities before they can be exploited, limit our exposure to threats, and swiftly respond to any attacks. This, combined with our log monitoring processes, allows us to mitigate security issues before they can affect our users.
Security controls are only as strong as the people who implement them. We are committed to employing competent individuals who possess the skills required to successfully implement the company’s security objectives. We have strong policies and recruitment processes in place, and we continuously strive to improve through internal audits and process enhancements.
Our employees undergo a rigorous screening process to ensure they are suitable individuals to provide our service and to access customer data. Background checks are performed prior to hiring, and every new employee is required to sign confidentiality and information security policies upon joining the organization. All employees are required to undergo mandatory Security and Privacy training on an ongoing basis. Access to data is approved by a manager on a case-by-case basis, and in case of employment termination, we execute policies that revoke access quickly and effectively.