OwnBackup instances and storage are available on both Azure and AWS Cloud Service Providers. The services are available on Azure or AWS in the USA, Canada, the European Union, and Australia. AWS services are also available in the UK
‍
Azure and AWS are top-tier, secure facilities that hold the following accreditations: SOC1 – SSAE-16, SOC2, PCI DSS Level 1, ISO 27001, HIPAA, and more. These data centers are protected by the strictest security controls with physical access to the servers restricted to authorized personnel only.

OwnBackup’s services run on our own regionally segregated Virtual Network (VNet) inside Azure or in an AWS Virtual Private Cloud (VPC) in order to further isolate our networks in accordance with network and security best practices.

OwnBackup is a Salesforce.com authorized ISVForce partner and undergoes annual security assessments from salesforce.com in order to maintain this status.

OwnBackup’s security features ensure that data is always encrypted: both in transit and at rest. Our state of the art security measures include TLS 1.2 on every page in order to ensure all traffic to and from the website is always encrypted. Additionally, while at rest, the OwnBackup platform uses AES 256bit encryption and community-adopted oAuth authentication protocol to ensure passwords are never stored on our servers.

OwnBackup’s backup policies and procedures outline the different critical resources that are automatically backed-up. All production data is  backed up automatically twice a day onto a separate infrastructure, and application-level exports are performed on our various tools and databases.

OwnBackup uses CSP object storage to store encrypted customer data across multiple availability-zones.

For customer data stored on object storage, OwnBackup uses object versioning with automatic aging to support compliance with OwnBackup’s disaster recovery and backup policies. For these objects, OwnBackup’s systems are designed to support a recovery point objective (RPO) of 0 hours (that is, the ability to restore to any version of any object as it existed in the prior 14-day period).

Any required recovery of a compute instance is accomplished by rebuilding the instance based on OwnBackup’s configuration management automation.

OwnBackup's Disaster Recovery Plan is designed to ensure the continuation of vital business processes in the event of a disaster and supports a 4-hour recovery time objective (RTO). The DRP is exercised twice a year to measure recovery effectiveness.

OwnBackup products are certified under ISO/IEC 27001:2013 (Information Security Management System) and ISO/IEC 27701:2019 (Privacy Information Management System).

OwnBackup undergoes annual SOC2 Type II audits under SSAE-18 to independently verify the effectiveness of its information security practices, policies, procedures, and operations for the following Trust Services Criteria: Security, Availability, Confidentiality, and Processing Integrity.

OwnBackup utilizes global CSP regions for its product computing and storage. AWS and Azure have several accreditations, including SOC1 - SSAE-18, SOC2, SOC3, ISO 27001, and HIPAA.

Customer access is performed only via HTTPS (TLS1.2+), establishing the encryption of the data in transit between the end-user and the application and between OwnBackup and the third-party data source (e.g., Salesforce).

Customer administrators can provision and deprovision users and associated access as necessary.

Role-based access controls to enable customers to manage multi-org permissions.

Customer administrators can access audit trails including username, action, timestamp, and source IP address fields. Audit logs can be viewed and exported by the customer’s administrator logged into the product, as well as through the OwnBackup API.

Access to OwnBackup products can be restricted by source IP address.

Customers can enable multi-factor authentication for accessing OwnBackup accounts utilizing time-based one-time passwords.

Customers can enable single sign-on via SAML 2.0 identity providers.

Customers can enable customizable password policies to help align OwnBackup passwords to corporate policies.

OwnBackup systems and networks are monitoring for security incidents, system health, network abnormalities, and availability.

An intrusion detection system (IDS) is used to monitor network activity and alert OwnBackup of suspicious behavior.

Web application firewalls (WAFs) are used for all public web services.

OwnBackup logs application, network, user, and operating system events to a local syslog server and a region-specific SIEM. These logs are automatically analyzed and reviewed for suspicious activity and threats. Any anomalies are escalated as appropriate.

OwnBackup utilizes security information and event management (SIEM) systems providing continuous security analysis of the networks and security environment, user anomaly alerting, command and control (C&C) attack reconnaissance, automated threat detection, and reporting of indicators of compromise (IOC). All of these capabilities are administered by OwnBackup’s security and operations staff.

OwnBackup’s incident response team monitors the security@ownbackup.com alias and responds according to the company’s Incident Response Plan (IRP) when appropriate.

Linux sandboxing is used to isolate customer accounts’ data during processing, helping to ensure that any anomaly (for example, due to a security issue or a software bug) remains confined to a single OwnBackup account.

Tenant data access is controlled through unique IAM users with data tagging that disallows unauthorized users from accessing the tenant data.

OwnBackup performs periodic web application vulnerability assessments, static code analysis, and external dynamic assessments as part of its continuous monitoring program to help ensure application security controls are properly applied and operating effectively.

On a semi-annual basis, OwnBackup hires independent third-party penetration testers to perform both network and web vulnerability assessments. The scope of these external audits includes compliance against the Open Web Application Security Project (OWASP) Top 10 Web Vulnerabilities (www.owasp.org).

Vulnerability assessment results are incorporated into the OwnBackup software development lifecycle (SDLC) to remediate identified vulnerabilities. Specific vulnerabilities are prioritized and entered into the OwnBackup internal ticket system for tracking through resolution.

In the event of a potential security breach, the OwnBackup Incident Response Team will perform an assessment of the situation and develop appropriate mitigation strategies. If a potential breach is confirmed, OwnBackup will immediately act to mitigate the breach and preserve forensic evidence and will notify impacted customers’ primary points of contact without undue delay to brief them on the situation and provide resolution status updates.

OwnBackup has a dedicated security team with over 100 years of combined multi-faceted information security experience. Additionally, the team members maintain a number of industry-recognized certifications, including but not limited to CISM, CISSP, and ISO 27001 Lead Auditors.

OwnBackup provides native support for data subject access requests, such as the right to erasure (right to be forgotten) and anonymization, to support compliance with data privacy regulations, including the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). OwnBackup also provides a Data Processing Addendum to address privacy and data protection laws, including legal requirements for international data transfers.

OwnBackup performs criminal background checks of its personnel who may have access to customers’ data, based on the employee’s jurisdictions of residence during the prior seven years, subject to applicable law.

OwnBackup products utilize CSP network controls to restrict network ingress and egress.

Stateful security groups are employed to limit network ingress and egress to authorized endpoints.

A multi-tier network architecture is used, including multiple, logically separated Amazon Virtual Private Clouds (VPCs) or Azure Virtual Networks (VNets), leveraging private, DMZs, and untrusted zones within the CSP infrastructure.

In AWS, VPC S3 Endpoint restrictions are used in each region to permit access only from the authorized VPCs.

OwnBackup offers the following options for encryption of data at rest:

Standard Offering

• Data is encrypted using AES-256 server-side encryption via a key management system validated under FIPS 140-2.

• Envelope encryption is utilized such that the master key never leaves the Hardware Security Module (HSM).
• Encryption keys are rotated no less than every two years.

Bring Your Own Key (BYOK)

• Data is encrypted in a dedicated object storage container with a customer-provided master encryption key (CMK).

• BYOK allows for future archiving of the key and rotating it with another master encryption key.
• The customer can revoke master encryption keys, resulting in the immediate inaccessibility of the data.

Bring Your Own Key Management System (KMS) Option (available on AWS only)

• Encryption keys are created in the customer’s own, separately purchased account utilizing AWS KMS.

• The customer defines the encryption key policy that permits the customer’s SaaS Service account on AWS to access the key from the customer's own AWS KMS.
• Data is encrypted in a dedicated object storage container managed by OwnBackup and configured to use the customer’s encryption key.
• The customer may instantly revoke access to the encrypted data by revoking OwnBackup’s access to the encryption key, without interacting with OwnBackup.
• OwnBackup employees have no access to the encryption keys at any time and do not access the KMS directly.
• All key usage activities are logged in the customer’s KMS, including key retrieval by the dedicated object storage.

For data in transit, traffic between OwnBackup and Salesforce APIs is sent over HTTPS utilizing TLS 1.2+ and OAuth 2.0.