OwnBackup takes privacy and security very seriously. Our platform was built from the ground up with security in mind utilizing leading information security best practices.

MOVEit Transfer services

July 28th, 2023

The OwnBackup security team has evaluated the MOVEit Transfer services and related vulnerabilities CVE-2023-34362, CVE-2023-35708, CVE-2023-36934, CVE-2023-36932, CVE-2023-36933. OwnBackup does not use the MOVEit Transfer solution within its enterprise or segregated product environments.

Investigations with critical sub-processors have been initiated and there are no impacted sub-processors.

We continue to monitor the situation and will provide an update if and when appropriate.

OwnBackup implements best practices and industry standards to achieve compliance with numerous leading information security certifications and authorizations. View our technical and regulatory certifications below.

SOC 2 Type 2

OwnBackup receives an annual SSAE 18 SOC 2 Type II attestation report to provide assurance to our customers and partners that OwnBackup uses secure systems and processes to protect their data.

OwnBackup's latest SOC 2 Type II report is available upon request under NDA.

SOC 1 Type 2

OwnBackup receives an SSAE 21 SOC 1 Type II attestation report to provide assurance to our customers and partners that OwnBackup implements effective internal controls over financial reporting.

OwnBackup's latest SOC 1 Type II report is available upon request under NDA.

Cyber Essentials UK

OwnBackup is Cyber Essentials certified, complying with UK government requirements for implementing the Cyber Essentials Scheme of security controls, to support our UK government clients that handle personal information.

OwnBackup's Cyber Essentials certification can be downloaded here.

EU General Data Protection Regulation (GDPR)

If you are capturing and storing personal information of European citizens, your company may be held liable under the GDPR, an EU data protection and privacy regulation. OwnBackup products are designed to support our customers' compliance obligations under data privacy regulations, including GDPR requirements.

More information on OwnBackup’s GDPR compliance capabilities can be found here.

Hébergeur de Données de Santé (HDS)

The HDS certification requires cloud service providers that host personal data governed by French laws to implement strong security measures to protect health data.

OwnBackup’s HDS certification demonstrates our commitment to securing and protecting the confidentiality of personal health data.

Additional information on OwnBackup’s HDS program can be found here.

HDS Certification (English)

HDS Certification (French)

FedRAMP Authorized

OwnBackup achieved FedRAMP authorization for its OwnBackup Government Cloud solution. With this authorization, OwnBackup is now listed on the FedRAMP Marketplace, and is eligible to provide data protection services to all U.S. Federal Government customers. Learn more


OwnBackup is ISO 27001:2013 and ISO 27701:2019 certified, demonstrating OwnBackup has implemented best-practice information security and privacy processes to securely provide services to our customers.

ISO 27001:2013 Certificate

Information Security Management System (ISMS). Download here.

ISO 27701:2019 Certificate

Privacy Information Management System (PIMS). Download here.

Health Insurance Portability and Accountability Act (HIPAA) / Health Information Technology for Economic and Clinical Health (HITECH)

To support the compliance programs for our Healthcare clients, OwnBackup extended the SOC 2 Type 2 audit scope to include applicable HIPAA/HITECH controls to demonstrate adequate safeguards are in place to protect healthcare data. OwnBackup’s latest HIPAA/HITECH report is available upon request under NDA.

Quality Management System (QMS)

OwnBackup’s QMS ensures our products are designed, developed, and maintained using industry-leading infrastructure, processes, and tools to deliver the highest levels of quality and ensure security of the product environment storing our customer’s data.

OwnBackup mapped our QMS against applicable 21 CFR Part 11 (“GxP”) and EudraLex Volume 4, Annex 11 (“GmP”) controls to externally validated controls within our ISO 27001 certification and SOC 2 Type II report to support the compliance program of our Life Sciences clients.

Additional information for OwnBackup’s support for GxP and GmP compliance can be found here.

Professional Membership

Information Systems Audit and Control Association (ISACA)

OwnBackup security personnel are part of the ISACA network, one of the world’s largest global organizations for information security professionals, and frequently participate in knowledge sharing to provide insight into emerging security threats and help advance the security field.

New Jersey Cybersecurity and Communications Integration Cell (NJCCIC)

OwnBackup is a member of the NJCCIC and receives cyber alerts and advisories, cyber tips and best practices for managing cyber risk. The NJCCIC provides members with cyber information sharing, cyber threat analysis, and incident reporting services to promote statewide awareness of cyber threats and adoption of best practices.

International Information System Security Certification Consortium (ISC2)

OwnBackup security personnel hold numerous ISC2 security certifications, including the Certified Information System Security Professional (CISSP), and are active members in the ISC2 community. ISC2 is a leading organization specializing in training and certifications for cybersecurity professionals.

OwnBackup is committed to protecting our clients when it comes to privacy and security. Our world-class secure data operations platform was built from the ground up utilizing leading information security best practices.

For details on our security controls download our security controls document.


OwnBackup instances and storage are available on both the Azure and AWS cloud service providers. The services are available on Azure or AWS in the USA, Canada, the European Union, and Australia. AWS services are also available in the UK.

Azure and AWS are top-tier, secure facilities that hold the following accreditations: SOC1 – SSAE-16, SOC2, PCI DSS Level 1, ISO 27001, HIPAA, and more. These data centers are protected by the strictest security controls with physical access to the servers restricted to authorized personnel only.

OwnBackup’s services run on our own regionally segregated Virtual Network (VNet) inside Azure or in an AWS Virtual Private Cloud (VPC) in order to further isolate our networks in accordance with network and security best practices.

Enterprise-Grade Security

OwnBackup is an authorized ISVForce partner and undergoes annual security assessments in order to maintain this status.

OwnBackup’s security features ensure that data is always encrypted, both in transit and at rest. Our state-of-the-art security measures include TLS 1.2 on every page in order to ensure all traffic to and from the website is always encrypted. Additionally, while at rest, the OwnBackup platform uses AES-256 encryption, and the community-adopted OAuth authentication protocol ensures passwords are never stored on our servers.

Disaster Recovery

OwnBackup’s backup policies and procedures outline the different critical resources that are automatically backed up. All production data is backed up automatically twice a day onto separate infrastructure, and application-level exports are performed on our various tools and databases.

OwnBackup uses CSP object storage to store encrypted customer data across multiple availability-zones.

For customer data stored on object storage, OwnBackup uses object versioning with automatic aging to support compliance with OwnBackup’s disaster recovery and backup policies. For these objects, OwnBackup’s systems are designed to support a recovery point objective (RPO) of 0 hours (that is, the ability to restore to any version of any object as it existed in the prior 14-day period).

Any required recovery of a compute instance is accomplished by rebuilding the instance based on OwnBackup’s configuration management automation.

OwnBackup's Disaster Recovery Plan is designed to ensure the continuation of vital business processes in the event of a disaster and supports a 4-hour recovery time objective (RTO). The DRP is exercised twice a year to measure recovery effectiveness.

Audits and Certifications

OwnBackup products are certified under ISO/IEC 27001:2013 (Information Security Management System) and ISO/IEC 27701:2019 (Privacy Information Management System).

OwnBackup undergoes annual SOC2 Type II audits under SSAE-18 to independently verify the effectiveness of its information security practices, policies, procedures, and operations for the following Trust Services Criteria: Security, Availability, Confidentiality, and Processing Integrity.

OwnBackup utilizes global CSP regions for its product computing and storage. AWS and Azure have several accreditations, including SOC1 - SSAE-18, SOC2, SOC3, ISO 27001, and HIPAA.

Web Application Security Controls

Customer access is performed only via HTTPS (TLS1.2+), establishing the encryption of the data in transit between the end-user and the application and between OwnBackup and the third-party data source (e.g., Salesforce).

Customer administrators can provision and deprovision users and associated access as necessary.

Role-based access controls enable customers to manage multi-org permissions.

Customer administrators can access audit trails including username, action, timestamp, and source IP address fields. Audit logs can be viewed and exported by the customer’s administrator logged into the product, as well as through the OwnBackup API.

Access to OwnBackup products can be restricted by source IP address.

Customers can enable multi-factor authentication for accessing OwnBackup accounts utilizing time-based one-time passwords.

Customers can enable single sign-on via SAML 2.0 identity providers.

Customers can enable customizable password policies to help align OwnBackup passwords to corporate policies.
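The multi-factor option above relies on time-based one-time passwords (RFC 6238, built on the HOTP construction of RFC 4226). The following is an added illustration of how a server verifies such a code, not OwnBackup's code; it assumes the usual defaults (SHA-1, 30-second step, six digits) and uses the RFC test-vector seed `12345678901234567890` as a constructed demo secret. Two verifier details matter in practice and are shown here: a small acceptance window for clock drift between client and server, and rejection of any counter at or below the last one already used, so a captured code cannot be replayed within its window.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226/6238 test-vector seed "12345678901234567890",
# written in the base32 form that authenticator apps read from a provisioning QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32: str) -> bytes:
    """Decode a base32 shared secret, tolerating the missing '=' padding
    that provisioning URIs commonly omit."""
    return base64.b32decode(b32.upper() + "=" * (-len(b32) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
    then reduce to the requested number of decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time divided by the step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, digits: int = 6,
                window: int = 1, last_used=None):
    """Return the accepted counter, or None if the code is rejected.

    - window: accept codes from +/- this many steps to absorb clock drift.
    - last_used: the counter of the last code this user successfully used;
      any counter at or below it is refused, which blocks replay of a code
      that was captured and re-submitted inside the acceptance window.
    """
    base = at // step
    for delta in range(-window, window + 1):
        ctr = base + delta
        if last_used is not None and ctr <= last_used:
            continue
        # constant-time comparison so timing does not leak matching digits
        if hmac.compare_digest(hotp(secret, ctr, digits), code):
            return ctr
    return None
```

A server that adopts this pattern stores the returned counter as the user's new `last_used` value after every successful login; the acceptance window should stay small (one step is typical), since every extra step widens the period during which a leaked code remains valid.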

Monitoring and Auditing

OwnBackup systems and networks are monitored for security incidents, system health, network abnormalities, and availability.

An intrusion detection system (IDS) is used to monitor network activity and alert OwnBackup of suspicious behavior.

Web application firewalls (WAFs) are used for all public web services.

OwnBackup logs application, network, user, and operating system events to a local syslog server and a region-specific SIEM. These logs are automatically analyzed and reviewed for suspicious activity and threats. Any anomalies are escalated as appropriate.

OwnBackup utilizes security information and event management (SIEM) systems providing continuous security analysis of the networks and security environment, user anomaly alerting, command and control (C&C) attack reconnaissance, automated threat detection, and reporting of indicators of compromise (IOC). All of these capabilities are administered by OwnBackup’s security and operations staff.

OwnBackup’s incident response team monitors the alias and responds according to the company’s Incident Response Plan (IRP) when appropriate.

Account Isolation

Linux sandboxing is used to isolate customer accounts’ data during processing, helping to ensure that any anomaly (for example, due to a security issue or a software bug) remains confined to a single OwnBackup account.

Tenant data access is controlled through unique IAM users with data tagging that disallows unauthorized users from accessing the tenant data.

Vulnerability Management

OwnBackup performs periodic web application vulnerability assessments, static code analysis, and external dynamic assessments as part of its continuous monitoring program to help ensure application security controls are properly applied and operating effectively.

On a semi-annual basis, OwnBackup hires independent third-party penetration testers to perform both network and web vulnerability assessments. The scope of these external audits includes compliance against the Open Web Application Security Project (OWASP) Top 10 Web Vulnerabilities.

Vulnerability assessment results are incorporated into the OwnBackup software development lifecycle (SDLC) to remediate identified vulnerabilities. Specific vulnerabilities are prioritized and entered into the OwnBackup internal ticket system for tracking through resolution.

Incident Response

In the event of a potential security breach, the OwnBackup Incident Response Team will perform an assessment of the situation and develop appropriate mitigation strategies. If a potential breach is confirmed, OwnBackup will immediately act to mitigate the breach and preserve forensic evidence and will notify impacted customers’ primary points of contact without undue delay to brief them on the situation and provide resolution status updates.

Dedicated Security Team

OwnBackup has a dedicated security team with over 100 years of combined multi-faceted information security experience. Additionally, the team members maintain a number of industry-recognized certifications, including but not limited to CISM, CISSP, and ISO 27001 Lead Auditors.

Privacy and Data Protection

OwnBackup provides native support for data subject access requests, such as the right to erasure (right to be forgotten) and anonymization, to support compliance with data privacy regulations, including the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). OwnBackup also provides a Data Processing Addendum to address privacy and data protection laws, including legal requirements for international data transfers.

Background Checks

OwnBackup performs criminal background checks of its personnel who may have access to customers’ data, based on the employee’s jurisdictions of residence during the prior seven years, subject to applicable law.


OwnBackup products utilize CSP network controls to restrict network ingress and egress.

Stateful security groups are employed to limit network ingress and egress to authorized endpoints.

A multi-tier network architecture is used, including multiple, logically separated Amazon Virtual Private Clouds (VPCs) or Azure Virtual Networks (VNets), leveraging private, DMZs, and untrusted zones within the CSP infrastructure.

In AWS, VPC S3 Endpoint restrictions are used in each region to permit access only from the authorized VPCs.


OwnBackup offers the following options for encryption of data at rest:

Standard Offering

  • Data is encrypted using AES-256 server-side encryption via a key management system validated under FIPS 140-2.
  • Envelope encryption is utilized such that the master key never leaves the Hardware Security Module (HSM).
  • Encryption keys are rotated no less than every two years.

Bring Your Own Key (BYOK)

  • Data is encrypted in a dedicated object storage container with a customer-provided master encryption key (CMK).
  • BYOK allows for future archiving of the key and rotating it with another master encryption key.
  • The customer can revoke master encryption keys, resulting in the immediate inaccessibility of the data.

Bring Your Own Key Management System (KMS) Option (available on AWS only)

  • Encryption keys are created in the customer’s own, separately purchased account utilizing AWS KMS.
  • The customer defines the encryption key policy that permits the customer’s SaaS Service account on AWS to access the key from the customer's own AWS KMS.
  • Data is encrypted in a dedicated object storage container managed by OwnBackup and configured to use the customer’s encryption key.
  • The customer may instantly revoke access to the encrypted data by revoking OwnBackup’s access to the encryption key, without interacting with OwnBackup.
  • OwnBackup employees have no access to the encryption keys at any time and do not access the KMS directly.
  • All key usage activities are logged in the customer’s KMS, including key retrieval by the dedicated object storage.
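The envelope-encryption point under the standard offering (the master key never leaves the HSM) and the customer-controlled key policy of the BYO-KMS option are two halves of one design, so the added example below models both together. It is a constructed illustration, not OwnBackup's or AWS's code: `MockKms` stands in for the customer's key store, holding the master key as private state that no method returns, checking every request against a key policy, and logging each decision the way the customer's KMS audit trail would. The policy grants the provider account only `kms:GenerateDataKey`, `kms:Decrypt` and `kms:DescribeKey`, and only via S3 in one region through the `kms:ViaService` condition key (these action and condition names are real AWS KMS identifiers; the account ids and region are placeholders). The cipher is a stand-in HMAC-SHA256 keystream with an HMAC tag so the example runs on the standard library alone; in a real deployment the KMS performs AES-256-GCM. The flow shows the provider wrapping a per-object data key, reading the object back, and then being locked out the instant the customer removes its statement from the policy, with the ciphertext still in place but undecryptable.

```python
import copy
import hashlib
import hmac
import secrets

CUSTOMER_ACCOUNT = "111111111111"  # placeholder AWS account id (constructed)
PROVIDER_ACCOUNT = "222222222222"  # placeholder id for the SaaS provider account (constructed)
REGION = "us-east-1"               # placeholder region

# Stand-in authenticated cipher (HMAC-SHA256 keystream + HMAC tag). It replaces
# AES-256-GCM only so the example has no third-party dependency; the envelope
# and key-policy logic below does not depend on which cipher is used.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return _keystream_xor(key, nonce, ct)

def customer_key_policy(customer: str, provider: str, region: str = REGION) -> dict:
    """Customer root keeps full control; the provider account may only generate and
    unwrap data keys, and only when the call arrives via S3 in this region."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "CustomerRootAdmin", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{customer}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "ProviderEnvelopeUseViaS3", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{provider}:root"},
         "Action": ["kms:GenerateDataKey", "kms:Decrypt", "kms:DescribeKey"],
         "Resource": "*",
         "Condition": {"StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}}},
    ]}

def revoke_provider(policy: dict, provider: str) -> dict:
    """Drop every statement naming the provider: revocation is a customer-only act."""
    arn = f"arn:aws:iam::{provider}:root"
    new = copy.deepcopy(policy)
    new["Statement"] = [s for s in new["Statement"] if s["Principal"].get("AWS") != arn]
    return new

class AccessDenied(PermissionError):
    pass

class MockKms:
    """Models the HSM-backed key: the master key is private state that no method
    returns; every request is checked against the key policy and logged."""
    def __init__(self, policy: dict):
        self.__master = secrets.token_bytes(32)  # never leaves this object
        self.policy = policy
        self.log = []  # (caller, action, decision): the customer-side audit trail

    def _authorize(self, caller, action, via):
        for s in self.policy["Statement"]:
            actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
            need_via = s.get("Condition", {}).get("StringEquals", {}).get("kms:ViaService")
            if (s["Effect"] == "Allow" and s["Principal"].get("AWS") == caller
                    and (action in actions or "kms:*" in actions)
                    and (need_via is None or need_via == via)):
                self.log.append((caller, action, "allowed"))
                return
        self.log.append((caller, action, "denied"))
        raise AccessDenied(f"{caller} may not {action}")

    def generate_data_key(self, caller, via=None):
        self._authorize(caller, "kms:GenerateDataKey", via)
        dk = secrets.token_bytes(32)
        return dk, encrypt(self.__master, dk)  # plaintext data key + wrapped copy

    def decrypt_data_key(self, caller, wrapped, via=None):
        self._authorize(caller, "kms:Decrypt", via)
        return decrypt(self.__master, wrapped)

    def put_key_policy(self, caller, policy):
        self._authorize(caller, "kms:PutKeyPolicy", None)
        self.policy = policy

# Provider-side envelope operations: only the wrapped key is stored next to the object.
def store_object(kms, caller, via, plaintext):
    dk, wrapped = kms.generate_data_key(caller, via)
    return {"wrapped_key": wrapped, "ciphertext": encrypt(dk, plaintext)}

def read_object(kms, caller, via, obj):
    dk = kms.decrypt_data_key(caller, obj["wrapped_key"], via)
    return decrypt(dk, obj["ciphertext"])

def demo():
    cust = f"arn:aws:iam::{CUSTOMER_ACCOUNT}:root"
    prov = f"arn:aws:iam::{PROVIDER_ACCOUNT}:root"
    via = f"s3.{REGION}.amazonaws.com"
    kms = MockKms(customer_key_policy(CUSTOMER_ACCOUNT, PROVIDER_ACCOUNT))
    obj = store_object(kms, prov, via, b"backup record 42")
    before = read_object(kms, prov, via, obj)
    kms.put_key_policy(cust, revoke_provider(kms.policy, PROVIDER_ACCOUNT))  # customer acts alone
    try:
        read_object(kms, prov, via, obj)
        after = "readable"
    except AccessDenied:
        after = "denied"
    return before, after
```

Two properties of the page's description fall out directly: a provider call that does not arrive through S3 fails the `kms:ViaService` condition even before revocation, which is the policy-level form of "does not access the KMS directly", and every allowed or denied request lands in `kms.log`, the equivalent of the key-usage records the customer reviews in their own KMS.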

For data in transit, traffic between OwnBackup and Salesforce APIs is sent over HTTPS utilizing TLS 1.2+ and OAuth 2.0.
