April 13, 2022
OwnBackup is aware of the recently announced Remote Procedure Call Runtime Remote Code Execution vulnerability affecting Microsoft Windows Operating System (CVE-2022-26809). OwnBackup does not utilize the affected operating system, and this vulnerability does not directly affect OwnBackup’s services. Additional validation has been conducted leveraging vulnerability management tools that have added detection capabilities for these vulnerabilities.
April 1, 2022
OwnBackup is aware of the recently announced Spring4Shell RCE vulnerability CVE-2022-22965, as well as CVE-2022-22963 and CVE-2022-22950 announced earlier this week.
While the Spring library is common in the Java programming language, the OwnBackup services do not utilize the Spring framework.
Additional validation has been conducted leveraging vulnerability management tools that have added detection capabilities for these services and vulnerabilities.
March 22nd @ 12:25PM UTC
The OwnBackup security team is aware of the recent Okta security incident and has confirmed no impact.
OwnBackup maintains multiple independent authentication and authorization controls that do not rely on a single technology or provider to ensure the security of customer environments in case of such events.
We continue to monitor the situation closely and will provide further updates if and when there is anything significant to report.
Last updated: December 28th @ 8:25PM UTC. CVE-2021-44832
The OwnBackup services do not directly utilize Java. However, we rely on a small number of third-party services that utilize Log4j. Given the architecture and usage of these services, in addition to the non-default preconditions required for this CVE, we currently do not believe there is any risk to customer data.
We are in active contact with these service providers and monitor their progress for further mitigation or updates to their overall status as a precautionary measure.
We will provide updates if and when there is anything significant to report.
Previous Update: December 22nd @ 7:00PM UTC.
OwnBackup has confirmed that all affected third-party services related to the delivery of the OwnBackup platform were updated to remediate CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 where applicable, as of December 18th at 0:00 UTC.
Previous Update: December 20th @ 3:45PM UTC.
The OwnBackup security team continues to monitor the changes to the Log4j vulnerability situation, including CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105. To date, as a result of our ongoing investigations, we have determined that this vulnerability does not directly affect OwnBackup’s services.
Previous Update: December 17th @ 7:15PM UTC.
The OwnBackup security team continues to monitor the changes to the Log4j vulnerability situation, including CVE-2021-44228 and CVE-2021-45046. To date, as a result of our ongoing investigations, we have determined that this vulnerability does not directly affect OwnBackup’s services. As a precautionary measure, we have deployed additional controls to our public-facing endpoints.
While the Log4j library is a common library in the Java programming language, the OwnBackup services do not directly utilize Java. However, we do rely on a small number of third-party services that utilize Log4j. Given the architecture and usage of these services, we currently do not believe there is any risk to customer data. We are in active contact with these service providers and monitor their progress for further mitigation or updates to their overall status.
OwnBackup undergoes annual SSAE-18 SOC 2 Type II certification to provide assurance to our customers and partners that OwnBackup uses secure systems and processes to protect their data.
OwnBackup's latest SOC 2 Type II report is available upon request under NDA.
OwnBackup is Cyber Essentials certified to comply with UK government requirements for implementing the Cyber Essentials Scheme of security controls, supporting our UK government clients that handle personal information.
OwnBackup's Cyber Essentials certification can be downloaded here.
If you are capturing and storing personal information of European citizens, your company may be held liable under the GDPR, an EU data protection and privacy regulation. OwnBackup products are designed to support our customers' compliance obligations under data privacy regulations, including GDPR requirements.
More information on OwnBackup’s GDPR compliance capabilities can be found here.
OwnBackup is ISO 27001:2013 and ISO 27701:2019 certified, demonstrating OwnBackup has implemented best-practice information security and privacy processes to securely provide services to our customers.
To support the compliance programs for our Healthcare clients, OwnBackup is pursuing an independent HIPAA compliance audit to demonstrate that adequate safeguards are in place to protect healthcare data.
To achieve audit efficiency, OwnBackup is extending the SOC 2 audit scope to include applicable HIPAA controls. The combined audit will be conducted during the 2022 audit cycle.
OwnBackup’s QMS ensures our products are designed, developed, and maintained using industry-leading infrastructure, processes, and tools to deliver the highest levels of quality and to ensure the security of the product environment storing our customers’ data.
To support the compliance programs of our Life Sciences clients, OwnBackup has mapped the applicable 21 CFR Part 11 (“GxP”) and EudraLex Volume 4, Annex 11 (“GmP”) controls in our QMS to the externally validated controls within our ISO 27001 certification and SOC 2 Type II report.
Additional information for OwnBackup’s support for GxP and GmP compliance can be found here.
OwnBackup security personnel are part of the ISACA network, one of the world’s largest global organizations for information security professionals, and frequently participate in knowledge sharing to provide insight into emerging security threats and help advance the security field.
OwnBackup is a member of the NJCCIC and receives cyber alerts and advisories, cyber tips and best practices for managing cyber risk. The NJCCIC provides members with cyber information sharing, cyber threat analysis, and incident reporting services to promote statewide awareness of cyber threats and adoption of best practices.
OwnBackup security personnel hold numerous ISC2 security certifications, including the Certified Information System Security Professional (CISSP), and are active members in the ISC2 community. ISC2 is a leading organization specializing in training and certifications for cybersecurity professionals.
OwnBackup is a member of the FS-ISAC, a global cyber intelligence community focused on providing an intelligence platform and network for anticipating and responding to cyber threats in the financial services industry. FS-ISAC enables collaboration and knowledge sharing for actionable threat intelligence, including resiliency resources, in support of OwnBackup’s mission that no company operating in the cloud should ever lose data.
OwnBackup is committed to protecting our clients when it comes to privacy and security. Our world-class secure data operations platform was built from the ground up utilizing leading information security best practices.
For details on our security controls download our security controls document.
OwnBackup instances and storage are available on both AWS and Azure. The service is hosted on the AWS cloud platform in the USA, Canada, the European Union, and Australia. On Azure, the service is hosted in the European Union.
Azure and AWS are top-tier, secure facilities that hold the following accreditations: SOC1 – SSAE-16, SOC2, PCI DSS Level 1, ISO 27001, HIPAA, FIPS 140-2, and more. These data centers are protected by the strictest security controls and physical access to the servers is restricted to authorized personnel only.
OwnBackup’s services run on our own VPC (Virtual Private Cloud) inside AWS or an Azure Virtual Network inside Azure in order to further isolate our networks in accordance with network and security best practices.
OwnBackup is a Salesforce.com authorized ISVForce partner and undergoes annual security assessments from salesforce.com in order to maintain this status.
OwnBackup’s security features ensure that data is always encrypted, both in transit and at rest. Our state-of-the-art security measures include TLS 1.2 on every page, ensuring that all traffic to and from the website is always encrypted. At rest, the OwnBackup platform uses AES 256-bit encryption, and the community-adopted OAuth authentication protocol ensures that passwords are never stored on our servers.
OwnBackup’s backup policies and procedures outline the critical resources that are automatically backed up. All production data is backed up automatically twice a day onto separate infrastructure, and application-level exports are performed on our various tools and databases.
OwnBackup uses CSP object storage to store encrypted customer data across multiple availability zones.
For customer data stored on object storage, OwnBackup uses object versioning with automatic aging to support compliance with OwnBackup’s disaster recovery and backup policies. For these objects, OwnBackup’s systems are designed to support a recovery point objective (RPO) of 0 hours (that is, the ability to restore to any version of any object as it existed in the prior 14-day period).
Any required recovery of a compute instance is accomplished by rebuilding the instance based on OwnBackup’s configuration management automation.
OwnBackup's Disaster Recovery Plan is designed to ensure the continuation of vital business processes in the event of a disaster and supports a 4-hour recovery time objective (RTO). The DRP is exercised twice a year to measure recovery effectiveness.
OwnBackup products are certified under ISO/IEC 27001:2013 (Information Security Management System) and ISO/IEC 27701:2019 (Privacy Information Management System).
OwnBackup undergoes annual SOC2 Type II audits under SSAE-18 to independently verify the effectiveness of its information security practices, policies, procedures, and operations for the following Trust Services Criteria: Security, Availability, Confidentiality, and Processing Integrity.
OwnBackup utilizes global CSP regions for its product computing and storage. AWS and Azure have several accreditations, including SOC1 - SSAE-18, SOC2, SOC3, ISO 27001, and HIPAA.
Customer access is performed only via HTTPS (TLS 1.2+), establishing encryption of the data in transit between the end user and the application, and between OwnBackup and the third-party data source (e.g., Salesforce).
Customer administrators can provision and deprovision users and associated access as necessary.
Role-based access controls enable customers to manage multi-org permissions.
Customer administrators can access audit trails including username, action, timestamp, and source IP address fields. Audit logs can be viewed and exported by the customer’s administrator logged into the product, as well as through the OwnBackup API.
Access to OwnBackup products can be restricted by source IP address.
Customers can enable multi-factor authentication for accessing OwnBackup accounts utilizing time-based one-time passwords.
Customers can enable single sign-on via SAML 2.0 identity providers.
Customers can enable customizable password policies to help align OwnBackup passwords to corporate policies.
OwnBackup systems and networks are monitored for security incidents, system health, network abnormalities, and availability.
An intrusion detection system (IDS) is used to monitor network activity and alert OwnBackup of suspicious behavior.
Web application firewalls (WAFs) are used for all public web services.
OwnBackup logs application, network, user, and operating system events to a local syslog server and a region-specific SIEM. These logs are automatically analyzed and reviewed for suspicious activity and threats. Any anomalies are escalated as appropriate.
OwnBackup utilizes security information and event management (SIEM) systems providing continuous security analysis of the networks and security environment, user anomaly alerting, command and control (C&C) attack reconnaissance, automated threat detection, and reporting of indicators of compromise (IOC). All of these capabilities are administered by OwnBackup’s security and operations staff.
OwnBackup’s incident response team monitors the firstname.lastname@example.org alias and responds according to the company’s Incident Response Plan (IRP) when appropriate.
Linux sandboxing is used to isolate customer accounts’ data during processing, helping to ensure that any anomaly (for example, due to a security issue or a software bug) remains confined to a single OwnBackup account.
Tenant data access is controlled through unique IAM users with data tagging that disallows unauthorized users from accessing the tenant data.
OwnBackup performs periodic web application vulnerability assessments, static code analysis, and external dynamic assessments as part of its continuous monitoring program to help ensure application security controls are properly applied and operating effectively.
On a semi-annual basis, OwnBackup hires independent third-party penetration testers to perform both network and web vulnerability assessments. The scope of these external audits includes compliance against the Open Web Application Security Project (OWASP) Top 10 Web Vulnerabilities (www.owasp.org).
Vulnerability assessment results are incorporated into the OwnBackup software development lifecycle (SDLC) to remediate identified vulnerabilities. Specific vulnerabilities are prioritized and entered into the OwnBackup internal ticket system for tracking through resolution.
In the event of a potential security breach, the OwnBackup Incident Response Team will perform an assessment of the situation and develop appropriate mitigation strategies. If a potential breach is confirmed, OwnBackup will immediately act to mitigate the breach and preserve forensic evidence and will notify impacted customers’ primary points of contact without undue delay to brief them on the situation and provide resolution status updates.
OwnBackup has a dedicated security team with over 100 years of combined multi-faceted information security experience. Additionally, the team members maintain a number of industry-recognized certifications, including but not limited to CISM, CISSP, and ISO 27001 Lead Auditors.
OwnBackup provides native support for data subject access requests, such as the right to erasure (right to be forgotten) and anonymization, to support compliance with data privacy regulations, including the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). OwnBackup also provides a Data Processing Addendum to address privacy and data protection laws, including legal requirements for international data transfers.
OwnBackup performs criminal background checks of its personnel who may have access to customers’ data, based on the employee’s jurisdictions of residence during the prior seven years, subject to applicable law.
OwnBackup products utilize CSP network controls to restrict network ingress and egress.
Stateful security groups are employed to limit network ingress and egress to authorized endpoints.
A multi-tier network architecture is used, including multiple, logically separated Amazon Virtual Private Clouds (VPCs) or Azure Virtual Networks (VNets), with private, DMZ, and untrusted zones within the CSP infrastructure.
In AWS, VPC S3 Endpoint restrictions are used in each region to permit access only from the authorized VPCs.
OwnBackup offers the following options for encryption of data at rest:
Advanced Key Management (AKM) Option
Bring Your Own Key Management System (KMS) Option (available on AWS only)
For data in transit, traffic between OwnBackup and Salesforce APIs is sent over HTTPS utilizing TLS 1.2+ and OAuth 2.0.