Security and Trust
Understand On-Call Optimizer’s layered security approach and access trust resources.
We appreciate your trust in On-Call Optimizer and take the responsibility to protect your data seriously. Please
take some time to browse this section of our documentation to understand the principles and approach that we have
committed to in order to maintain your trust in us and to prove our security and compliance to our third-party
auditors.
Governance
On-Call Optimizer’s security approach begins with our policies and controls which are based on a set of principles
that establish the foundation for our security practices and provide the standard against which our compliance is
audited against.
Our key security principles are:
- Simplicity. This principle is applied to both our software implementation - we strive to eliminate unnecessary
complexity so our systems are easy to operate and audit, and the design of our product - we collect the bare
minimum of information required to complete the jobs asked of us and no more.
- Granular, least privilege access. Access to data should be granted only to those with a legitimate business need,
in the narrowest way feasible and for only the necessary period of time (not indefinitely). The same approach is
also applied to components of our systems.
- Defense in depth. We implement multiple layered controls, and monitoring of those controls to ensure they are
functioning as intended, based on a belief that errors and failure of individual components are inevitable in
distributed software systems, so the system as a whole must be robust against the failure or malfunction of each
of its components.
- Continuous improvement. We iterative measure, evaluate and improve our security policies and controls as our
business and the threat environment in which we operate changes. Through this iteration we look for opportunities
to increase the effectiveness of our controls and improve our visibility and confidence in the layers of protection
we have in place.
We are working towards SOC 2 Type II attestation to build further confidence in our security controls and implementation
and expect to receive our first report mid-year 2025.
Data Protection
All data in transit to and stored by On-Call Optimizer is protected by strong encryption.
- Data at rest is stored on encrypted VM volumes and encrypted block storage buckets managed by our providers AWS and GCP.
- We require TLS 1.2 or higher with strong cipher suites and enforce the use of HSTS to protect against downgrade attacks
in order to maximise the security of data in transit.
- Sensitive material such as encryption keys and application secrets is managed at the highest tier of our data security
policy classification, with strictly limited access and handled. We rely on trusted industry standard products such as
AWS Secrets Manager and Parameter Store to minimize manual handling of this material.
Product Security
To build confidence in our deployed software’s ability to uphold our security principles we engage in a range of security
related activities, including:
- Regular penetration tests (at least annual) on all aspects of the application. Our last penetration test was conducted in
December 2024 by SecurityLit Ltd and is available in our Trust Center.
- Static code analysis is used during development by all developers and is enforced at pull request time.
- Vulnerability and dependency management scanning is performed continuously on deployed code, and during development to
ensure our software remains free of known vulnerabilities and remains up to date with released patches.
- Full use of available browser policy mechanisms (e.g. content security policy, feature policies and cross-domain policies)
is made to ensure the minimum possible attack surface is available should any zero-day vulnerability be discovered in our
application code.
Internal Security
Our internal corporate and development environments are carefully managed and monitored.
- All corporate hardware is centrally managed and tracked by Vanta’s MDM software which monitors key security configurations
include disk encryption, screen lock configuration, software update state and malware protection.
- Remote access to internal resources is secured using the Tailscale VPN software.
- All employees and contractors are required to undertake reguular security awareness training.
- We use Google Workspace as a central SSO identity provider and require 2FA authentication for all account access.
- Employees do not have direct production access during their day-to-day work and are required to specifically authenticate
and gain elevated credentials limited to the task at hand when performing any production operations.
- No production data (including customer data) is permitted to be stored or processed on On-Call Optimizer’s corporate systems.
Data Privacy
All our activities, policies and data management are compliant with the NZ Privacy Act. In accordance with our principle of
simplicity, we strive to collect the minimum amount of data necessary for On-Call Optimizer to function and we take our
responsibility to be trustworthy stewards of that data seriously.
- All employees are required to sign and commit to our security, privacy and confidentiality policies.
- Customer data is promptly deleted upon request and/or shortly after a customer terminates their services.
More Details
For further details on our security practices, please refer to the detailed pages below.
Vulnerability reporting and management for On-Call Optimizer
Details of the standards and certifications On-Call Optimizer has achieved
The central point for access to certification and policy documents for On-Call Optimizer customers.
Last updated March 4, 2025