Security and Trust

Understand On-Call Optimizer’s layered security approach and access trust resources.

We appreciate your trust in On-Call Optimizer and take the responsibility to protect your data seriously. Please take some time to browse this section of our documentation to understand the principles and approach that we have committed to in order to maintain your trust in us and to prove our security and compliance to our third-party auditors.

Governance

On-Call Optimizer’s security approach begins with our policies and controls which are based on a set of principles that establish the foundation for our security practices and provide the standard against which our compliance is audited against.

Our key security principles are:

  1. Simplicity. This principle is applied to both our software implementation - we strive to eliminate unnecessary complexity so our systems are easy to operate and audit, and the design of our product - we collect the bare minimum of information required to complete the jobs asked of us and no more.
  2. Granular, least privilege access. Access to data should be granted only to those with a legitimate business need, in the narrowest way feasible and for only the necessary period of time (not indefinitely). The same approach is also applied to components of our systems.
  3. Defense in depth. We implement multiple layered controls, and monitoring of those controls to ensure they are functioning as intended, based on a belief that errors and failure of individual components are inevitable in distributed software systems, so the system as a whole must be robust against the failure or malfunction of each of its components.
  4. Continuous improvement. We iterative measure, evaluate and improve our security policies and controls as our business and the threat environment in which we operate changes. Through this iteration we look for opportunities to increase the effectiveness of our controls and improve our visibility and confidence in the layers of protection we have in place.

We are working towards SOC 2 Type II attestation to build further confidence in our security controls and implementation and expect to receive our first report mid-year 2025.

Data Protection

All data in transit to and stored by On-Call Optimizer is protected by strong encryption.

  • Data at rest is stored on encrypted VM volumes and encrypted block storage buckets managed by our providers AWS and GCP.
  • We require TLS 1.2 or higher with strong cipher suites and enforce the use of HSTS to protect against downgrade attacks in order to maximise the security of data in transit.
  • Sensitive material such as encryption keys and application secrets is managed at the highest tier of our data security policy classification, with strictly limited access and handled. We rely on trusted industry standard products such as AWS Secrets Manager and Parameter Store to minimize manual handling of this material.

Product Security

To build confidence in our deployed software’s ability to uphold our security principles we engage in a range of security related activities, including:

  • Regular penetration tests (at least annual) on all aspects of the application. Our last penetration test was conducted in December 2024 by SecurityLit Ltd and is available in our Trust Center.
  • Static code analysis is used during development by all developers and is enforced at pull request time.
  • Vulnerability and dependency management scanning is performed continuously on deployed code, and during development to ensure our software remains free of known vulnerabilities and remains up to date with released patches.
  • Full use of available browser policy mechanisms (e.g. content security policy, feature policies and cross-domain policies) is made to ensure the minimum possible attack surface is available should any zero-day vulnerability be discovered in our application code.

Internal Security

Our internal corporate and development environments are carefully managed and monitored.

  • All corporate hardware is centrally managed and tracked by Vanta’s MDM software which monitors key security configurations include disk encryption, screen lock configuration, software update state and malware protection.
  • Remote access to internal resources is secured using the Tailscale VPN software.
  • All employees and contractors are required to undertake reguular security awareness training.
  • We use Google Workspace as a central SSO identity provider and require 2FA authentication for all account access.
  • Employees do not have direct production access during their day-to-day work and are required to specifically authenticate and gain elevated credentials limited to the task at hand when performing any production operations.
  • No production data (including customer data) is permitted to be stored or processed on On-Call Optimizer’s corporate systems.

Data Privacy

All our activities, policies and data management are compliant with the NZ Privacy Act. In accordance with our principle of simplicity, we strive to collect the minimum amount of data necessary for On-Call Optimizer to function and we take our responsibility to be trustworthy stewards of that data seriously.

  • All employees are required to sign and commit to our security, privacy and confidentiality policies.
  • Customer data is promptly deleted upon request and/or shortly after a customer terminates their services.

More Details

For further details on our security practices, please refer to the detailed pages below.

Reporting Issues

Vulnerability reporting and management for On-Call Optimizer

Certifications

Details of the standards and certifications On-Call Optimizer has achieved

Trust Center

The central point for access to certification and policy documents for On-Call Optimizer customers.


Last updated March 4, 2025