Security and Trust

Understand On-Call Optimizer’s layered security approach and access trust resources.

1 - Reporting Issues

Vulnerability reporting and management for On-Call Optimizer

If you believe you have found a vulnerability in On-Call Optimizer, or are seeing unexpected behaviour that you believe has security implications, please follow the guidelines below.

Reporting a Vulnerability

To report a security concern, please email us at urgent-issue@oncall-optimizer.com with a description of the issue and steps to reproduce (if known).

Authenticated On-Call Optimizer users can access a token from the help page within the application at https://app.oncall-optimizer.com/help. Please include this token in your report to ensure faster notification and response.

Responsible Disclosure

Upon discovering a vulnerability:

  • Submit your findings to us via the instructions above.
  • We will acknowledge your submission within 1 working day and provide you with a named contact person.

Once a vulnerability has been reported

  • We will analyse your reported vulnerability and describe our planned response within 5 working days. If our response indicates that further time is needed beyond this initial period we will maintain regular updates to inform you of the progress.
  • We may invite you to further collaborate with us to ensure the vulnerability is dealt with as effectively and efficiently as possible.

Once a fix for a vulnerability has been deployed

  • We will notify any affected customers of the vulnerability and its solution.
  • If you desire, we will acknowledge your work in discovering, reporting and helping to resolve the vulnerability.

At all times, we expect you to act with professionalism, maintaining a high standard of conduct, including confidentiality. We expect any discovered vulnerability to be reported directly to On-Call Optimizer in the first instance, in order to allow us to protect our customers as effectively as possible.

Acknowledgements

If you have found a vulnerability in On-Call Optimizer and follow the responsible disclosure process, we will acknowledge your contribution publicly on this page if requested.

2 - Certifications

Details of the standards and certifications On-Call Optimizer has achieved

On-Call Optimizer is designed and architected to be secure, protecting the confidentiality, integrity and availability of your data. We pursue independent third-party certifications to demonstrate our commitment to security and compliance.

Access to certification documents and related policies can be requested via our trust center.

SOC2

SOC2 is a widely recognized standard for security and compliance. On-Call Optimizer is committed to achieving a SOC2 Type 2 certification and is engaged in the audit process to fulfil this commitment.

Latest Update

As of September 2024, the scoping and planning for SOC2 certification has been completed, including establishing the list of controls required to be audited.

The work in progress is now focused on gathering the required evidence to demonstrate to the auditor that each control is being achieved.

  • Policies covering all required control areas are written and in place.
  • The necessary technical and process implementation details are in place for over 95% of all controls.
  • Evidence is gathered and documented for 66% of controls.

Next Steps

  • Selection of an auditor
  • Agree terms, scope and timing of audit with selected auditor.
  • Complete evidence gathering and documentation for remaining controls.

Target Dates

  • End of September 2024: Evidence collection completed, all controls ready for audit.
  • End of October 2024: Auditor selected, scoping statement approved, Type 1 audit begins.
  • End of December 2024: SOC2 Type 1 audit report available for customer distribution.
  • End of March 2025: SOC2 Type 2 audit report available for customer distribution.

Availability of the Type 2 audit report at the above date is subject to the selected auditor agreeing that a shorter 3-month observation period is appropriate for the size and scope of the On-Call Optimizer product. If this agreement is not achieved, it is likely that the Type 2 audit report will not be available until June 2025.

Penetration Testing

In addition to security certification, On-Call Optimizer is also subject to external penetration testing to independently validate the security of our systems.

Latest Update

As of September 2024, evaluation and selection of a penetration testing vendor is in progress.

Target Dates

  • End of September 2024: Vendor selected, pen test scheduled.
  • End of November 2024: Penetration test report available for customer distribution.

Other certifications

If you need evidence of compliance with another certification, please contact us at compliance@oncall-optimizer.com.

3 - Trust Center

The central point for access to certification and policy documents for On-Call Optimizer customers.

To access the On-Call Optimizer trust center please visit the following address:

https://mkmba-limited.trustshare.com/

By default the trust center provides an overview of On-Call Optimizer’s compliance program. Please use the links provided in the center to request additional access to certification and policy documents if required.

If you have further questions, please contact us at compliance@oncall-optimizer.com.