Security and Trust

Understand On-Call Optimizer’s layered security approach and access trust resources.

We appreciate your trust in On-Call Optimizer and take the responsibility to protect your data seriously. Please take some time to browse this section of our documentation to understand the principles and approach that we have committed to in order to maintain your trust in us and to prove our security and compliance to our third-party auditors.

Governance

On-Call Optimizer’s security approach begins with our policies and controls, which are based on a set of principles that establish the foundation for our security practices and provide the standard against which our compliance is audited.

Our key security principles are:

  1. Simplicity. This principle is applied both to our software implementation (we strive to eliminate unnecessary complexity so our systems are easy to operate and audit) and to the design of our product (we collect the bare minimum of information required to complete the jobs asked of us and no more).
  2. Granular, least privilege access. Access to data should be granted only to those with a legitimate business need, in the narrowest way feasible and for only the necessary period of time (not indefinitely). The same approach is also applied to components of our systems.
  3. Defense in depth. We implement multiple layered controls, and monitoring of those controls to ensure they are functioning as intended, based on a belief that errors and failure of individual components are inevitable in distributed software systems, so the system as a whole must be robust against the failure or malfunction of each of its components.
  4. Continuous improvement. We iteratively measure, evaluate and improve our security policies and controls as our business and the threat environment in which we operate change. Through this iteration we look for opportunities to increase the effectiveness of our controls and improve our visibility and confidence in the layers of protection we have in place.

We are working towards SOC 2 Type II attestation to build further confidence in our security controls and implementation and expect to receive our first report mid-year 2025.

Data Protection

All data in transit to and stored by On-Call Optimizer is protected by strong encryption.

  • Data at rest is stored on encrypted VM volumes and encrypted block storage buckets managed by our providers AWS and GCP.
  • We require TLS 1.2 or higher with strong cipher suites and enforce the use of HSTS to protect against downgrade attacks in order to maximise the security of data in transit.
  • Sensitive material such as encryption keys and application secrets is managed at the highest tier of our data security policy classification, with strictly limited access and handling. We rely on trusted industry standard products such as AWS Secrets Manager and Parameter Store to minimize manual handling of this material.

Product Security

To build confidence in our deployed software’s ability to uphold our security principles we engage in a range of security related activities, including:

  • Regular penetration tests (at least annual) on all aspects of the application. Our last penetration test was conducted in December 2024 by SecurityLit Ltd and is available in our Trust Center.
  • Static code analysis is used during development by all developers and is enforced at pull request time.
  • Vulnerability and dependency management scanning is performed continuously on deployed code, and during development to ensure our software remains free of known vulnerabilities and remains up to date with released patches.
  • Full use of available browser policy mechanisms (e.g. content security policy, feature policies and cross-domain policies) is made to ensure the minimum possible attack surface is available should any zero-day vulnerability be discovered in our application code.

Internal Security

Our internal corporate and development environments are carefully managed and monitored.

  • All corporate hardware is centrally managed and tracked by Vanta’s MDM software, which monitors key security configurations including disk encryption, screen lock configuration, software update state and malware protection.
  • Remote access to internal resources is secured using the Tailscale VPN software.
  • All employees and contractors are required to undertake regular security awareness training.
  • We use Google Workspace as a central SSO identity provider and require 2FA authentication for all account access.
  • Employees do not have direct production access during their day-to-day work and are required to specifically authenticate and gain elevated credentials limited to the task at hand when performing any production operations.
  • No production data (including customer data) is permitted to be stored or processed on On-Call Optimizer’s corporate systems.

Data Privacy

All our activities, policies and data management are compliant with the NZ Privacy Act. In accordance with our principle of simplicity, we strive to collect the minimum amount of data necessary for On-Call Optimizer to function and we take our responsibility to be trustworthy stewards of that data seriously.

  • All employees are required to sign and commit to our security, privacy and confidentiality policies.
  • Customer data is promptly deleted upon request and/or shortly after a customer terminates their services.

More Details

For further details on our security practices, please refer to the detailed pages below.

1 - Reporting Issues

Vulnerability reporting and management for On-Call Optimizer

If you believe you have found a vulnerability in On-Call Optimizer, or are seeing unexpected behaviour that you believe has security implications, please follow the guidelines below.

Reporting a Vulnerability

To report a security concern, please email us at urgent-issue@oncall-optimizer.com with a description of the issue and steps to reproduce (if known).

Authenticated On-Call Optimizer users can access a token from the help page within the application at https://app.oncall-optimizer.com/help. Please include this token in your report to ensure faster notification and response.

Responsible Disclosure

Upon discovering a vulnerability:

  • Submit your findings to us via the instructions above.
  • We will acknowledge your submission within 1 working day and provide you with a named contact person.

Once a vulnerability has been reported:

  • We will analyse your reported vulnerability and describe our planned response within 5 working days. If our response indicates that further time is needed beyond this initial period we will maintain regular updates to inform you of the progress.
  • We may invite you to further collaborate with us to ensure the vulnerability is dealt with as effectively and efficiently as possible.

Once a fix for a vulnerability has been deployed:

  • We will notify any affected customers of the vulnerability and its solution.
  • If you desire, we will acknowledge your work in discovering, reporting and helping to resolve the vulnerability.

At all times, we expect you to act with professionalism, maintaining a high standard of conduct, including confidentiality. We expect any discovered vulnerability to be reported directly to On-Call Optimizer in the first instance, in order to allow us to protect our customers as effectively as possible.

Acknowledgements

If you have found a vulnerability in On-Call Optimizer and follow the responsible disclosure process, we will acknowledge your contribution publicly on this page if requested.

2 - Certifications

Details of the standards and certifications On-Call Optimizer has achieved

On-Call Optimizer is designed and architected to be secure, protecting the confidentiality, integrity and availability of your data. We pursue independent third-party certifications to demonstrate our commitment to security and compliance.

Access to certification documents and related policies can be requested via our trust center.

SOC2

SOC2 is a widely recognized standard for security and compliance. On-Call Optimizer is committed to achieving a SOC2 Type 2 certification and is engaged in the audit process to fulfil this commitment.

Latest Update

As of March 2025, our type 2 audit window for SOC2 certification is in progress.

Next Steps

  • Complete SOC2 audit and receive certification (July 2025).

Penetration Testing

In addition to security certification, On-Call Optimizer is also subject to external penetration testing to independently validate the security of our systems.

Latest Update

Our latest penetration test was completed in December 2024 with no significant findings reported and is now available in our trust center.

Other certifications

If you need evidence of compliance with another certification, please contact us at compliance@oncall-optimizer.com.

3 - Trust Center

The central point for access to certification and policy documents for On-Call Optimizer customers.

To access the On-Call Optimizer trust center please visit the following address:

https://trust.mkmba.nz/

By default the trust center provides an overview of On-Call Optimizer’s compliance program. Please use the links provided in the center to request additional access to certification and policy documents if required.

If you have further questions, please contact us at compliance@oncall-optimizer.com.