At Onna, we encrypt data in transit and at rest. The Transport Layer Security (TLS v1.2) protocol secures all communication between the desktop and web clients and the backend servers. In storage, we encrypt data with AES-256. Nothing is ever sent in clear text.
Our desktop software is code-signed by a trusted authority to ensure integrity and authentication of our releases.
Every request made to our servers is logged for audit, recording the originating IP, the originating user, the requested route, the data sent during the request, and the response sent by the server.
Data integrity and validation checks are performed on both the client and server side to ensure data accuracy and consistency.
Your data is stored on the highly trusted Google Cloud Platform. Google Cloud has numerous attestations from third parties with regard to physical security, data center operations and personnel security, including, but not limited to, HIPAA, PCI, SOC and ISO 27001.
We use the OAuth 2.0 protocol (token or cookie-based authentication) to connect to third-party data providers, such as Gmail, Dropbox, Office 365, Slack, and others that support this technology. We will never ask for your credentials to these services, and we will securely store the authentication token that the service generates when you authorize our access. We only request from you the “must have” permissions for these service providers, which, in most cases, are read-only.
All public-facing services shall provide communication strictly through the Transport Layer Security protocol TLS v1.2. No data shall ever be exchanged with Onna systems in plain text or over SSL implementations known to be less secure.