Dashboard
Trust Center
At O’Neil Software, we empower organizations to manage physical and digital records with security, efficiency, and confidence. Our cloud-based platform supports seamless tracking, retrieval, and secure destruction of information—reducing reliance on manual processes, outdated infrastructure, and siloed systems.
Trusted by records centers, archives, and enterprises worldwide, our solutions streamline operations and ensure compliance throughout the entire records lifecycle.
As a pioneer in records and information management, we recognize the critical responsibility of protecting sensitive data and enabling proper governance—including compliant destruction. Security, compliance, and ethical data practices are not features—they are embedded in our technology, operations, and culture.
We back this commitment with:
- SOC-2 and ISO 27001:2022 Certification: Validating our controls meet rigorous security, availability, and confidentiality standards.
- Multi-factor Authentication (MFA) and Single Sign-On (SSO): Strengthening identity access management.
- End-to-End Encryption: Protecting your data in transit and at rest.
- 24/7 Monitoring and Backups: Ensuring uptime, resilience, and recoverability.
- Granular Access Controls: Aligning system permissions with your organizational roles.
Our platform continues to evolve alongside regulatory standards and customer expectations—delivering ongoing improvements in data protection, governance, and secure operations. We are proud to serve an industry built on accountability, transparency, and trust.
Learn more about our Security & Compliance Practices
Request SOC2 Report
Frequently Asked Questions
Yes, we support OIDC based SSO. Please reach out to our sales team to discuss specifics.
All communication is encrypted in-transit using TLS 1.2 or greater.
Data stored in our infrastructure is protected at-rest using the 256-bit Advanced Encryption Standard (AES-256) with encryption keys stored within the Amazon Key Management Service.
Security risk assessment is an integral part of our software development life cycle. We use frameworks such as OWASP Top 10as part of the risk review. We use both SAST and DAST vulnerability management tools to detect and manage code vulnerabilities. We also have a strong partnerships with third parties such as Rapid 7 and Inovo InfoSec who extensive application and network penetration test, as well as a private bug bounty program. This means that everything we deploy is continuously penetration tested by vetted and experienced security researchers. We use Stellar Cyber and Aikido to monitor for production infrastructure security issues, cloud security posture, vulnerabilities, and misconfigurations such as deviations from CIS Benchmarks.
We have a Data Privacy and GDPR Compliance Policy in place to meet our obligations under the UK Data Protection Act 2018, the UK's implementation of the General Data Protection Regulation (GDPR). We also have an explicit Data Subject Request Policy in place, which sets out how to respond to an individual’s request to exercise their rights under the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. Further, O’Neil Software’s Information Security Policy ensures that information is classified, protected, retained and securely disposed of in accordance to regulatory responsibilities as well as internal classification.
View More
Index
Certificates
Assessments
Index
Management Commitment To Information Security
Information Security Program
Information Security Policies
Information Security Organization
Information Systems Risk Management
Information Management
Personnel Security Management
Systems & Operation Management
Third Party Relationships
Access Controls
Security Incident Response
Management Commitment To Information Security
Expand All
Information and information systems are necessary for the performance of just about every essential activity at O’Neil Software. If there were to be a serious security problem with this information or these information systems, O’Neil Software could suffer serious consequences including lost customers, reduced revenues, and degraded reputation. As a result, information security now must be a critical part of the O’Neil Software business environment.
Information Security Program
For these and other important business reasons, executive management working in conjunction with the board of directors has initiated and continues to support an information security program based on the International Standards Organization (ISO) Information Security Management System (ISMS) 27001-2022, Statement on Standards for Attestation Engagements (SSAE) No. 21 SOC2 Type 2, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, and the Center for Internet Security (CIS) Controls version 8.0 Critical Security Controls. The information security program must be updated and re-approved by O’Neil Software management annually or whenever there is a material change in the organization or infrastructure and audited by an independent third party at least annually.
The information security program must be monitored for effectiveness and continuous compliance. To support continued compliance, the O’Neil Software information security program contains controls for the audit and assessment of essential controls. O’Neil Software management engages a third-party to perform an external validation of the information security program at least annually.
Information Security Policies
To support the information security effort, O’Neil Software has prepared documentation including security plans (organization and system level), information security policies, information security standards (for systems and processes) and operating procedures. As a condition of continued employment, all workers, employees, contractors, consultants, and temporaries, must consistently observe the requirements set forth in this document.
The information security program and related policies also define baseline control measures that everyone at O’Neil Software is expected to be familiar with and to consistently follow. Sometimes called standard of due care controls, these security measures are the minimum required to prevent a variety of different problems including: information disclosure, fraud and embezzlement, industrial espionage, sabotage, errors and omissions, and system unavailability. The information security program and related policies also define the minimum controls necessary to prevent legal problems such as allegations of negligence, breach of fiduciary duty, or privacy violation.
O’Neil Software has developed, documented, and periodically updates a written System Security Plan after conducting quarterly assessments of the security controls in O’Neil Software organizational systems. The SSP describes system boundaries, environments of operations, how security requirements are implemented, and the relationships with other systems.
O’Neil Software has development written Plans of Action with Milestones designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. Vulnerabilities are assessed on a monthly or more frequent basis. PoAMs are updated as a result.
Information Security Organization
To be effective, information security must be a team effort involving the participation and support of every O’Neil Software worker who deals with information and information systems. In recognition of the need for teamwork, the O’Neil Software information program defines and clarifies the responsibilities of users and the steps they must take to help protect O’Neil Software information and information systems.
To support and organize this team effort, O’Neil Software has assigned specific individuals with the primary responsibility for implementing and updating the information security program. This group is known as the Information Security Department. To further support the security organizations, other groups of specialists may be formed on a temporary or permanent basis to address specific needs such as Incident Response or Disaster Recovery.
Information Systems Risk Management
O’Neil Software supports a risk-based approach to information security. Each year O’Neil Software management will conduct, or manage an independent party who conducts, an organization-wide security risk assessment. The report resulting from this project must include a detailed description of the information security risks currently facing the organization, and specific recommendations for preventing or mitigating these risks. The controls resulting from this assessment will help form the baseline of the information security program.
Information Management
To effectively protect information, O’Neil Software has adopted a formal information classification scheme that defines a specific sensitivity level for all information collected, produced and maintained by the organization.
Accordingly, O’Neil Software information security policies, standards and procedures are put in place to define the appropriate data protection levels for each type of sensitive data. Sensitive O’Neil Software information is protected using encryption at rest, during transit, and during archival and destruction. Only secure versions of encryption are used in transit (such as Transport Layer Security (TLS) 1.2 or above) and at rest (such as AES 265 or higher).
Personnel Security Management
O’Neil Software personnel are ultimately responsible for the day-to-day implementation and effectiveness of the information security program. Thus, the information security program includes controls for the proper security of personnel from the time of pre-employment (screening) until the employment relationship is terminated. All employees are made aware of their role within the information security function and are provided annual Information Security Training to help them do their jobs effectively. Each employee and contractor with access to sensitive information is also made aware of the Information Security Policies, standards and procedures that apply to their job function.
To effectively protect sensitive information, O’Neil Software has adopted formal Acceptable Use policies covering the use of business systems including electronic messaging, internet use, mobile devices, passwords, and data handling. All users are required to read and acknowledge Acceptable Use Policies at least annually.
Systems & Operation Management
The O’Neil Software information security program has defined controls for the secure acquisition, development, management, and disposal of information systems. This approach uses a formal Systems Development Lifecycle (SDLC) for the management of security.
As part of the security of systems, O’Neil Software has formal policies and documented operating procedures for critical IT functions such as change management, malicious software management, event logging and data backups.
Third Party Relationships
As part of the O’Neil Software information security program, we proactively manage the risk related to third parties. This includes the adoption of information security controls in all third-party contracts. The program also protects information that is disclosed to third parties. For example, prior to providing any non-public O’Neil Software information to an outsourcing firm, business partner, or any other non-governmental entity, the relevant Information Owner, and the Information Security Manager must jointly perform a risk assessment.
Access Controls
The O’Neil Software information security program is designed to carefully control both logical and physical access to sensitive information based on the concept of “need-to-know.” All O’Neil Software employees and third parties must be formally approved before they are granted access to sensitive information. Further, all computer and communication systems that contain sensitive information are equipped with access control systems that limit and record user access based on a unique user ID and password. In certain circumstances, enhanced authentication technology (such as biometrics or smart cards) may be used to protect the most sensitive information.
O’Neil Software requires the use of MFA on all remote entry points to O’Neil systems, as well as on all privileged access to systems, including all production and development environments.
Passwords must be hashed or salted at all times, always encrypted, must be complex, and lock after a defined condition such as failure or inactivity.
O’Neil Software utilizes SSO with an enterprise Identity and Access Management (IAM) system wherever possible.
O’Neil Software implements and manages a strong system access control procedure that restricts access to data and systems by a “business need-to-know.” Restricting access to only individuals or systems with a “business need-to-know” reduces the potential for unauthorized changes or theft. O’Neil Software understands that a critical component of an effective security program is to effectively manage and control access permissions to sensitive systems and data.
Security Incident Response
To prepare for unforeseen events that may compromise information security, the O’Neil Software information security program contains response plans and procedures. For example, O’Neil Software management prepares, periodically updates, and tests emergency response plans that provide for the continued operation of critical computer and communication systems in the event of an interruption or degradation of service. The information security program also contains a formalized incident response function, detailing how the organization will report and respond to information security incidents.
O’Neil Software has developed a sanctions process to handle accidental or willful violations of information security policy by personnel.
Frequently Asked Questions
Expand All
Yes, we support OIDC based SSO. Please reach out to our sales team to discuss specifics.
All communication is encrypted in-transit using TLS 1.2 or greater.
Data stored in our infrastructure is protected at-rest using the 256-bit Advanced Encryption Standard (AES-256) with encryption keys stored within the Amazon Key Management Service.
Security risk assessment is an integral part of our software development life cycle. We use frameworks such as OWASP Top 10 as part of the risk review. We use both SAST and DAST vulnerability management tools to detect and manage code vulnerabilities. We also have a strong partnerships with third parties such as Rapid 7 and Inovo InfoSec who extensive application and network penetration test, as well as a private bug bounty program. This means that everything we deploy is continuously penetration tested by vetted and experienced security researchers. We use Stellar Cyber and Aikido to monitor for production infrastructure security issues, cloud security posture, vulnerabilities, and misconfigurations such as deviations from CIS Benchmarks.
We have a Data Privacy and GDPR Compliance Policy in place to meet our obligations under the UK Data Protection Act 2018, the UK's implementation of the General Data Protection Regulation (GDPR). We also have an explicit Data Subject Request Policy in place, which sets out how to respond to an individual’s request to exercise their rights under the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. Further, O’Neil Software’s Information Security Policy ensures that information is classified, protected, retained and securely disposed of in accordance to regulatory responsibilities as well as internal classification.
Yes, we support SAML 2.0 based SSO and authentication via Google for corporate customers above a certain deal value. Please reach out to our sales team to discuss specifics.
Storage and processing is performed within the cloud infrastructure provided by Amazon Web Services (AWS). Data including operational backups of data is stored in one of three regions based on the customer’s location. Storage facilities use multiple availability zones, each with redundant power and networking, and each physically separated by a number of miles.
We use third-party cloud services as part of our service delivery. All third party service providers are evaluated within Legal, Security, Functionality and Commercial aspects. From a legal perspective, compliance with GDPR and other regulatory standards is a must, as well as compliance with requirements put on us by our customers. From a security perspective, we require SOC2 or ISO27001 as a rule. Exceptions can be made, upon answering a relevant security questionnaire, which is then reviewed and discussed. Third-party services functioning as sub-processors are listed in our Data Processing Agreement:
All communication is encrypted in-transit using TLS 1.2+.
Data stored in our infrastructure is protected at-rest using the 256-bit Advanced Encryption Standard (AES-256) with encryption keys stored within the Amazon Key Management Service.
Encryption keys are managed via AWS Key Management Service (KMS). AWS KMS uses hardware security modules (HSMs) that have been validated under FIPS 140-2. The access to KMS is controlled via IAM Access controls and only enabled for selected employees. AWS KMS is designed so that no one, including AWS employees, can retrieve the plaintext KMS keys from the service.
We do not support customer-specific encryption keys.
We require name, email address and communication preferences to provide the service, which we obtain during sign-up. Music and image assets can be uploaded as part of the video generation process. To create a video on the platform you enter a text script, the script is then converted to a voice for an avatar to present the information in a video. To use a custom avatar for our platform, we require video data of an actor to create the avatar. For custom voices, we likewise require voice data.We also collect and process data for the legitimate interest of improving the service delivery and to meet legal obligations. Where additional services are offered we seek user consent. This is set out in our Terms of Service and the incorporated Data Processing Agreement.
Security risk assessment is an integral part of our software development life cycle. We use frameworks such as OWASP Top 10as part of the risk review. We use both SAST and DAST vulnerability managment tools to detect and manage code vulnerabilities. We also have a strong partnerships with third parties such as Rapid 7 and Inovo InfoSec who extensive application and network pentests, as well as a private bug bounty program. This means that everything we deploy is continuously pentested by vetted and experienced security researchers. We use Stellar Cyber and Akito to monitor for production infrastructure security issues, cloud security posture, vulnerabilities, and misconfigurations such as deviations from CIS Benchmarks.
We ensure that all access is based on the principle of least privilege. We use an identity provider with built-in threat intelligence feeds (i.e. dark web monitoring), strong password complexity requirements and a requirement for all employees to use a FIDO2 compliant authentication factor (biometric or security key). All employees are required to use a password manager, with a unique strong password and multi-factor authentication by default for all accounts. Access to our cloud infrastructure has restricted permissions using role based access controls, with access alerts and auditing in place.
For employee and contingent worker access to customer data and personal information we have implemented the following specific controls:
- Written policy for limiting employee, contingent worker, and contractor access to sensitive data, such as role-based access limitations and use of the principle of least privilege
- Periodic access reviews
- Access requests and explicit approvals for all access to sensitive data
- A requirement that all employees and contingent workers to execute NDA or other confidentiality agreements
- Periodic privacy and security training
- Immediate termination of access upon termination of employment
- Physical access restrictions, such as key card access and video monitoring
- Full audit logging of all access to our backend infrastructure and actions taken by staff
Risk assessment is an integral part of operating procedures and incorporated in our Risk Management Policy. This is implemented and monitored through Vanta, our compliance tracking platform. Within Vanta, we define risk areas, risk scenarios, treatments, etc. These are owned by relevant stakeholders within the business. The ISO, together with legal counsel, is responsible for overseeing this process. Controls and mitigatory measures are either continuously monitored for effectiveness , with automated alerts for failures, or audited by ISO periodically as part of the general compliance upkeep. Controls related to SOC2 are also reviewed as part of the external audit. Backer Tilly performs an independent third-party SOC2 Type 2 and ISO 27001 audit on an annual basis.
We have a Data Privacy and GDPR Compliance Policy in place to meet our obligations under the UK Data Protection Act 2018, the UK's implementation of the General Data Protection Regulation (GDPR). We also have an explicit Data Subject Request Policy in place, which sets out how to respond to an individual’s request to exercise their rights under the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. Further, O’Neil Software’s Information Security Policy ensures that information is classified, protected, retained and securely disposed of in accordance to regulatory responsibilities as well as internal classification.
