This document is a templated draft, pending counsel review.
The text below is generic SaaS baseline language intended to communicate intent while the formal version is being finalised with our counsel. Do not rely on it for compliance, procurement, audit or any legally binding decision. For the current binding version applicable to your engagement, contact security@observone.com.
Effective: 2026-05-11
Version: v0.1 (draft)
Jurisdiction: [PLACEHOLDER: Delaware, USA]
1. Overview
ObservOne operates the platform with a defence-in-depth posture appropriate to the criticality of the infrastructure our customers run. The program is anchored on three principles:
Single-tenant data planes — customer telemetry is isolated by tenant at the storage and compute layer, not just logically
Customer-managed keys — where customers require it, encryption keys are held by the customer, not by us
Region pinning by default — customer data stays in the region of origin unless the customer explicitly elects otherwise
This page summarises the program. Detailed control mappings are available under NDA on request.
2. Infrastructure security
Cloud provider
We run on [PLACEHOLDER: AWS / GCP / multi-cloud] across multiple availability zones and regions. The underlying provider holds SOC 1, SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, ISO 27701, PCI DSS, FedRAMP and HIPAA attestations.
Network segmentation
Production is segmented from staging and corporate networks. Public endpoints sit behind a managed WAF and DDoS protection layer. Service-to-service traffic is authenticated and encrypted in transit.
Host hardening
Production hosts are immutable images deployed via signed pipelines. SSH access to production is disabled by default; break-glass access is time-boxed, logged and reviewed.
3. Application security
Secure SDLC
Code changes are reviewed by a second engineer, run through automated static analysis and dependency scanning, and tested against a battery of unit and integration tests before merge. Production deploys are gated on those signals.
Secrets management
Secrets are stored in [PLACEHOLDER: AWS Secrets Manager / HashiCorp Vault], scoped per-environment, rotated on a defined cadence and never stored in source code.
Dependency hygiene
Third-party dependencies are inventoried and continuously scanned for known vulnerabilities. Critical-severity findings are remediated within [PLACEHOLDER: 7 days] of public disclosure.
4. Data security & encryption
Encryption in transit
All connections to the Service use TLS 1.2 or higher with modern cipher suites. Internal service-to-service traffic uses mutual TLS.
Encryption at rest
All Customer Data is encrypted at rest using AES-256. Database storage, object storage and snapshots are encrypted by default.
Key management
Default key management is performed by our cloud provider's managed KMS. Customers on eligible tiers may bring their own keys (BYOK) via [PLACEHOLDER: AWS KMS Customer-Managed Keys / external HSM integration].
Data residency
Customer Data is pinned to its region of origin by default. Multi-region replication is opt-in per tenant.
5. Identity & access management
Customer-side
SSO via SAML 2.0 and OIDC
SCIM provisioning for user lifecycle
MFA enforced for privileged roles
Role-based access control with least-privilege defaults
Audit log of every authentication and write event, exportable in OpenTelemetry
Internal access
Employee access to production is granted on a least-privilege basis, tied to job function, and reviewed quarterly. All access requires SSO + MFA. Privileged operations are logged and monitored.
6. Operational security
Change management
Production changes flow through a versioned pipeline with mandatory peer review, automated tests and a staged rollout. Rollback is one command away.
Vulnerability management
Continuous scanning of hosts, containers and dependencies. Findings are triaged into our ticketing system with SLAs based on severity:
Critical: [PLACEHOLDER: 24 hours to acknowledge, 7 days to remediate]
High: [PLACEHOLDER: 72 hours / 30 days]
Medium: [PLACEHOLDER: 7 days / 90 days]
Penetration testing
External penetration tests are conducted at least [PLACEHOLDER: annually] by an accredited third party. A current attestation summary is available under NDA.
Logging & monitoring
Centralised logging across application, infrastructure and audit events. Alerts feed our on-call rotation 24/7.
7. Vendor & sub-processor management
Every sub-processor undergoes due-diligence review before onboarding and a recurring review thereafter. Material changes to the sub-processor roster are announced in advance via the sub-processors page.
8. Business continuity & DR
Production runs across multiple availability zones with automated failover. Backups are encrypted, region-isolated and tested quarterly. Recovery objectives:
RTO — [PLACEHOLDER: 4 hours for production-impacting events]
RPO — [PLACEHOLDER: 15 minutes]
9. Incident response
We maintain a documented incident response plan with defined roles, escalation paths and communication templates. In the event of a security incident affecting Customer Data:
Initial customer notification within [PLACEHOLDER: 72 hours] of confirmed material impact, consistent with applicable law and contractual commitments
Status updates at least every [PLACEHOLDER: 24 hours] until resolution
Post-incident report including root cause, impact assessment and corrective actions, delivered within [PLACEHOLDER: 14 days] of closure
10. Vulnerability disclosure
We welcome reports from security researchers. Submit findings to security@observone.com; PGP key on request. We commit to:
Acknowledgement within 5 business days
Initial assessment within 10 business days
Coordinated disclosure timeline agreed with the reporter
Public credit, with the reporter's consent, in our security advisories
We do not pursue legal action against researchers acting in good faith under these terms.
11. Compliance & certifications
Active programs:
SOC 2 Type II — audit in progress, target completion [PLACEHOLDER: Q4 2026]
ISO 27001 — certification in progress, target completion [PLACEHOLDER: H1 2027]
NFPA 1221 — controls pre-mapped; auditor view available on customer request
FCC Part 17, Part 90 — evidence-generation pre-mapped
HIPAA — BAA available on eligible tiers; PHI-aware data plane
FedRAMP Moderate — in process, GovCloud isolation available
GDPR / UK GDPR — Art. 44 transfer safeguards, region pinning, EU representative arrangements in place
Current attestation packs and audit reports are available under NDA on request.