Privacy & Security Policy
Architecture, Development, and Operations
OnRule – Become Compliant and Stay Compliant, incorporates best practices in SaaS security.
1) Cloud-Hosted / SaaS
The application is designed to be used as a hosted solution. While it is accessible to all users from everywhere on the internet, it leverages all available security features of cloud providers and incorporates industry best practices for SaaS applications.
- Utilized Amazon Web Services (AWS) for application, database and storage hosting
- Industry-leading physical infrastructure security
- Dedicated infrastructure (not shared)
- Services built on Red Hat Enterprise Linux
2) Multi-Tenant Architecture
The system is architected and developed to support multi-tenancy. While this provides benefits of uniformity and scalable architecture, the design protects each customer by partitioning each customer and its users to ensure data security.
- Architected and developed for multi-tenancy
- Tiered architecture can scale up as needed
- Role-based access per customer per user – only your users see your data
- Data isolation – stored data is partitioned and isolated at all levels
3) Identity & Access Management
With Role- Based Access Control (RBAC), each user has unique security credentials, ensuring traceability of user access in line with security best practices of role separation and least privilege.
- Role-based access provisioning
- Customer administrator defines roles
- Users can be assigned to one or more roles
- Roles control access to data/features
- Audit trail of last and failed logins
4) Application Development
Application development and product release follow a strict process-driven methodology to ensure consistent and secure product development and release:
- Design and Development
- Design specs are created for features – specs are reviewed by a larger team for functionality, security and integrity
- Code reviews are performed with focus on security, scalability, integrity, and multi-tenancy.
- Automated and manual testing is done prior to each release.
- Security, penetration, and performance testing are conducted on a regular basis and prior to each release.
- Bugs are filed and tracked in a Bug Tracking system. Bug priority and severity level are assigned based on common definitions.
- Customer-found bugs have specific SLAs associated with their resolution time.
- Product testing is performed in staging environments which mirrors production environment while using test data
- Regular monthly feature releases
- Maintenance releases as needed, if not part of regular release
5) Data & Network Security
The system is protected and tested for application and network vulnerabilities to ensure the protection of customer data.
- All services are protected by AWS security and by system-specific access protection.
- Administrative access to OnRule systems is limited to the OnRule team responsible for network administration and may be accessed from a limited and controlled environment.
- Customer accesses the services is over HTTPS.
- Security-related patches are applied after successful test in staging, normally during scheduled maintenance windows. Emergency patches may be applied outside of maintenance windows if needed.
6) Disaster Recovery
The requirements to mitigate the data loss are categorized at 3 Levels – Operating System, Application, and Customer Level – and must be implemented based on the SLAs being enforced and technology feasibility.
- Regular operating system level snapshots for DR.
- Regular and automatic application level and database backup.
- Customer level data back to facilitate customers’ offsite backup strategies.
- Period audit of DR systems.