Security & compliance
We tell you what's done and what's pending.
Every claim on this page maps to an artefact in our compliance binder. Where we don't yet have an external attestation, we say so.
Where your data lives
- Frankfurt, Germany. All customer data in AWS eu-central-1. No US fallback, no cross-region replication outside the EU.
- Encryption. TLS 1.2+ in transit (TLS 1.3 negotiated where available). AES-256 at rest on RDS via AWS KMS. Customer-managed key (BYO-KMS) is available on the Enterprise tier.
- Database-per-tenant. Every customer gets a physically isolated PostgreSQL database via stancl/tenancy. Cross-tenant data leaks aren't a category of bug we can introduce by accident — they require dropping the wrong DB.
- Backups. Encrypted RDS snapshots daily, retained 14 days on Business and 30 days on Enterprise. Frankfurt-resident; not copied cross-region.
Identity & access
- SSO. Google Workspace, Microsoft Entra ID, and generic SAML 2.0 — per tenant, with allowed-domain enforcement and external-collaborator bypass for named exceptions.
- MFA. TOTP + WebAuthn passkeys. Org-level policy enforces MFA for admins or for everyone. When the IdP's SAML assertion carries no MFA claim, SAML SSO falls back to a TOTP step, for alignment with NIS2 Article 21(2)(j).
- SCIM 2.0. Joiner / mover / leaver provisioning from Okta and Entra. Group → role mapping with audit-logged automatic grant + revoke.
- Admin IP allowlist. Per-tenant CIDR list on /admin/*. Per-API-token CIDR for machine integrations.
Compliance posture (honest)
What's shipped vs. what's pending. Updated as the audit clocks advance — no "in progress" theatre.
| Standard | Status | Evidence available |
|---|---|---|
| GDPR | Implemented | DPA · RoPA · DSAR pipeline · Sub-processor list · Right-to-erasure |
| NIS2 Article 21 + 23 | Evidence pack live | Coverage taxonomy doc · Quarterly regulatory update brief |
| SOC 2 Type II | Clock not yet started | Controls in place; observation window targeted H2 2026 |
| ISO 27001 | Targeted H2 2026 | Policy set + control mapping ready for auditor |
| DORA / AI Act | Evidence packs (Enterprise tier) | Article-scope documents — see contract for inclusions |
NIS2 — what we actually cover
Our NIS2 evidence pack maps your asset and identity state to Article 21 sub-controls (a–j) and the Article 23 24-hour incident-notification workflow. Every sub-control is labelled with its evidence class:
- `itam_native_evidence` — ITAM data is the primary evidence (e.g. asset inventory, MFA enrolment rate).
- `itam_hygiene_floor` — ITAM provides the baseline; you need policy work on top.
- `itam_proxy` — adjacent evidence (e.g. supplier records); a real GRC system gives stronger coverage.
- `outside_itam_scope` — we don't help. Use Vanta / Drata / AuditBoard.
The PDF is auditor-ready. Compliance is still your responsibility as data controller — we give you the evidence, not the legal attestation.
GDPR
We are a data processor for tenant data and a data controller for our own marketing + sales pipeline. The split is documented in our DPA.
- Article 5, 6, 12–22, 25, 32, 33, 34 implemented (lawfulness, transparency, data subject rights, privacy by design + by default, security of processing, breach notification).
- DPA available on day one — request from privacy@ontrackio.com.
- DSAR pipeline — public form at app.ontrackio.com/privacy/dsar. Statutory 30-day response window per Article 12(3).
- Right to erasure (Article 17) implemented with pseudonymisation on erasure rather than hard delete, preserving audit trails per the EDPB Guidelines 04/2025.
- Article 30 RoPA maintained internally; customer-facing extract available on request.
Sub-processors
We disclose every party with access to customer data, per GDPR Article 28(2). Material changes get 30 days' notice before they take effect.
| Vendor | Purpose | Region | DPA |
|---|---|---|---|
| Amazon Web Services (AWS) | Compute, database, object storage, KMS | eu-central-1 (Frankfurt) | View → |
| Cloudflare | CDN, DNS, analytics for the marketing site | Global edge; EU-resident analytics | View → |
| Cal.com | Demo call scheduling | EU instance | View → |
| Resend | Transactional email delivery | EU region | View → |
| Stripe | Billing + tax calculation | Ireland (EU) | View → |
Vulnerability disclosure
Email security@ontrackio.com. We acknowledge within 1 business day. 90-day coordinated disclosure window, extendable on request. Hall-of-fame credit on request.
Privacy & DSAR
Email privacy@ontrackio.com. For DSAR self-service, use app.ontrackio.com/privacy/dsar.
Want our latest evidence pack?
We'll send the current Article 21 PDF, sub-processor list, and DPA template after a 30-min call.