Our Commitment to Data Security and Information Privacy

In an era where data security and privacy are paramount, our company reaffirms its unwavering commitment to safeguarding the information entrusted to us. As a leading provider of tools to data practitioners, we recognize the critical importance of robust data security measures and the ethical management of personal information.

Compliance with International Data Security Regulations:

Our approach to data security is comprehensive, adhering to key regulations across major jurisdictions:

  • United States: Fair Credit Reporting Act (FCRA), Family Educational Rights and Privacy Act (FERPA), Children's Online Privacy Protection Act (COPPA), and state-specific laws such as the California Consumer Privacy Act (CCPA), the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, Massachusetts 201 CMR 17.00, and all data breach notification laws. We also adhere to frameworks such as the NIST Cybersecurity Framework.
  • European Union: We comply with the General Data Protection Regulation (GDPR), ensuring rigorous data protection for all individuals within the European Union. This includes stringent consent protocols, data subject rights, and secure data processing standards.
  • Australia: We adhere to the Australian Privacy Principles (APPs) under the Privacy Act 1988, which governs how we handle, use, and manage personal information, ensuring transparency and accountability in our operations.

Our Data Security Best Practices:

To maintain the highest levels of data security, we implement a range of best practices:

  • Encryption and Data Masking: We utilize advanced encryption techniques and data masking to protect data at rest and in transit, ensuring unauthorized parties cannot access sensitive information.
  • Regular Security Audits: Our systems undergo regular security audits and vulnerability assessments to identify and mitigate potential risks proactively.
  • Employee Training: All staff members receive ongoing training on data security protocols and privacy regulations to ensure they are well-equipped to handle data responsibly.
  • Incident Response Plan: We have a robust incident response plan to swiftly address and rectify any data breaches or security incidents, minimizing potential impacts.
  • Vendor Risk Management: We rigorously assess third-party vendors to ensure they meet our stringent data security standards.

Our Commitment to Our Customers:

As a provider to data practitioners, we not only adhere to these standards but also champion them in our products and services. Our commitment to data security and privacy is not just a regulatory obligation; it is a fundamental aspect of our corporate ethos. We understand the immense responsibility that comes with handling and analyzing data, and we are dedicated to upholding the highest standards of data security and privacy for our customers. We will continue to lead the industry in responsible and secure data management.

Key Security Offerings

  • SOC 2 Type II certified
  • Industry Leading Role Based Security Configuration
  • Data Encryption at Rest and In Transit
  • Support for SAML based SSO
  • Single Tenant Customer Database Architecture

Availability and Continuity

  • Hosted by Amazon Web Services, currently operating out of the US, Ireland and Sydney regions, with the option to add others based on customer demand.
  • Physical data center security provided by AWS
  • Data backed up daily
  • External Penetration Testing
GDPR

PII and GDPR

  • Data Protection Officer - Phil Schrader (privacy@onemodel.co)
  • Adheres to Data Processor Requirements of GDPR
  • All One Model Employees participate in Annual Information Security Training
  • One Model will never process data in a fashion not requested or configured by the Customer


One Model contains Privacy by Design

  • Only the data provided/permitted by the customer is transferred to OM
  • Application level Role Based Security provides manageable access to data
  • OM staff only have access to data where required to support the customer
  • All data encrypted in transit and at rest


Consent

  • OM does not collect data directly from the employee; it consumes/processes data from HR systems.
  • Consent is handled by the Customer
  • OM will never process data in a fashion not requested or configured by the Customer


Right to Access

  • Multiple options exist for providing access:
       ○ Give the employee a user to access OM where their role is linked to their own data point.
       ○ Dashboards/Reports aimed at providing individual information can be created for distribution on request to the employee.


Data Portability

  • Not directly applicable to the OM application, but we can facilitate the export/transfer of data for an employee using the options described under Right to Access.


Right to be forgotten

  • Primarily handled through the source system. OM is synchronized with the source so removal from the source system will remove from OM on the next synchronization.
  • If a data source is being held statically, these persons can be removed via the data models so they are no longer processed, or removed from the data store via an SQL query. OM will facilitate this process where the customer does not have the resources to complete it.

Please report any complaints or unethical behavior to privacy@onemodel.co