Last revised on January 16, 2022
This document is subject to updates. It provides an introduction to Octy’s security policy. We consistently monitor and manage the security of our Services and implement best practices in our security policies.
Customer Data
Octy provides several security capabilities and services to increase privacy. No one will be able to access your account resources as long as you take care of your Octy-generated API Keys. Octy only requires anonymised customer data with a customer identifier for your system's reference to function as expected.
- Data in Transit: Octy uses SSL/TLS to securely transfer data. SSL certificates are updated. You have to enable TLS/SSL to and from your application to ensure secure transit between Octy and your application.
- Customer Security Best Practices: This section describes what you can do to protect your account in the best way possible.
- API Keys: Octy generates and provides you with API Keys (Public & Secret key) that grant access to all account resources and actions. You are responsible for maintaining the security of said API Keys. Only share them with authorised personnel.
- Unauthorized access attempts: We want to keep you in the loop on important actions on your Octy account. In the event of 20 or more consecutive failed authentication attempts against your Public Key, you will be notified via email to the primary email set in your account configurations. If this action was not carried out by an authorized person within your company, you must report this to us with urgency, allowing us to regenerate and send updated API Keys.
- Encryption of data: Octy supports TLS (SSL) to encrypt your data in transit. You should take measures to protect sensitive data transmitted to and from applications. TLS will only secure data during transport.
System
- Coding & Development Standards: We employ high development standards and code testing practices that protect against attack attempts. We have a rigorous development process to ensure best security practices following industry standards.
- Application Level Security: Each system component undergoes tests and code reviews to assess any potential security issues before we deploy code into production. Octy reviews the security of third-party applications before adding them to Octy services.
- System Access: Server and system access are limited to authorized people. Access requires short-lived signed SSH keys and two-factor authentication. Authentication credentials are never shared and are stored securely.
- Device Security: All devices (computers, laptops, mobile phones, etc.) use encrypted storage, secure passwords, and auto-locking mechanisms. All end-point devices are kept updated with the latest stable OS update and application updates. Where applicable, anti-malware and anti-virus applications are installed.
Data Centers
Our physical infrastructure is currently hosted and managed in two different data centres: AWS & Digital Ocean.
Octy relies on the flexible and secure cloud infrastructure that AWS and Digital Ocean offer to store data within the EU. Both data centres ensure the utmost data security and protection. They ensure all data is stored in highly secure locations. The data centres that Octy utilises are secured and monitored 24/7. Physical access to data centre facilities is limited to select people. The data centres and staff continually manage risk and undergo recurring assessments to ensure compliance with industry standards. How each specific data centre handles temperature control, data centre management, and other disasters can be found via one of the relevant links below.
- AWS Cloud Security: https://aws.amazon.com/security/
- Digital Ocean Security: https://www.digitalocean.com/legal/
You can see a full list of our data sub-processors here
People Operations
- Recruiting: All employees undergo pre-employment background checks and must agree to company policies before starting their employment (including confidentiality and security policies).