Security Policy

Last updated: 2024-03-19

The privacy of our customers and the security of any data you create using our tools are of utmost priority to us. From our operations procedures to our engineering processes and tools to the way we share information with employees and external services, we constantly monitor and improve everything we do from a security standpoint.

This document highlights the different layers of protection we work on as part of OmnibusX's architecture to ensure your data stays yours.

Password security

Passwords are stored in the database only as one-way hashes computed with the ‘bcrypt’ algorithm, which is the state-of-the-art protection against brute-force attacks and rainbow-table attacks. Login credentials are, like all communication with our systems, always sent over encrypted connections. No passwords are ever logged on our systems. To learn more about the privacy policy of our partners, please see: https://www.okta.com/privacy-policy/.

Credit card security

Your full credit card information is never seen by, nor stored on, OmnibusX's systems at any time. Only our billing & invoicing service, as well as the selected payment processing gateway, PayPal, will ever be able to see and store your cardholder data to make recurring transactions. To protect our customers' data, we only work with partners that have been audited by a PCI-certified auditor and are certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry. To learn more about the PCI compliance of our partners, please see: https://www.paypal.com/us/security.

Data storage

Depending on how you are using OmnibusX, there are multiple options for where you can store your data:

Standalone version

This version of the application is designed for use by individual users on their desktop or laptop computers. If you are using this standalone version for Windows, Mac, or Linux, newly created datasets are stored locally on your machine only. When using the desktop application and working with OmnibusX files (.obx), your data will never be transmitted to OmnibusX's cloud systems under any circumstances.

Third-party cloud storage integrations

As an alternative to storing datasets locally, the OmnibusX desktop application allows you to connect to third-party cloud storage providers like Box, Dropbox, Google Drive, and Microsoft OneDrive. When using any of these storage providers in conjunction with the OmnibusX desktop application, all the data related to the datasets you create is stored on the third party's system.

Private server version

This version of the application is designed for use by institutions or companies who want to host the application on their own private servers. In this case, all data is stored on the servers of the institution or company using the application. The institution or company is responsible for the security of the data stored on their servers. OmnibusX provides support for the installation and maintenance of the application on these servers, but does not have access to the data stored on them.

Community version

This version of the application is hosted on OmnibusX's cloud server and is available for data sharing between users who sign up for an account in our community. In this case, all data is stored on OmnibusX's cloud servers. The data is encrypted and stored in a secure manner. OmnibusX has implemented a number of security measures to protect the data stored on its servers. These measures are described in the following sections.

Physical and environmental security

All your data is stored in highly secure data centers in Singapore, run by Amazon Web Services (AWS). Data center access is limited to a few selected technicians and not even possible for OmnibusX staff. AWS' data centers are equipped with state-of-the-art fire suppression, power and climate controls.

The physical data center security is audited by EY (see AWS SOC3 Report). Furthermore, AWS is, among others, certified for and/or compliant with the following certifications, programs and attestations: CJIS, DoD SRG Levels 2 and 4, ISO 9001, ISO 27001, ISO 27018.

For more information regarding the security measures Amazon takes, please consult the AWS security center at https://aws.amazon.com/security/

Network security

OmnibusX's architecture is based on AWS' world-class network infrastructure that is carefully monitored and managed. Among others, the AWS network implements the following security features:

  • Segregated and monitored network infrastructure that prevents unauthorized access from penetrated systems.
  • Firewalls for security monitoring on all external boundaries and major internal boundaries within the network.
  • FIPS 140-2 compliant secure access points.
  • State-of-the-art man-in-the-middle detection systems.

A certified DDoS mitigation system is used to ensure that your data stays accessible to you under all circumstances.

All core components are deployed in a load-balancing failover configuration. In case of failure, automated processes move your data away from the affected systems.

The network security-level certificates applicable here are: Cyber Essentials ‘Plus’ badge, FIPS 140-2, ISO 9001+27001+27018, MTCS Tier 3.

System security

OmnibusX's systems utilize highly customized versions of the Xen and KVM hypervisors, enabling paravirtualization for Linux hosts. Paravirtualization enables strict instance isolation and provides a higher security separation between instances on the same hardware. A firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface, providing maximum protection against attacks from inside the network.

As hypervisor guest systems, patched and hardened versions of the Linux operating system are used for the application, web, and database servers. Administrative access to these systems is only possible using public key authentication. All outside communication of these systems, as well as internal communication between those systems, is encrypted using transport-level security at all times.

Application security

At OmnibusX, we regularly evaluate our application against the most critical web application security risks, a list that is published and kept up to date by the Open Web Application Security Project (OWASP) Foundation. The current list of measures contains protection against: Code/SQL Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities (XXE) attacks, Broken Access Control, Security Misconfiguration, Cross-Site Scripting (XSS), Insecure Deserialization, Using Components with Known Vulnerabilities, Insufficient Logging & Monitoring.

Dataset visibility and access control

Being a SaaS product, OmnibusX's cloud environment is a multi-tenant solution with all customers sharing the same application, web, database, and storage server instances on the same physical infrastructure.

Access to all user data is safeguarded by the use of an access control list (ACL) implementation as part of the application server layer. Like the rest of the product, this software component is part of the regular evaluation against the OWASP security risks and is continuously tested for regressions using unit tests, integration tests, and end-to-end tests.

By default, all datasets and folders created by our paying users are visible to their owner alone. Granting other users the right to view, modify, delete, or even discover a dataset (knowing a dataset exists at a specific URL) is only possible by the original owner of that document or folder.

Data security and backups

OmnibusX makes use of the following Relational Database Service (RDS) features to ensure data security at all costs: Multi-AZ hosting is used for the application, web, and database layers to protect against complete data center outages. OmnibusX database instances are automatically software patched by RDS and isolated from other database instances in the same way as described above.

Automatic database snapshots are taken and stored securely in AWS' block storage system for a maximum of seven days to allow for rolling back in case of software or configuration errors. Access to these backups is restricted to OmnibusX management only.

A comprehensive audit log (login/access/update events) is stored externally from our services for 90 days to provide detailed access information for data theft or sabotage investigations.

Communication security

All data exchanged with OmnibusX is transmitted over TLS using only state-of-the-art, secure encryption ciphers. This is also true for the communication between different machines inside our network. OmnibusX makes use of HTTP Strict Transport Security to protect against protocol downgrade and cookie hijacking attacks. Our software takes active measures against known web application vulnerabilities, like cross-site scripting and cross-site request forgery.

Employee access

No OmnibusX employee will ever access your data unless required for support reasons. All employees are bound by strict confidentiality agreements and are only granted access to customer data on a need-to-know basis. Support staff does not have the ability to sign into your account, edit your documents, or even view your documents if they are marked as private.

Contact us

Do you have questions or comments about OmnibusX security? Please get in touch with your representative or reach out to us at support@omnibusx.com.