Security
Your data is safe with us
Security is foundational to everything we build. Here is how we protect your data, our infrastructure, and your trust.
SOC 2 (in progress)
GDPR
TLS 1.3
Need our security documentation or DPA?
Contact our security team
Encryption everywhere
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. API keys are stored only as hashes, never in plaintext. Database backups are encrypted with separate keys managed through a key management service.
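The "API keys are hashed" practice above is worth making concrete. The following is an added example, not OnChange's own code: it issues an API key, stores only a SHA-256 digest of its secret part in a hypothetical in-memory store keyed by a short key ID, and verifies presented keys with a constant-time comparison. The key format (`oc_<key_id>_<secret>`), the store, and the function names are assumptions for illustration. Because the secret is a high-entropy random value rather than a human-chosen password, a fast hash is appropriate here; a slow password hash (bcrypt, Argon2) is unnecessary.

```python
import hashlib
import hmac
import secrets

# Hypothetical store: key_id -> hex SHA-256 digest of the secret part.
# The plaintext secret is never written here.
KEY_STORE: dict[str, str] = {}

# Digest compared against when the key_id is unknown, so lookup failures
# take roughly the same time as a digest mismatch.
_DUMMY_DIGEST = hashlib.sha256(b"dummy").hexdigest()


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def generate_api_key(prefix: str = "oc") -> str:
    """Issue a new key and return its plaintext (shown to the user once).

    Format (assumed): <prefix>_<key_id>_<secret>. key_id is hex and the
    prefix has no underscore, so the secret may safely contain '_' or '-'.
    """
    key_id = secrets.token_hex(8)          # 16 hex chars, public identifier
    secret = secrets.token_urlsafe(32)     # 256 bits of entropy
    KEY_STORE[key_id] = _digest(secret)    # only the hash is persisted
    return f"{prefix}_{key_id}_{secret}"


def verify_api_key(plaintext: str) -> bool:
    """Return True only if the key's secret hashes to the stored digest."""
    parts = plaintext.split("_", 2)        # maxsplit=2 keeps '_' in secret
    if len(parts) != 3:
        return False
    _prefix, key_id, secret = parts
    stored = KEY_STORE.get(key_id)
    presented = _digest(secret)
    if stored is None:
        # Burn the comparison anyway so timing does not reveal which
        # key_ids exist.
        hmac.compare_digest(presented, _DUMMY_DIGEST)
        return False
    return hmac.compare_digest(presented, stored)


def revoke_api_key(plaintext_or_key_id: str) -> bool:
    """Delete a key by its key_id (or by its full plaintext). True if removed."""
    parts = plaintext_or_key_id.split("_", 2)
    key_id = parts[1] if len(parts) == 3 else plaintext_or_key_id
    return KEY_STORE.pop(key_id, None) is not None


if __name__ == "__main__":
    key = generate_api_key()
    print("issued:", key)
    print("valid:", verify_api_key(key))
    print("tampered:", verify_api_key(key[:-1] + ("A" if key[-1] != "A" else "B")))
    print("store holds plaintext?", key in KEY_STORE.values())
```

A compromise of the store then yields only digests; an attacker cannot recover usable keys from them, and the key ID lets the service locate the right record without indexing on secret material.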
Infrastructure security
Our infrastructure runs on cloud providers that hold SOC 2 and ISO 27001 attestations, with multi-region redundancy. We use network segmentation, web application firewalls, and intrusion detection systems. All infrastructure changes go through code review and automated security scanning.
SOC 2 (in progress)
OnChange is actively working toward a SOC 2 Type II attestation. Once the audit window closes, we'll make the report available to customers under NDA. In the meantime, our security controls follow the SOC 2 control framework; we're happy to walk prospective Enterprise customers through them.
GDPR compliance
We comply with the General Data Protection Regulation. Data processing agreements are available for all customers. We support data export and deletion requests. Our EU customers' data can be processed in EU regions upon request.
Access control
We enforce the principle of least privilege across our organization. Employee access to production systems requires multi-factor authentication and is logged. Access reviews are conducted quarterly, and access is revoked upon role change or departure.
Monitoring and incident response
We monitor our systems 24/7 for security anomalies. Our incident response plan includes defined escalation procedures, communication templates, and post-incident reviews. Security incidents that affect customers are disclosed promptly and transparently.
Secure development
All code changes go through peer review and automated security testing. We run static analysis, dependency vulnerability scanning, and penetration testing on a regular cadence. Our CI/CD pipeline enforces security gates before deployment.
Responsible disclosure
If you discover a security vulnerability in OnChange, we appreciate responsible disclosure. Please email contact@onchange.app with details. We will acknowledge receipt within 24 hours and work with you to understand and resolve the issue. We do not pursue legal action against security researchers acting in good faith.