Is Ox SOC 2 certified?
Ox has security controls in place to receive a SOC 2 Type II certificate. We anticipate that a formal third-party review will be completed in 2023. Compliance is monitored through Vanta.
How does Ox classify its data?
To help Ox and its employees easily understand requirements associated with different kinds of information, the company has created three classes of data.
Highly sensitive data requiring the highest levels of protection; access is restricted to specific employees or departments, and these records can only be passed to others with approval from the data owner or a company executive. Examples include:
- Customer Data
- Personally identifiable information (PII)
- Company financial and banking data
- Salary, compensation and payroll information
- Strategic plans
- Incident reports
- Risk assessment reports
- Technical vulnerability reports
- Authentication credentials
- Secrets and private keys
- Source code
- Litigation data
Ox proprietary information requiring thorough protection; access is restricted to employees with a "need-to-know" based on business requirements. This data can only be distributed outside the company with approval. This is the default for all company information unless stated otherwise. Examples include:
- Internal policies
- Legal documents
- Meeting minutes and internal presentations
- Contracts
- Internal reports
- Slack messages
- Email
Documents intended for public consumption which can be freely distributed outside Ox. Examples include:
- Marketing materials
- Product descriptions
- Release notes
- External facing policies
How can I access my data?
Please submit a request through email@example.com.
Does Ox assess the security and privacy practices of all third-party companies with access to customer data?
Ox is committed to keeping our customers' data safe and secure, and we want to make sure that our partners and vendors do, too. We request and review SOC 2 Type II reports from vendors which store or access customer data.
How do you handle data, application, and infrastructure security?
Ox encrypts all data in transit and at rest. Access to production data must be approved by management and is reviewed regularly.
Annual penetration testing and remediation practices are conducted to identify and remove vulnerabilities.
Vulnerability scans are performed continuously and findings are patched in accordance with their severity levels. Network and system hardening standards are maintained and implemented. Intrusion detection systems are utilized.
For more questions, please contact firstname.lastname@example.org.