Security & Privacy at OnShift

Integrity and ethics are the building blocks for OnShift’s approach to information security, and the core of who we are as your software partner.

Our Commitment

OnShift is committed to meeting the information security requirements of our customers while maintaining the safety of individuals and protecting their rights to privacy. We are dedicated to staying ahead of cyber security threats and embedding security best practices throughout our software solutions so you can focus on your staff, residents, and communities.

Organizational Security

Information security isn’t just a concept for us – it’s an essential part of OnShift’s leadership and culture. Every department at OnShift makes information security a top priority, and dedicates resources to maintaining and improving the security posture of our software.

Everyone who works at OnShift, from intern to executive, receives mandatory information security and data protection training when hired and participate in our ongoing Security Education Training and Awareness program. We require confidentiality and nondisclosure agreements from all those who work for OnShift, both during and after employment.

Grade A Cybersecurity

SecurityScorecard gave OnShift perfect scores in endpoint security and application security. See the full report here.

Our Policies

Through policies, audits, and our company code of conduct, OnShift enforces software security and customer data protection.

Governance

We take a risk-based approach to information security aligned with ISO 27001, NIST SP 800-37 and NIST CSF. These standards include widely-adopted industry best practices for enterprise risk management and digital information security.

Compliance

OnShift is SOC1 and SOC2 compliant. These auditing procedures provide third-party validation of OnShift’s information security and data management practices. We are audited annually to maintain this compliance, and track regional security requirements to continually improve our information security posture. The OnShift platform is penetration tested by a specialist third-party firm at least once a year. Additionally, OnShift’s Security Team performs penetration tests against all products monthly to ensure potential vulnerabilities are mitigated promptly.

Access Management

The Principle of Least Privilege (POLP) is part of our policy and culture. Access to data is granted on a need-to-know or need-to-use basis only, and access is revoked when it is no longer required. We conduct user access audits and review administrative logs regularly. All OnShift employees are required to follow a password standard policy and use multi-factor authentication to access company data.

Development

OnShift mandates and enforces the separation of development, testing, and production environments to improve code quality and reduce errors. All development activity follows OnShift's secure software delivery lifecycle. Multiple security gates and security testing against industry standards (such as OWASP) are part of the software deployment process. OnShift uses minimal outsourced development work. We apply additional controls to manage risks of code produced by third parties.

Incident Management

Incident management is ingrained in our company culture through regular communication and corporate policy. We have dedicated roles and documented procedures for responding to incidents as and when they occur.

Physical Security

OnShift utilizes AWS and Azure highly-protected data centers for hosting our SaaS platforms. We monitor and restrict office access, and employ controls to protect assets that are off-premises.

"Everyone at OnShift understands how security fits into their day-to-day responsibilities. Governance is baked into everything we do, from employee access to software updates, so our customers can enjoy our platform with confidence that their data is safe and secure."

John Regal

OnShift CIO