Integrity and ethics are the building blocks for OnShift’s approach to information security, and the core of who we are as your software partner.
OnShift is committed to meeting the information security requirements of our customers while maintaining the safety of individuals and protecting their rights to privacy. We are dedicated to staying ahead of cyber security threats and embedding security best practices throughout our software solutions so you can focus on your staff, residents, and communities.
Information security isn’t just a concept for us – it’s an essential part of OnShift’s leadership and culture. Every department at OnShift makes information security a top priority, and dedicates resources to maintaining and improving the security posture of our software.
Everyone who works at OnShift, from intern to executive, receives mandatory information security and data protection training when hired and participates in our ongoing Security Education Training and Awareness program. We require confidentiality and nondisclosure agreements from all those who work for OnShift, both during and after employment.
SecurityScorecard gave OnShift perfect scores in endpoint security and application security. See the full report here.
Through policies, audits, and our company code of conduct, OnShift enforces software security and customer data protection.
We take a risk-based approach to information security aligned with ISO 27001, NIST SP 800-37 and NIST CSF. These standards include widely adopted industry best practices for enterprise risk management and digital information security.
OnShift is SOC1 and SOC2 compliant. These auditing procedures provide third-party validation of OnShift’s information security and data management practices. We are audited annually to maintain this compliance, and track regional security requirements to continually improve our information security posture. The OnShift platform is penetration tested by a specialist third-party firm at least once a year. Additionally, OnShift’s Security Team performs penetration tests against all products monthly to ensure potential vulnerabilities are mitigated promptly.
The Principle of Least Privilege (POLP) is part of our policy and culture. Access to data is granted on a need-to-know or need-to-use basis only, and access is revoked when it is no longer required. We conduct user access audits and review administrative logs regularly. All OnShift employees are required to follow a password standard policy and use multi-factor authentication to access company data.
OnShift mandates and enforces the separation of development, testing, and production environments to improve code quality and reduce errors. All development activity follows OnShift's secure software delivery lifecycle. Multiple security gates and security testing against industry standards (such as OWASP) are part of the software deployment process. OnShift uses minimal outsourced development work. We apply additional controls to manage risks of code produced by third parties.
Incident management is ingrained in our company culture through regular communication and corporate policy. We have dedicated roles and documented procedures for responding to incidents as and when they occur.
OnShift hosts its SaaS platforms in highly protected AWS and Azure data centers. We monitor and restrict office access, and employ controls to protect assets that are off-premises.