Security
Your data is safe with us
Security is foundational to everything we build. Here is how we protect your data, our infrastructure, and your trust.
SOC 2 Type II
GDPR
TLS 1.3
Need our SOC 2 report or DPA?
Contact our security team
Encryption everywhere
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. API keys are hashed and stored securely. Database backups are encrypted with separate keys managed through a key management service.
Infrastructure security
Our infrastructure runs on SOC 2 certified cloud providers with multi-region redundancy. We use network segmentation, web application firewalls, and intrusion detection systems. All infrastructure changes go through code review and automated security scanning.
SOC 2 Type II certified
OnChange has completed SOC 2 Type II certification, which verifies our security controls are designed and operating effectively over time. Our audit report is available to customers and prospects under NDA.
GDPR compliance
We comply with the General Data Protection Regulation. Data processing agreements are available for all customers. We support data export and deletion requests. Our EU customers' data can be processed in EU regions upon request.
Access control
We enforce the principle of least privilege across our organization. Employee access to production systems requires multi-factor authentication and is logged. Access reviews are conducted quarterly, and access is revoked upon role change or departure.
Monitoring and incident response
We monitor our own systems 24/7 for security anomalies. Our incident response plan includes defined escalation procedures, communication templates, and post-incident reviews. Security incidents are disclosed promptly and transparently.
Secure development
All code changes go through peer review and automated security testing. We run static analysis, dependency vulnerability scanning, and penetration testing on a regular cadence. Our CI/CD pipeline enforces security gates before deployment.
Responsible disclosure
If you discover a security vulnerability in OnChange, we appreciate responsible disclosure. Please email contact@sairo.app with details. We will acknowledge receipt within 24 hours and work with you to understand and resolve the issue. We do not pursue legal action against security researchers acting in good faith.