Security built for compliance, not bolted on
OnComply handles sensitive vendor data — ACH details, tax IDs, insurance information, signed contracts. The security architecture reflects that.
Your data is encrypted at every layer
Sensitive vendor data is encrypted in transit, at rest, and at the individual field level — so even within our own systems, your most sensitive information is never stored in plain text.
Field-level encryption for sensitive data
Sensitive fields like bank account details, tax IDs, and SSNs are each encrypted individually using industry-standard encryption, the same standard used by banks and government agencies. Even if someone gained access to the database, these fields remain unreadable.
Dedicated encryption keys per tenant
Sensitive data is protected with tenant-scoped envelope encryption backed by AWS KMS. Encryption context and record-bound metadata prevent encrypted values from being decrypted or replayed outside their intended tenant and record scope.
Record-bound encryption
Every encrypted field is cryptographically bound to its specific record. If an encrypted value were moved or copied to a different record, decryption would fail automatically. This is designed to prevent data from being swapped or manipulated.
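The tenant- and record-binding described above can be demonstrated with AES-GCM associated data. This is an added illustration, not OnComply's code; it assumes a per-tenant data key handed in by the caller (standing in for a key unwrapped from KMS under a tenant-scoped encryption context) and constructed tenant, record and field identifiers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// FieldCipher seals individual fields under one tenant's data key (here a plain key
// passed in; in production it would be a DEK unwrapped from a KMS with a tenant-scoped
// encryption context) using AES-GCM with record-binding associated data.
type FieldCipher struct{ aead cipher.AEAD }

func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// binding is the associated data that ties a ciphertext to one tenant, record and field
// (NUL-separated so identifiers cannot run together); GCM authenticates it but it is never stored.
func binding(tenant, record, field string) []byte {
	return []byte("tenant=" + tenant + "\x00record=" + record + "\x00field=" + field)
}

// Seal returns nonce || ciphertext || tag for one field value.
func (c *FieldCipher) Seal(tenant, record, field string, plaintext []byte) []byte {
	nonce := make([]byte, c.aead.NonceSize()) // fresh random nonce per value
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // crypto/rand failure is not recoverable here
	}
	return c.aead.Seal(nonce, nonce, plaintext, binding(tenant, record, field))
}

// Open fails unless tenant, record and field match what the value was sealed with,
// so a ciphertext copied into another record or tenant cannot be decrypted there.
func (c *FieldCipher) Open(tenant, record, field string, sealed []byte) ([]byte, error) {
	if len(sealed) < c.aead.NonceSize() {
		return nil, errors.New("sealed value too short")
	}
	nonce, ct := sealed[:c.aead.NonceSize()], sealed[c.aead.NonceSize():]
	return c.aead.Open(nil, nonce, ct, binding(tenant, record, field))
}
```

Random 96-bit GCM nonces are safe for a few billion values under one key, so the data key must be rotated well before that.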
Encryption in transit
All connections use TLS 1.2 or higher. Plain HTTP connections are rejected entirely. Internal service-to-service communication is also encrypted.
Encrypted document storage
All uploaded documents are encrypted at rest using managed encryption keys. Files are validated for type and integrity before being stored.
Your data is isolated at the database level
Tenant isolation isn't just application logic — it's enforced by the database itself, adding a strong additional layer of protection against cross-tenant data exposure.
Database-enforced tenant isolation
Every database query is automatically scoped to your organization using database-enforced row-level security policies. The database engine enforces data isolation at the query level, adding protection beyond application-level access controls.
Granular role-based access
Five distinct admin roles let you control exactly who can do what: Owner, Admin, Ops, Finance, and Auditor. Each role has carefully scoped permissions — for example, only Finance roles can access payment details, and Auditors get read-only access across the board.
Step-up authentication for sensitive actions
High-risk operations — like viewing full bank account details or downloading exports — require an additional verification step, even if you're already logged in. This protects against unauthorized access from shared or unattended workstations.
Scoped API keys
API keys are limited to specific permissions when created. A key built for single-vendor lookups can't be used to run bulk queries. Keys are securely hashed before storage.
Controlled support access
Our support team cannot access your data without explicit approval. Every support session is time-limited, and all actions taken during the session are recorded in the audit log.
Multiple layers of identity verification
Admin users, vendor portal users, and API integrations each have their own authentication method — designed for how they're actually used.
Managed identity provider
Admin authentication is handled by a dedicated managed identity service. Your credentials are never stored in our application database. Every request is cryptographically verified.
Multi-factor authentication
MFA is required by default for Owner and Finance roles, and can be enforced for any admin user. Verification codes are time-limited and attempt-limited to prevent brute-force attacks.
Session security
Sessions are short-lived and tied to your current credentials. If you change your password, all existing sessions are immediately invalidated across every device.
Vendor portal security
Vendor portal access uses tokens that are validated against the database on every request — checking status, expiration, and permissions. Tokens expire automatically and are single-use for sensitive operations.
Strong password requirements
Passwords must be at least 12 characters with a mix of character types. Common patterns are rejected, and password history is tracked to prevent reuse.
Brute-force protection
All authentication endpoints are rate-limited. Repeated failed attempts are automatically throttled, logged, and flagged.
Defense in depth across the entire platform
Modern security headers, input validation, and injection prevention are applied consistently across every endpoint.
Hardened Content Security Policy
All web applications send a Content Security Policy with tightly scoped sources and nonce-based script execution. We are still removing the remaining legacy inline styling so that the policy can be tightened further.
Industry-standard security headers
Every response includes a full suite of security headers: forced HTTPS, clickjacking protection, content type enforcement, and restricted browser permissions for camera, microphone, and location.
Webhook validation
Webhook URLs are validated against known private and internal address ranges before every delivery attempt, preventing server-side request forgery (SSRF) attacks.
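A delivery-time check of the kind described, as an added example rather than OnComply's own code: it rejects non-HTTPS URLs and embedded credentials, resolves the host through an injected resolver (an assumption made so the check runs offline; production would wrap net.DefaultResolver.LookupNetIP), and refuses any answer in loopback, private, link-local, multicast or other non-public space.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
)

// Resolver is injected so the check runs offline; production would wrap net.DefaultResolver.LookupNetIP.
type Resolver func(host string) ([]netip.Addr, error)

// Non-public ranges the netip predicates miss: shared address space (CGNAT), benchmarking, reserved.
var blockedNets = []netip.Prefix{netip.MustParsePrefix("100.64.0.0/10"),
	netip.MustParsePrefix("198.18.0.0/15"), netip.MustParsePrefix("240.0.0.0/4")}

// IsPublicAddr reports whether addr is routable public space; Unmap() first so ::ffff:10.0.0.1 is judged as 10.0.0.1.
func IsPublicAddr(addr netip.Addr) bool {
	ip := addr.Unmap()
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() || ip.IsMulticast() || ip.IsLinkLocalUnicast() {
		return false
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return false
		}
	}
	return true
}

// ValidateWebhookURL rejects non-HTTPS URLs, embedded credentials and hosts that resolve to any
// non-public address. Run it before every delivery and connect to the addresses it returns rather
// than re-resolving, so a DNS answer that changes between check and use cannot slip past.
func ValidateWebhookURL(raw string, resolve Resolver) ([]netip.Addr, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" || u.User != nil || u.Hostname() == "" {
		return nil, fmt.Errorf("webhook URL must be https with a host and no credentials")
	}
	addrs, err := resolve(u.Hostname())
	if err != nil || len(addrs) == 0 {
		return nil, fmt.Errorf("could not resolve %q", u.Hostname())
	}
	for _, a := range addrs {
		if !IsPublicAddr(a) {
			return nil, fmt.Errorf("%q resolves to non-public address %s", u.Hostname(), a)
		}
	}
	return addrs, nil
}
```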
SQL injection prevention
All database queries use parameterized inputs. There are no string-built queries anywhere in the codebase — SQL injection is mitigated by design, not just by convention.
Secrets management
No credentials or secrets are stored in application code. All sensitive configuration is loaded from secure environment variables and validated at startup — the application won't start if anything is missing.
Cloud-native, isolated by design
OnComply runs on enterprise-grade cloud infrastructure with strict network isolation between public-facing services, application logic, and data storage.
Container-based workloads
Application services run in managed container orchestration with minimal container images. Each container runs with restricted permissions and resource limits to contain any potential compromise.
Private network architecture
Databases and internal services run in private subnets with no direct internet access. Only the API is publicly reachable, and it sits behind a managed load balancer.
Managed database with automatic failover
The database runs on a managed PostgreSQL service with Multi-AZ high availability, automated backups, point-in-time recovery, and managed failover inside the deployment region.
Managed key infrastructure
Encryption keys are managed through AWS KMS. Key material stays within the service boundary, key usage is logged, and rotation can be managed through KMS controls and platform configuration.
Runtime secrets injection
Application secrets are stored in a managed secrets service and injected at runtime — never hard-coded in configuration files or container images.
A detailed record of everything
Every significant action in OnComply is recorded in an append-only audit log. Once written, entries are protected from modification or deletion at the database level.
Append-only audit log
Audit records are protected at the database level with write-once constraints. This is designed to give you a reliable record for compliance reviews and investigations.
Long-term retention
Audit logs are retained to support common compliance framework requirements. Records are organized for efficient querying and archival.
Comprehensive event coverage
Every meaningful action is logged: vendor status changes, document uploads, validation decisions, contract signings, payment submissions, exports, logins, API usage, and more.
Detailed context for every event
Each audit entry captures who performed the action, what was affected, the type of action, relevant metadata, and where the request originated from.
Vendor lifecycle tracking
Compliance-related events — onboarding, document validation, payment setup, contract execution — are tracked separately, giving you a clean timeline for each vendor's compliance journey.
Exportable audit trail
Export your full audit log or per-vendor audit history at any time. All exports are themselves logged, so you always know who accessed what.
Responsible Disclosure
If you discover a security vulnerability in OnComply, please report it to us at support@oncomply.biz. We will acknowledge your report within 24 hours and work with you to understand and address the issue. We do not pursue legal action against researchers acting in good faith.
Please include a description of the vulnerability, steps to reproduce, potential impact, and any suggested remediation. We will keep you informed throughout the investigation.