Customer data is one of the most valuable assets a company has. That’s why our top priority is delivering a high-performance solution with a focus on keeping our customers’ data safe and their interactions secure.
Cloud-based software is all about providing uninterrupted, reliable service, making information security a major focus for first-rate cloud vendors. Skilled resources, network redundancies, religious data back-ups, stand-by power, up-to-date security, and intrusion detection are mandatory components for an enterprise-class service.
Overview
We provide our services through a secure connection using HTTPS, which combines the Hypertext Transfer Protocol with the SSL/TLS protocol to provide high encryption and secure identification of the server.
Availability & continuity
Uptime |
MRI OnLocation maintains a publicly available system status webpage that includes system availability details, scheduled maintenance, service incident history, and relevant security events. |
Redundancy |
OnLocation employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime and/or our Enhanced Disaster Recovery service offering allows us to deliver a high level of service availability, as Service Data is replicated across availability zones. |
Disaster Recovery |
Our Disaster Recovery (DR) program ensures that our services remain available or are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities. |
Methodology
Risk Analysis |
OnLocation continually performs risk analysis to achieve the highest level of security. Security concepts and techniques have been integral to our solution’s design right from the beginning and we continue to invest heavily in security improvements for our product, our process, our people, and our technology. OnLocation performs full security audits of our product and infrastructure regularly, including quarterly third-party audits. Our risk assessment process aligns with the OWASP standard. |
Physical security
Facilities |
OnLocation hosts service data in AWS data centers that have been certified as ISO 27001, PCI/DSS Service Provider Level 1, and/or SOC 2 compliant. AWS infrastructure services include back-up power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data. |
On-site security |
AWS on-site security includes a number of features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures. AWS data centers have been certified as ISO 27001, PCI/DSS Service Provider Level 1, and/or SOC 2 compliant. |
Monitoring |
All Production Network systems, networked devices, and circuits are constantly monitored and logically administered by OnLocation staff. Physical security, power, and internet connectivity are monitored by AWS. |
Location |
OnLocation leverages AWS data centers in the United States, Europe, and Asia/Pacific. |
Application security
Dedicated Security Team |
Our global Security Team is on call 24/7 to respond to security alerts and events. |
Protection |
Our network is protected through the use of key AWS security services, regular audits, and network intelligence technologies that monitor and/or block malicious traffic and network attacks. |
Architecture |
Our network security architecture consists of multiple security zones. More sensitive systems, like database servers, are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls will apply. |
Network Vulnerability Scanning |
Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. |
Third-Party Penetration Tests |
In addition to our extensive internal scanning and testing program, each year, OnLocation employs third-party security experts to perform a broad penetration test across the OnLocation Production Network. |
Intrusion Detection and Prevention |
Service ingress and egress points are instrumented and monitored to detect anomalous behavior. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds and use regularly updated signatures based on new threats. This includes 24/7 system monitoring. |
Threat Intelligence Program |
OnLocation participates in several threat intelligence sharing programs. We monitor threats posted to these threat intelligence networks and take action based on our risk and exposure. |
Logical Access |
Access to the OnLocation Production Network is restricted on an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the OnLocation Production Network are required to use multiple factors of authentication. |
Security Incident Response |
In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths. |
Access Control |
All access to data within OnLocation is governed by access rights. Every user who attempts to access your OnLocation account is authenticated by username and password. The administrator of your OnLocation instance may define granular access privileges to individual users, and email notifications alert administrators when someone is granted admin access. Our security architecture ensures that each request to OnLocation is accompanied by user identity credentials to ensure segregation of customer data. |
Application Security |
OnLocation maintains a robust application audit log, including security events such as user logins or configuration changes. Additionally, OnLocation follows secure credential storage best practices by storing passwords using the bcrypt (salted) hash function. |
Encryption
Encryption in Transit |
Communications between you and OnLocation are encrypted via industry best-practice HTTPS and Transport Layer Security (TLS) over public networks. TLS is also supported for encryption of emails. This ensures that all traffic between you and OnLocation is secure during transit. |
Encryption at Rest |
Customers of OnLocation benefit from the protections of encryption at rest for their data. |
Backups
Backups |
Along with the regular file system snapshots, a full daily backup is taken of all systems and stored as a full point-in-time record. |
Vulnerability management
Vulnerability |
OnLocation and its supporting data security infrastructure are frequently reviewed for potentially harmful vulnerabilities. |
Vulnerability Testing |
OnLocation.com tests all code for security vulnerabilities before release, and regularly scans our network and systems for vulnerabilities. Third-party assessments are also conducted regularly:
|
Vulnerability Testing |
If you would like to run your own 3rd-Party Vulnerability Test against OnLocation, please send an email to trust@whosonlocation.com. (Please note that customer-driven and requested vulnerability tests are at the customer's cost.) |
OnLocation Employees and Agents
Protecting data |
In line with industry best practice for protecting the confidentiality of our Customers' Data, all OnLocation employees and agents agree to our Privacy Policy. Specifically, they agree and understand that Customer Data is the IP of the Customer and shall not be accessed without the prior written consent of the Customer, and/or copied, shared or disseminated to any Party without the prior written consent of the Customer. |
Further help
If you have any questions about the Security Statement, the practices of this website service, or your dealings with us, contact our team using the form, or write to us at:
Attn: Security Statement
MRI OnLocation
P.O. Box 27023
Marion Square
Wellington
New Zealand 6141