Security statement

Updated July 2022

Customer data is one of the most valuable assets a company has. That’s why our top priority is delivering a high-performance solution with a focus on keeping our customers’ data safe and their interactions secure.

Cloud-based software is all about providing uninterrupted, reliable service, making information security a major focus for first-rate cloud vendors. Skilled resources, network redundancies, religious data back-ups, stand-by power, up-to-date security, and intrusion detection are mandatory components for an enterprise-class service.

Overview

We provide our services through a secure connection using HTTPS; which is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide high encryption and secure identification of the server.  

Availability & continuity

Uptime

MRI OnLocation maintains a publicly available system status webpage that includes system availability details, scheduled maintenance, service incident history, and relevant security events.

Redundancy

OnLocation employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime and/or our Enhanced Disaster Recovery service offering allows us to deliver a high level of service availability, as Service Data is replicated across availability zones.

Disaster Recovery

Our Disaster Recovery (DR) program ensures that our services remain available or are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.

Methodology

Risk Analysis

OnLocation continually performs risk analysis to achieve the highest level of security. Security concepts and techniques have been integral to our solution’s design right from the beginning and we continue to invest heavily in security improvements for our product, our process, our people, and our technology.

OnLocation performs full security audits of our product and infrastructure regularly, including quarterly third-party audits. Our risk assessment process aligns with the OWASP standard.

Physical security

Facilities

OnLocation hosts service data in AWS data centers that have been certified as ISO 27001, PCI/DSS Service Provider Level 1, and/or SOC II compliance.

AWS infrastructure services include back-up power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data.

On-site security

AWS on-site security includes a number of features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures. AWS data centers that have been certified as ISO 27001, PCI/DSS Service Provider Level 1, and/or SOC 2 compliance. 

Learn more about AWS physical security.

Monitoring

All Production Network systems, networked devices, and circuits are constantly monitored and logically administered by OnLocation staff. Physical security, power, and internet connectivity are monitored by AWS.

Location

OnLocation leverages AWS data centers in the United States, Europe, and Asia/Pacific.

Application security

Dedicated Security Team

Our global Security Team is on call 24/7 to respond to security alerts and events.

Protection

Our network is protected through the use of key AWS security services, regular audits, and network intelligence technologies that monitor and/or block malicious traffic and network attacks.

Architecture

Our network security architecture consists of multiple security zones. More sensitive systems, like database servers, are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls will apply. 

Network Vulnerability Scanning

Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.

Third-Party Penetration Tests

In addition to our extensive internal scanning and testing program, each year, OnLocation employs third-party security experts to perform a broad penetration test across the OnLocation Production Network. 

Intrusion Detection and Prevention

Service ingress and egress points are instrumented and monitored to detect anomalous behavior. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds and use regularly updated signatures based on new threats. This includes 24/7 system monitoring.

Threat Intelligence Program

OnLocation participates in several threat intelligence sharing programs. We monitor threats posted to these threat intelligence networks and take action based on our risk and exposure.

Logic Access

Access to the OnLocation Production Network is restricted by an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the OnLocation Production Network are required to use multiple factors of authentication.

Security Incident Response

In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths

Access Control

All access to data within OnLocation is governed by access rights. Every user who attempts to access your OnLocation account is authenticated by username and password. The administrator of your OnLocation instance may define granular access privileges to individual users, and email notifications alert administrators when someone is granted admin access.

Our security architecture ensures that each request to OnLocation is accompanied by user identity credentials to ensure segregation of customer data.

Application Security

OnLocation maintains a robust application audit log, to include security events such as user logins or configuration changes. Additionally, OnLocation follows secure credential storage best practices by storing passwords using the bcrypt (salted) hash function.

Encryption

Encryption in Transit

Communications between you and OnLocation are encrypted via industry best practices HTTPS and Transport Layer Security (TLS) over public networks. TLS is also supported for encryption of emails. This ensures that all traffic between you and OnLocation is secure during transit.

Encryption at Rest

Customers of OnLocation benefit from the protections of encryption at rest for their data. 

Backups

Backups

Along with the regular file system snapshots, a full daily backup is taken of all systems and stored as a full point-in-time record. 

Vulnerability management

Vulnerability

OnLocation and its supporting data security infrastructure are frequently reviewed for potentially harmful vulnerabilities. 

Vulnerability Testing

OnLocation.com tests all code for security vulnerabilities before release, and regularly scans our network and systems for vulnerabilities. Third-party assessments are also conducted regularly:

  • Application vulnerability threat assessments
  • Network vulnerability threat assessments
  • Selected penetration testing and code review
  • Security control framework review and testing

Vulnerability Testing

If you would like to run your own 3rd-Party Vulnerability Test against OnLocation please send an email to trust@whosonlocation.com (Please note customer-driven and requested vulnerability tests are at the customers cost.

OnLocation Employees and Agents

Protecting data

In line with industry best practice for protecting the confidentiality of our Customers' Data, all OnLocation employees and agents agree to our Privacy Policy. Specifically, they agree and understand that Customer Data is the IP of the Customer and shall not be accessed without the prior written consent of the Customer, and/or copied, shared or disseminated to any Party without the prior written consent of the Customer.

Further help

If you have any questions about the Security Statement, the practices of this website service, or your dealings with us, contact out team using the form, or write to us at: 

Attn: Security Statement
MRI OnLocation
P.O. Box 27023
Marion Square
Wellington
New Zealand 6141