OneLogin Compliance Commitment

A SOC 3 report is a general use report of the SOC 2 reports which covers how a company safeguards customer data and how well those controls are operating. Companies that use cloud service providers use SOC 2 reports to assess and address the risks associated with third party technology services. These reports are issued by independent third party auditors covering the principles of Security, Availability, Confidentiality, and Privacy.

What’s the primary purpose of this initiative?

Provides an independent assessment of OneLogin’s security and privacy control environment. The assessment is designed to meet the needs of users who require assurance about the controls at a service organization.

What’s the scope?

The OneLogin’s SOC 3 scope is the same as our SOC 2 Type which covers the AICPA’s Trust Services Principles and Criteria for Security, Availability, Confidentiality, and Privacy.

How often are you evaluated/audited?

Audits are performed annually.

Who is the primary audience?

Customers and relevant third parties with a business need.

A SOC 2 Type 2 report is an internal controls report capturing how a company safeguards customer data and how well those controls are operating. Companies that use cloud service providers use SOC 2 reports to assess and address the risks associated with third party technology services. These reports are issued by independent third party auditors covering the principles of Security, Availability, Confidentiality, and Privacy.

What’s the primary purpose of this initiative?

Provides an independent assessment of OneLogin’s security and privacy control environment. The assessment includes a description of the controls, the tests performed to assess them, the results of these tests, and an overall opinion on the design and operational effectiveness of the same.

What’s the scope?

OneLogin’s SOC 2 Type 2 Report covers the AICPA’s Trust Services Principles and Criteria for Security, Availability, Confidentiality, and Privacy. The report also includes a mapping of the controls tested to ISO/IEC 27001:2013 Annex A / ISO/IEC 27002:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2014, HIPAA security requirements, and FFIEC’s examination guidelines for GLBA Information Security.

How often are you evaluated/audited?

Audits are performed annually.

Who is the primary audience?

Customers and relevant third parties with a business need.

A SOC 1 Type 2 report is an internal controls report specifically intended to meet the needs of the OneLogin customers’ management and their auditors, as they evaluate the effect of the OneLogin controls on their own internal controls for financial reporting. The OneLogin SOC 1 report examination was performed in accordance with the Statement on Standards for Attestation Engagements (SSAE) No. 16 and the International Standard on Assurance Engagements (ISAE) No. 3402, therefore it can be used by our customers and their auditors both the US and abroad. These reports are issued by independent third party auditors periodically.

What’s the primary purpose of this initiative?

Provide an independent assessment of OneLogin internal controls that are relevant to customers’ internal controls over financial reporting. The assessment includes a description of the controls, the tests performed to assess them, the results of these tests, and an overall opinion on the design and operational effectiveness of the same.

What’s the scope?

OneLogin’s SOC 1 Type 2 Report covers internal controls in the areas of risk management, logical access, change management, data security, and data availability.

How often are you evaluated/audited?

Audits are performed annually.

Who is the primary audience?

Customers and their auditors.

Is there an ISAE 3402 Report?

The SOC 1 report follows both SSAE 16 and ISAE 3402 standards, so there is no need to issue a separate report.

The ISO 27018:2019 standard provides guidance to cloud service providers acting as data processors in the form of objectives, controls, and guidelines. OneLogin aligned its existing privacy controls to be compliant to this standard in order to augment its privacy program. These controls are tested as part of the periodic SOC 2 Type 2 report and an independent body has audited our compliance with this standard as part of our ISO 27001:2013 certificate annual audits.

What’s the primary purpose of this initiative?

The ISO 27018:2019 standard provides guidance to cloud service providers acting as data processors in the form of objectives, controls, and guidelines. Alignment with this standard provides additional assurance of the adequacy of OneLogin’s Privacy Program.

What’s the scope?

OneLogin’s Privacy Program and its alignment with recommended objectives, control, and guidelines.

How often are you evaluated/audited?

The ISO 27018:2019 controls are tested as part of the periodic SOC 2 Type 2 Report Audits and our ISO 27001:2013 Certification audits.

Who is the primary audience?

Customers and relevant third parties with a business need.

The ISO 27017:2015 standard provides guidance to both cloud service providers and consumers of these services in the form of objectives, controls, and guidelines. OneLogin aligned its existing security controls to be compliant to this standard in order to augment its security program. These controls are tested as part of the periodic SOC 2 Type 2 report and an independent body has audited our compliance with this standard as part of our ISO 27001:2013 certificate annual audits.

What’s the primary purpose of this initiative?

The ISO 27017:2015 standard provides guidance to both cloud service providers and consumers of these services in the form of objectives, controls, and guidelines. Alignment with this standard provides additional assurance of the adequacy of OneLogin’s Security Program.

What’s the scope?

OneLogin’s Security Program and its alignment with recommended objectives, control, and guidelines.

How often are you evaluated/audited?

The ISO 27017:2015 controls are tested as part of the periodic SOC 2 Type 2 Report Audits and our ISO 27001:2013 Certification audits.

Who is the primary audience?

Customers and relevant third parties with a business need.

Skyhigh Networks performs objective and thorough evaluations of the enterprise-readiness of cloud services based on a detailed set of criteria developed in conjunction with the Cloud Security Alliance (CSA). Services designated as Skyhigh Enterprise-Ready are the services receiving the highest CloudTrust™ Ratings, which fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection.

What’s the primary purpose of this initiative?

Provide an objective evaluation of OneLogin’s security capabilities based on criteria developed in conjunction with the Cloud Security Alliance.

What’s the scope?

OneLogin’s security controls evaluated against a specific set of criteria developed by Skyhigh Networks in conjunction with the Cloud Security Alliance.

How often are you evaluated/audited?

An evaluation is performed periodically at Skyhigh Network’s discretion and when changes are submitted by OneLogin.

Who is the primary audience?

Customers and relevant third parties with a business need.

OneLogin welcomes the GDPR as an important and necessary evolution in the data protection laws across the EU. OneLogin’s privacy and security program meets and exceeds the highest standards in the industry, including compliance with the GDPR.

The new General Data Protection Regulation (“GDPR”), which replaces the European Commission’s Data Protection Directive, goes into effect on May 25, 2018. Its goal is to unify European Union (EU) privacy regulations and better protect EU citizen personal data both within the EU and outside the EU. As a data processor and controller, OneLogin has verified that we meet all GDPR requirements and we will continue to actively uphold GDPR compliance. We are also providing resources and documentation to support our customers in their roles as data controllers.

At OneLogin, ensuring that all customer data is handled securely and responsibly is our number one priority. Here is an overview of what to expect from GDPR, how we are complying with this new regulation, and how we are empowering customers to comply.

What is the purpose of GDPR?

GDPR is a comprehensive data protection law that serves two purposes:

1. Protect individual’s data: GDPR gives control over personal data back to the EU residents and prohibits organizations from exploiting that data.

2. Guidelines for Organizations: GDPR makes data protection law identical throughout the single market. It provides businesses with simpler legal guidelines, which can be more easily enforced by government bodies.

Who does GDPR apply to?

GDPR applies to any organization operating within the EU, as well as organizations that offer goods or services to customers or businesses in the EU. This broadens the scope of protection of EU residents for improved privacy control.

How will GDPR affect me?

If you are a resident of the EU, congratulations! The European Union is taking steps to ensure that your data is used safely and appropriately.

If your organization provides services within the EU, you will need to be compliant with GDPR. This will impact the way that you store, process, and utilize user data in a number of ways. See this overview of key changes introduced by GDPR as it replaces the European Commission’s Data Protection Directive.

Right to access and portability: Users can request confirmation as to whether their personal data is being processed, where and for what purpose. Further, the data controller is required to provide a copy of the personal data, free of charge, in an electronic format.

Breach notification requirement: Breaches, which are likely to “result in a risk for the rights and freedoms of individuals”, must be reported within 72 hours of first having become aware of the breach.

Privacy by design:Companies must take into account data privacy during design stages of all projects along with the lifecycle of the relevant data process. Companies must also take into account data privacy during design stages of all projects along with the lifecycle of the relevant data process.

Right to be forgotten: Companies must allow users to erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

This is not an exhaustive list. But fail to meet any of these requirements, and you may be fined up to 4% of your annual growth turnover, or €20 million.

What steps is OneLogin taking to be GDPR compliant?

OneLogin is a global organization that both processes and controls data from around the world, including the EU. Our existing certifications and long-standing commitment to privacy frameworks prepare us for GDPR in many ways.

• To meet GDPR requirements, organizations are required to articulate data flows, and demonstrate how privacy is controlled and maintained. Our “Blank Page” approach to redrawing our data flows and building out very detailed data mapping diagrams helps us to achieve this.

• Updated Standard MSA and Data Processing Agreement: Organizations are also required to update their contractual language to reflect the additional accountability required by GDPR. To this end, OneLogin leverages data breach notification language, uses subcontractors, and communicates responsibilities to our own data processing vendors.

• Data Protection Officer: OneLogin utilizes an independent external consultant based in the EU to serve as our DPO.

How is OneLogin helping customers to be compliant?

OneLogin is dedicated to empowering customers with the resources they need to comply with GDPR. Here’s how:

Right to access and portability

• IT administrators can easily find a user in the system and print out their information as stored in any of the user directories.
• User privileges and role assignments in OneLogin indicate where the user’s metadata is used (i.e. all applications they have access to.)

Breach notification requirement

• OneLogin’s event streaming service can help identify breach attempts much faster when correlated with additional enterprise security events.
• Following the identification of a potential breach, administrators can use OneLogin’s event dashboard and reporting tool in order to investigate further.

Right to be forgotten

• OneLogin allows for the automated deprovisioning of users from other systems and external applications.
• Admins can delete users immediately to meet both privacy and enterprise security requirements.
• Admins can also manually audit provisioned apps.

Privacy by design: OneLogin is a trusted partner
Privacy by design is a particularly challenging requirement, but as a vendor we are well-prepared for it.

• The OneLogin service has always handled information that must be protected; whether due to privacy regulations, credit card industry regulation, its designation as shared secrets, or several other data protection requirements.
• OneLogin incorporates privacy impact assessments that are performed periodically and as part of the design process for new features.

Privacy by design: A better architecture with OneLogin
Especially if you are an architect in IT or engineering, you might be thinking not only about your third parties’ compliance, but the compliance challenges in your own systems. Consider the advantages of building your integrations on top of OneLogin’s platform.

Many of the compliance challenges are the result of older architectures that allow for limited control over how data is stored, managed, and processed. For example, it used to be very common for legacy applications to access the corporate directory directly. This meant they typically had access to all user information with few restrictions on what they modify, cache or store.

We have come a long way since.

To understand how, let’s start with some essentials. The core of OneLogin’s identity platform is modern protocols, including SAML, OpenID Connect and SCIM. These modern protocols use secure tokens, security assertions and automated provisioning.

• Secure tokens: The user never signs-in to an app directly. Instead, the user always signs-in securely using a Single Sign-On (SSO) portal. Any trusted app can receive a secure token that represents the user.
• Security assertions: Identity information (e.g. user name, employee ID) is digitally signed by a trusted party, specifically an identity provider.
• Automated provisioning/deprovisioning: When a user is granted access to an application, their relevant metadata is pushed to the app. Similarly, when a user’s access is revoked, their relevant metadata is deleted from the app.

OneLogin’s Identity Platform enables you to leverage modern protocols for virtually any public cloud or private/custom app.

Advantages:

• Applications do not authenticate users directly, which means better security and privacy.
• Applications do not have direct access to the corporate directory for read/write to the entire user base.
• Applications get only the user metadata they need — only for users with access to the app, and user’s access can even be anonymous.
• Applications can get role/privilege information without direct access to the user’s information.

You can learn more about how we are embracing GDPR by reviewing our privacy policy.

If you have questions or need more information please email privacy@onelogin.com.

The EU Model Contract Clauses are designed to facilitate transfers of personal data from the European Economic Area (EEA) to other countries, while providing appropriate safeguards for the protection of personal data. These clauses are part of our Data Processing Addendum and offer an alternative means of fulfilling adequacy requirements, and therefore are an alternative to the US Privacy Shield Framework or Binding Corporate Rules.

What’s the primary purpose of this initiative?

Provide a mechanism for customers in the EEA, who are considered the data controllers, to work with OneLogin, the data processor, and mutually agreeing to the transfer personal data outside of the EEA only under the proper safeguards and in compliance with EU data protection law.

What’s the scope?

The model contract clauses are standard for all data processing providers and document the provider’s commitment to abide by the EU data protection law.

How often are you evaluated/audited?

EU model contract clauses are executed on an as needed basis

Who is the primary audience?

Customers who are going to be transferring EEA personal data to OneLogin.

Application penetration tests are performed by independent third parties on a quarterly basis. The objective of these tests is to help ensure we discover potential security vulnerabilities in our app and are steering clear of the OWASP Top 10 and the SANS Top 25. Testers are granted access to their own OneLogin account and the underlying source code and we alternate the vendors that we use. We perform ad hoc pen tests, as needed, when rolling out significant features or functionality that might not be covered by the periodic tests.

What’s the primary purpose of this initiative?

Penetration tests help OneLogin identify potential security vulnerabilities in our app, including those in the OWASP Top 10 and the SANS Top 25.

What’s the scope?

The core app is covered during every assessment and additional services including mobile apps and browser extensions are focus areas on a rotational basis.

How often are you evaluated/audited?

Third party penetration tests are performed on a Annually basis.

Who is the primary audience?

OneLogin - internal use only

Network vulnerability scans are performed using a PCI ASV (Approved Scanning Vendor) solution on a quarterly basis. These scans are performed internally and externally as part of PCI requirements. Monitoring tools are also used to verify whether OneLogin systems are susceptible to emerging vulnerabilities by scanning the software packages installed on each system.

What’s the primary purpose of this initiative?

Network vulnerability scans help OneLogin identify vulnerabilities and misconfigurations of websites, applications, and information technology infrastructures.

What’s the scope?

Internal and external scans of the network environment.

How often are you evaluated/audited?

Network scans are performed on a quarterly basis and monitoring tools report ad hoc on emerging vulnerabilities.

Who is the primary audience?

OneLogin - internal use only

Bug bounty programs provide another vehicle for organizations to discover vulnerabilities in their systems by tapping into a large network of global security researchers that are incentivized to responsibly disclose security bugs via a reward system. Operationally, the end results are very similar to a vendor-performed penetration test, but the number of researchers searching for bugs is much higher and not timeboxed, unlike a typical penetration test exercise.

What’s the primary purpose of this initiative?

Similar to our scheduled penetration tests, the bug bounty program helps OneLogin identify potential security vulnerabilities in our app, including those in the OWASP Top 10 and the SANS Top 25.

How often are you evaluated/audited?

Ongoing program.

Who is the primary audience?

OneLogin - internal use only

The Gramm-Leach-Bliley Act (GLBA) of 1999 first established a requirement to protect consumer financial information. Financial services regulations on information security, initiated by the GLBA, require financial institutions in the United States to create an information security program to protect the security, confidentiality, and integrity of such information. The Federal Financial institutions Examination Council (FFIEC) supports this mission by providing extensive, evolving guidelines for compliance. OneLogin does not store consumer financial information, but has mapped its controls framework to FFIEC guidelines to validate that we are able to comply with GLBA if the need arose. This control framework is tested as part of the SOC 2 Type 2 reports.

What’s the primary purpose of this initiative?

Validate that OneLogin would be able to comply with FFIEC guidelines designed per GLBA requirements to protect consumer financial information.

What’s the scope?

OneLogin’s security controls evaluated against the FFIEC guidelines for testing compliance with GLBA.

How often are you evaluated/audited?

The security controls aligned with FFIEC guidelines for the testing GLBA requirements are tested as part of the periodic SOC 2 Type 2 Report Audits.

Who is the primary audience?

Customers and relevant third parties with a business need.

The National Institute of Standards and Technology (NIST) developed the Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) in response to Executive Order 13636. The framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses. OneLogin aligned its existing security controls to be compliant with this framework in order to augment its security program. These controls are tested as part of the periodic SOC 2 Type 2 report.

What’s the primary purpose of this initiative?

Provide an additional reference point for developing and maintaining OneLogin’s Security Program.

What’s the scope?

The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles. Through use of the Profiles, the Framework will help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources. The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk.

How often are you evaluated/audited?

The security controls aligned with the NIST Cybersecurity Framework’s Framework Core are tested as part of the periodic SOC 2 Type 2 Report Audits.

Who is the primary audience?

Customers and relevant third parties with a business need.

UK public sector organizations and arm’s length bodies can use the Digital Marketplace to buy cloud-based services. In order to do so, suppliers must agree to and abide by the G-Cloud framework and OneLogin participates in this program.

What’s the primary purpose of this initiative?

Provide OneLogin service data to UK public sector organizations and arm’s length bodies according to G-Cloud framework requirements.

What’s the scope?

The G-Cloud framework requires a supplier declaration which contains standard data elements that enable organizations to evaluate suppliers based on the same criteria. Data elements include information on the support of open standards, onboarding and offboaring, provisioning, data storage, asset protection and resilience, vulnerability management, and incident management, among others.

How often are you evaluated/audited?

Each G-Cloud framework iteration typically lasts for 12 month periods, at which point a new iteration is created and suppliers must submit a new declaration based on that iteration’s requirements.

Who is the primary audience?

UK public sector organizations and arm’s length bodies.

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards.

What’s the primary purpose of this initiative?

The PCI Data Security Standards help protect the safety of that data. They set the operational and technical requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.

What’s the scope?

OneLogin is a PCI Level 4 Merchant and has completed the Payment Card Industry Data Security Standard’s SAQ-A. We use a third party to process credit card information securely.

How often are you evaluated/audited?

Audit is performed annually by a QSA.

Who is the primary audience?

Customers and relevant third parties with a business need.