Real operations, live status, public postmortems.
Everything we tell prospective customers about how OneAce operates — encryption, access control, resilience, incidents — in one place, updated as the system evolves. No NDA required for the summary below.
Headline numbers are commitments and live-system readings, not marketing claims — visit /status for the source-of-truth uptime feed.
The five pillars.
Plain-English summary of what a CISO will see in a security questionnaire. Detail behind each bullet lives in our internal security documentation — available under NDA from sales.
Data protection
Encryption at rest (AES-256) and in transit (TLS 1.3). Per-tenant row-level isolation enforced at the database. Quarterly key rotation cadence.
- AES-256 at rest
- TLS 1.3 in transit
- Tenant row-level isolation
- Quarterly key rotation
Access control
SSO via SAML 2.0 / OIDC, SCIM provisioning, and TOTP 2FA on every Enterprise seat. Capability-based authorization gates every server action.
- SAML 2.0 & OIDC
- SCIM 2.0 provisioning
- Mandatory TOTP 2FA
- Capability-based auth
Audit & logging
Every state-changing action is logged with actor, before/after diff, and request id. Retention defaults to 13 months; Enterprise extends to 7 years with SIEM export.
- Full audit trail
- 13-month retention
- SIEM export (webhook / S3)
- Tamper-evident chain
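As an added illustration (this is not OneAce's code; the service, the capability names and the in-memory store are assumptions), the following shows how the two mechanisms named in the Access control and Audit & logging sections fit together: each server action declares the capability it requires, and every state change appends an entry carrying actor, before/after state, request id and the hash of the previous entry, so a later edit to any historical entry breaks verification.

```python
# Added example (not OneAce's code): a capability-gated server action that
# appends to a hash-chained, tamper-evident audit log. The service, the
# capability names and the in-memory store are assumptions for illustration.
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # prev_hash of the first entry in a chain


class Forbidden(Exception):
    """Caller lacks the capability the action requires."""


@dataclass(frozen=True)
class RequestContext:
    actor: str
    request_id: str
    capabilities: frozenset


def _digest(body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so anyone who re-reads the
    # exported entries can recompute exactly the same hash.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def append(self, ctx: RequestContext, action: str, before: dict, after: dict) -> dict:
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "actor": ctx.actor,
            "request_id": ctx.request_id,
            "action": action,
            "before": before,
            "after": after,
            "prev_hash": prev_hash,
        }
        body["hash"] = _digest(body)  # the hash covers every field above
        self.entries.append(body)
        return body

    def verify(self):
        """Index of the first entry whose content or link is broken, or None."""
        prev_hash = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev_hash"] != prev_hash or _digest(body) != entry["hash"]:
                return i
            prev_hash = entry["hash"]
        return None


def requires(capability: str):
    """Gate a service method: the RequestContext must hold `capability`."""
    def decorator(fn):
        def wrapper(self, ctx, *args, **kwargs):
            if capability not in ctx.capabilities:
                raise Forbidden(f"{ctx.actor} lacks {capability}")
            return fn(self, ctx, *args, **kwargs)
        return wrapper
    return decorator


class InventoryService:
    def __init__(self):
        self.inventory = {"sku-1": {"qty": 10}}  # constructed sample data
        self.audit = AuditLog()

    @requires("inventory:write")
    def set_quantity(self, ctx: RequestContext, sku: str, qty: int) -> int:
        before = dict(self.inventory[sku])
        self.inventory[sku]["qty"] = qty
        self.audit.append(ctx, "inventory.set_quantity", before, dict(self.inventory[sku]))
        return qty


def run_demo() -> dict:
    """Exercise the gate and the chain on constructed data; returns a summary."""
    svc = InventoryService()
    admin = RequestContext("alice@example.com", "req-0001",
                           frozenset({"inventory:read", "inventory:write"}))
    viewer = RequestContext("bob@example.com", "req-0002", frozenset({"inventory:read"}))
    svc.set_quantity(admin, "sku-1", 7)
    svc.set_quantity(admin, "sku-1", 3)
    try:
        svc.set_quantity(viewer, "sku-1", 0)  # no inventory:write -> denied, nothing logged
        denied = False
    except Forbidden:
        denied = True
    intact = svc.audit.verify()                 # None: chain is consistent
    svc.audit.entries[0]["after"]["qty"] = 99   # simulate an after-the-fact edit
    broken_at = svc.audit.verify()              # 0: entry 0 no longer matches its hash
    return {
        "final_qty": svc.inventory["sku-1"]["qty"],
        "entry_count": len(svc.audit.entries),
        "denied": denied,
        "intact_before_tamper": intact,
        "first_broken_entry": broken_at,
    }


if __name__ == "__main__":
    print(run_demo())
```

A chain like this catches edits and reordering of historical entries, but not silent removal of the newest entries, since a truncated chain still verifies. Anchoring the latest hash somewhere the log writer cannot rewrite (for example in the SIEM or S3 export the page mentions) closes that gap, because the customer can then check that the exported head still appears in the chain.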
Resilience
Multi-region active-passive on managed Postgres. Recovery objectives are tested — not assumed. The disaster runbook is published, not stored in a drawer.
- Multi-region failover
- RPO 5m / RTO 45m target
- Quarterly DR drills
- Public runbook
Vendor management
Sub-processor list is public and versioned. Customers receive advance notice on additions, with flow-down DPAs in place for every vendor.
- Public sub-processor list
- 30-day change notice
- Flow-down DPAs
- Annual vendor review
| Vendor | Purpose | Data shared | Region |
|---|---|---|---|
| Vercel | Application hosting & CDN | Request metadata, cached assets | Global edge |
| Neon (Postgres) | Primary database | All customer inventory data | EU-West-2 (London) |
| Stripe | Billing & invoicing | Account & billing contact | USA / EU |
| Resend | Transactional email | Email addresses, message bodies | USA / EU |
| PostHog | Product analytics (no PII) | Anonymized event stream | EU-Central-1 |
| Sentry | Error monitoring | Stack traces, request ids | USA |
| Cloudflare | WAF, DDoS, bot protection | Public request metadata | Global |
When something breaks.
The public status page is updated within 15 minutes of detection. A written postmortem is published within 5 business days for every Sev-2 or worse. Customer communication is the on-call engineer's first job, not a comms-team afterthought.
Trailing 12 months: 0 incidents with customer data impact. Severity-2 events and their resolutions are listed in the public incident log, with full timelines on /status.
Recent incidents · public log
Policies & legal
Trust commitments above are grounded in our written policies — everything OneAce customers sign or rely on is linked here.
Contact the trust team
Security questionnaires, DPA requests, and vulnerability reports route through one inbox. We acknowledge within one business day.
trust@oneace.app · security@oneace.app · vuln disclosure