Onramp Invest Security Statement
Onramp Invest is committed to state-of-the-art security and provides regular updates so that all partners and users are fully informed. A safe and secure ecosystem requires that our colleagues understand security and adhere to Onramp policies, that our systems and tools are designed to be secure, and that Onramp monitors adherence to these processes and procedures.
All Onramp Invest employees are required to sign a code of conduct and confidentiality agreement that governs their behavior. Additionally, Onramp Invest conducts background checks on all employees, with the employee's permission.
Personnel Security Training
All Onramp Invest employees are required to complete training on security best practices and Onramp's security policies. The training is delivered to the entire team at least once per year and to all new employees when they join.
Onramp Invest defines information security roles and responsibilities. The security team is responsible for information security, security auditing and compliance, and for defining the security controls that protect Onramp Invest's infrastructure, data and software products. Onramp Invest maintains a set of processes and procedures that guide the team in keeping the ecosystem secure and robust. Onramp Invest's Site Reliability Engineering team includes process engineers who provide the processes and monitoring used to verify compliance. Onramp is engaged in SOC 2 compliance and auditing work.
Onramp Invest vets every tool used within the Onramp Invest ecosystem. Onramp prefers tools and services from reputable vendors that can demonstrate adherence to recognized security frameworks (SOC 2, ISO 27001, NIST, etc.). Software of unknown provenance (SOUP) is used only after it has been reviewed under the applicable policy to confirm that it is genuinely required and that its security has been assessed.
Authentication and Authorization
All Onramp Invest employees are onboarded according to our internal processes, which grant new employees only a limited set of default permissions to company resources (email, corporate intranet, etc.).
User Access Management
Onramp Invest employs a policy of least privilege access control. Onramp Invest's roles are defined with respect to the access privileges necessary to carry out the responsibilities of a given role, and employees hold the fewest privileges required to do their job. Requests for additional access follow a formal process: the request must be approved by the employee's manager or another appropriate executive, as defined by our security guidelines. Offboarding processes and procedures are in place for employees who leave the organization. User access is audited quarterly.
Physical & Environmental Security
Onramp Invest hosts all of its services within Amazon Web Services (AWS) data centers, where physical access is stringently controlled. AWS operates its data centers with strict physical security measures, including 24×7 security guards, electronic key systems, biometric access and CCTV. Under the AWS shared responsibility model, AWS secures the physical facilities and underlying infrastructure, while Onramp Invest remains responsible for securing its own accounts, configurations, applications and data.
Onramp Invest's primary office is located in San Diego, California. The office is secured with electronic key systems, and all devices automatically lock after a predetermined interval of inactivity.
Change Management
Onramp maintains, communicates and follows formal change management processes. All changes to the production environment (network, systems, platform, application and configuration changes, including physical changes such as equipment replacement) are tracked, reviewed and then implemented. All key business owners, including Technical Support, Engineering, DevOps, Security and SaaS Operations, are represented at change management meetings. All deployments into production, and any other change to the production environment, must be approved by the change management team prior to implementation.
All critical decisions must be approved by the Onramp Invest CTO.
Auditing and Logging
Onramp Invest maintains audit logs on key systems to record user access. Access to the auditing and logging tool itself is restricted to authorized individuals. Security events are logged, monitored and addressed by trained security team members. Executives are notified of any urgent security event, and a weekly security summary is sent to all executives to provide visibility.
Backup and Recovery
Onramp Invest has backup policies and procedures governing the backup and restoration of data. Restores are tested periodically to confirm that data can be recovered safely from backup locations.
Network Security
Our AWS servers sit behind several layers of high-availability firewalls and reverse proxies that block common network-level threats, and these controls are continuously monitored for signs of attack. Firewalls are also used to restrict access to systems from external networks and to segment traffic between systems internally. Access to every system is denied by default; rules are added only when required and allowlist only the specific sources, ports and protocols that legitimate traffic needs. All of our infrastructure is managed through a DevSecOps tool that checks its configuration for security compliance.
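The default-deny, allowlist-only stance described above can be verified mechanically rather than by inspection. The Python script below is an added example and is not Onramp Invest's own DevSecOps tooling: it audits AWS security-group ingress rules, shaped like the output of EC2's describe_security_groups call, against an assumed policy in which only HTTPS may be reachable from the whole internet and no rule may open every protocol and port to an external source. The group IDs, names and rules are constructed for the example, and the allowlist and internal ranges are assumptions, not Onramp's actual policy.

```python
"""Audit AWS security-group ingress rules against a default-deny allowlist policy.

Added example; not Onramp Invest's tooling. Input follows the shape of the
"SecurityGroups" list returned by EC2 describe_security_groups(), but the
groups below are constructed.
"""
import ipaddress
from typing import Dict, Iterator, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample groups (hypothetical IDs and names).
SAMPLE_GROUPS: List[Dict] = [
    {
        "GroupId": "sg-0a1b2c3d4e5f60001",
        "GroupName": "public-alb",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60002",
        "GroupName": "app-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
            # SSH left open to the world: the kind of drift the audit should catch.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60003",
        "GroupName": "legacy-debug",
        "IpPermissions": [
            # IpProtocol "-1" means every protocol and port; FromPort/ToPort are absent.
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        ],
    },
]

# Policy assumed for this example: HTTPS is the only service that may be
# reachable from the whole internet (a source prefix of length 0).
ALLOWED_PUBLIC = {("tcp", 443, 443)}

# Sources inside these ranges are treated as internal and are not reported;
# the audit focuses on exposure to external networks. Assumed ranges.
INTERNAL_NETS: List[Net] = [ipaddress.ip_network(n) for n in
                            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8")]


def _sources(perm: Dict) -> Iterator[Net]:
    """Yield every IPv4 and IPv6 source CIDR of one permission entry."""
    for r in perm.get("IpRanges", []):
        yield ipaddress.ip_network(r["CidrIp"], strict=False)
    for r in perm.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(r["CidrIpv6"], strict=False)


def _is_internal(net: Net) -> bool:
    # subnet_of() raises on mixed address families, so compare versions first.
    return any(net.version == i.version and net.subnet_of(i) for i in INTERNAL_NETS)


def audit_security_groups(groups: List[Dict], allowed_public=ALLOWED_PUBLIC) -> List[Dict]:
    """Return one finding per (rule, source) pair that violates the allowlist policy."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            rule = (proto, perm.get("FromPort"), perm.get("ToPort"))
            for src in _sources(perm):
                if _is_internal(src):
                    continue
                if proto == "-1":
                    reason = "all protocols and ports open to an external source"
                elif src.prefixlen == 0 and rule not in allowed_public:
                    reason = "world-reachable port outside the public allowlist"
                else:
                    continue
                findings.append({"group": g["GroupId"], "name": g["GroupName"],
                                 "source": str(src), "rule": rule, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['group']} ({f['name']}): {f['rule']} from {f['source']}: {f['reason']}")
```

Against a real account, SAMPLE_GROUPS would be replaced by the SecurityGroups list returned by boto3's describe_security_groups(), and ALLOWED_PUBLIC and INTERNAL_NETS would hold the organization's actual allowlist; run on a schedule, a non-empty findings list is the signal that a rule was added outside the change management process.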
Security Testing
The OWASP Zed Attack Proxy (ZAP) is run every evening against the Onramp Invest tools so that industry-standard automated security testing is applied continuously. In-depth testing is conducted monthly, and a complete penetration test is run at least every 6 months. Any significant finding is addressed within one release cycle (less than 2 weeks), and usually within hours of discovery.
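A nightly ZAP run is only useful if its output is triaged against the remediation policy above. The Python script below is an added example, not Onramp Invest's pipeline: it reads a ZAP JSON report, separates ZAP's own false-positive marking from reviewed, time-limited exceptions, blocks on High findings and on Medium findings reported with at least medium confidence, and leaves the rest in a backlog. The report contents, the suppression entry and its ticket reference are constructed, and the thresholds are an assumed policy rather than one the page states.

```python
"""Triage an OWASP ZAP JSON report and decide whether a build may ship.

Added example, not Onramp Invest's pipeline. The report below is constructed
to match the layout of ZAP's JSON report (site[] -> alerts[], with riskcode
and confidence 0-3 encoded as strings); the gate thresholds are assumptions.
"""
import json
from datetime import date
from typing import Dict, List, Optional

RISK = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

SAMPLE_REPORT: Dict = {
    "@programName": "ZAP", "@version": "2.14.0",
    "site": [{
        "@name": "https://app.example.test", "@host": "app.example.test",
        "@port": "443", "@ssl": "true",
        "alerts": [
            {"pluginid": "40012", "alertRef": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2", "riskdesc": "High (Medium)",
             "instances": [{"uri": "https://app.example.test/search?q=x", "method": "GET", "param": "q"}]},
            {"pluginid": "10038", "alertRef": "10038-1", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3", "riskdesc": "Medium (High)",
             "instances": [{"uri": "https://app.example.test/", "method": "GET", "param": ""},
                           {"uri": "https://app.example.test/login", "method": "GET", "param": ""}]},
            {"pluginid": "10021", "alertRef": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "riskdesc": "Low (Medium)",
             "instances": [{"uri": "https://app.example.test/static/app.js", "method": "GET", "param": ""}]},
            # confidence "0" is ZAP's "False Positive" marking from a reviewed scan
            {"pluginid": "90022", "alertRef": "90022", "alert": "Application Error Disclosure",
             "riskcode": "2", "confidence": "0", "riskdesc": "Medium (False Positive)",
             "instances": [{"uri": "https://app.example.test/health", "method": "GET", "param": ""}]},
        ],
    }],
}

# Findings already reviewed and accepted for a limited time. Each entry carries a
# reason and an expiry so the exception is revisited instead of silently kept.
# Constructed entry; the ticket reference is hypothetical.
SUPPRESSIONS: Dict[str, Dict[str, str]] = {
    "10038-1": {"reason": "CSP rollout tracked in ticket SEC-123", "expires": "2024-07-01"},
}


def classify(alert: Dict, suppressions: Dict[str, Dict[str, str]], today: date) -> str:
    """Bucket one alert as false_positive, suppressed, blocking or backlog."""
    risk, conf = int(alert["riskcode"]), int(alert["confidence"])
    if conf == 0:
        return "false_positive"
    key = alert.get("alertRef") or alert["pluginid"]
    sup = suppressions.get(key)
    if sup and date.fromisoformat(sup["expires"]) >= today:
        return "suppressed"
    # Assumed gate policy: any High, or a Medium that ZAP is at least medium-confident about, blocks.
    if risk == 3 or (risk == 2 and conf >= 2):
        return "blocking"
    return "backlog"


def triage_zap_report(report: Dict, suppressions=SUPPRESSIONS, today: Optional[str] = None) -> Dict:
    """Summarize a ZAP report into buckets and a ship/no-ship decision.

    `today` is an ISO date string so runs are reproducible; it defaults to the real date.
    """
    day = date.fromisoformat(today) if today else date.today()
    buckets: Dict[str, List[Dict]] = {"blocking": [], "backlog": [], "suppressed": [], "false_positive": []}
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            buckets[classify(alert, suppressions, day)].append({
                "site": site["@name"],
                "alertRef": alert.get("alertRef") or alert["pluginid"],
                "alert": alert["alert"],
                "risk": RISK[alert["riskcode"]],
                "instances": len(alert.get("instances", [])),
            })
    return {"ship": not buckets["blocking"], "buckets": buckets}


def load_report(path: str) -> Dict:
    """Load the JSON report written by zap-baseline.py / zap-full-scan.py with -J."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    result = triage_zap_report(SAMPLE_REPORT, today="2024-06-03")
    for f in result["buckets"]["blocking"]:
        print(f"BLOCKING {f['risk']}: {f['alert']} ({f['instances']} instances) at {f['site']}")
    print("ship" if result["ship"] else "do not ship")
```

The expiry on each suppression is the important design choice: once the date passes, a suppressed Medium finding reappears as blocking, so an accepted risk cannot outlive the release cycle in which it was supposed to be fixed without someone consciously renewing it.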
Customer Data Protection
Onramp Invest has a set of procedures that govern how Onramp Invest must process, handle and store customer data. Personal data is protected by physical, technical and organizational security measures. Access to stored data is limited to personnel and tools operating under the least privilege policy: data is available only to Onramp team members who need it for their role and who have been trained to access it securely. Any non-public information that Onramp Invest processes, handles or stores is encrypted at rest.
Vulnerability and Patch Management
Security assessments are performed to identify vulnerabilities and to measure the effectiveness of the patch management program. Each vulnerability is reviewed to determine whether it applies to our environment, ranked by risk, and assigned to the appropriate team for remediation.
Onramp Invest continually monitors for security patches and updates to its operating systems, applications and infrastructure to limit exposure to emerging vulnerabilities. Onramp applies patches as vendors release them, after verifying them internally, and maintains an emergency process for urgent patches.
Secure Network Connections
All Onramp Invest application web traffic uses HTTPS (TLS) encryption. HTTPS protects data in transit by encrypting it, authenticating the server to the client and detecting tampering, so that the data is readable only by the intended recipient.
Software Development Lifecycle
The Onramp Invest engineering team follows a defined process for developing secure software. Onramp Invest is deployed on an iterative, rapid-release development lifecycle, and security and security testing are built into every phase of the development methodology, including the nightly OWASP Zed Attack Proxy run described above.
Incident Response
Onramp Invest has a formalized incident response plan, with associated procedures, for information security incidents. The Incident Response Plan defines the responsibilities of key personnel and identifies the processes and procedures for notification. The incident response team is responsible for handling every security incident through the phases of preparation, detection and analysis, containment, eradication and recovery.
Business Continuity and Disaster Recovery
To minimize service interruption due to hardware failure, natural disaster or other catastrophe, Onramp Invest has implemented a business continuity process designed to keep the downtime caused by a significant service interruption as short as possible.