Security details · for your CISO & their questionnaire

The long version.

Trust center has the summary. This page is the long form — controls, architecture, runbooks. Most enterprise security questionnaires can be answered from here.

1 · Foundation

Hosting & architecture

OneAce runs on managed cloud infrastructure (Vercel for the application tier, Neon-managed Postgres for the data tier). EU customers are pinned to EU-region database deployments; multi-region failover is available on Enterprise hosting.

  • VPC isolation, no public-facing databases, egress restricted at the platform layer
  • Edge WAF + DDoS protection in front of every public surface
  • Strict Content-Security-Policy with frame-ancestors 'none' on every response
  • Postgres row-level security tying every row to a tenant_id (CW6.x rollout — 30+ tables FORCE-enforced)

Tenant isolation. One database, one schema, with row-level security policies enforced at the database layer (not application). Penetration testers have specifically targeted tenancy escapes — report available under NDA.
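How a request's tenant typically reaches a row-level-security policy like the one described above, as an added example that is not OneAce's code. It assumes the policy reads a transaction-local Postgres setting named `app.tenant_id` and that the application runs statements through a small executor interface (both assumptions, not from the page). The check a reviewer would make on any such setup is that the tenant is bound with a transaction-local `set_config(..., true)` / `SET LOCAL`, never a session-wide `SET`, because pooled connections are reused across tenants; and that `FORCE ROW LEVEL SECURITY` is present, since without it the table owner is exempt from the policy.

```typescript
// Added example: binding a tenant to a Postgres transaction so the RLS policy
// can see it. Not OneAce code. Assumptions: the policy reads the setting
// app.tenant_id; statements go through a minimal parameterised executor.

export interface Executor {
  query(sql: string, params?: unknown[]): Promise<unknown>;
}

// DDL for one table. FORCE makes the policy apply to the table owner too, so a
// migration or service role cannot bypass it. The policy is deny-by-default: a
// row is visible (USING) or writable (WITH CHECK) only when its tenant_id
// equals the bound setting; with no setting bound, nothing matches.
export function rlsDdl(table: string): string[] {
  if (!/^[a-z_][a-z0-9_]*$/.test(table)) throw new Error(`bad table name: ${table}`);
  return [
    `ALTER TABLE ${table} ENABLE ROW LEVEL SECURITY`,
    `ALTER TABLE ${table} FORCE ROW LEVEL SECURITY`,
    `CREATE POLICY tenant_isolation ON ${table}
       USING (tenant_id = current_setting('app.tenant_id', true)::uuid)
       WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid)`,
  ];
}

const UUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Run fn inside a transaction with the tenant bound for that transaction only.
// set_config(..., true) is transaction-local (same as SET LOCAL). A plain SET
// would survive COMMIT and leak the binding to the next request that gets this
// pooled connection.
export async function withTenant<T>(
  db: Executor,
  tenantId: string,
  fn: (tx: Executor) => Promise<T>,
): Promise<T> {
  if (!UUID.test(tenantId)) throw new Error("tenantId must be a UUID");
  await db.query("BEGIN");
  try {
    await db.query("SELECT set_config('app.tenant_id', $1, true)", [tenantId]);
    const result = await fn(db);
    await db.query("COMMIT");
    return result;
  } catch (err) {
    await db.query("ROLLBACK");
    throw err;
  }
}

// Constructed fake executor that records statements, so the binding order can
// be checked without a database.
export function recordingExecutor(): Executor & { log: string[] } {
  const log: string[] = [];
  return {
    log,
    async query(sql, params) {
      log.push(params ? `${sql} -- ${JSON.stringify(params)}` : sql);
      return [];
    },
  };
}
```

With a real driver, `withTenant` is the only place that opens a transaction for tenant-scoped work, so a query that forgets to go through it runs with no tenant bound and the policy returns zero rows rather than another tenant's rows.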

2 · Cryptography

Encryption

Symmetric encryption everywhere data is at rest; TLS 1.3 everywhere data is in transit.

| Surface | Algorithm | Key management |
| --- | --- | --- |
| At rest · database | AES-256 (managed Postgres) | Provider-managed KMS; customer-managed keys on Enterprise |
| At rest · object store | AES-256 | Provider-managed KMS, rotated on a defined cadence |
| At rest · backups | AES-256 | Separate key, separate region |
| In transit · public | TLS 1.3 (1.2 fallback) | Edge-managed certificates |
| In transit · internal | TLS 1.3 | Mutual TLS between trusted services |
| Field-level (sensitive PII) | AES-256-GCM | Envelope encryption with rotated DEKs |
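What "envelope encryption with rotated DEKs" looks like in code, as an added example that is not OneAce's implementation. It assumes a key-encryption key (KEK) held by a KMS, stood in for here by a constructed in-memory key ring, a fresh data-encryption key (DEK) per field value that is wrapped with the KEK and stored next to the ciphertext, and the record id bound as GCM additional authenticated data so a ciphertext cannot be copied from one row to another. Rotation rewraps the DEK under the new KEK and leaves the data ciphertext untouched.

```typescript
// Added example: field-level envelope encryption with AES-256-GCM.
// Not OneAce code. Assumptions: KEKs come from a KMS (constructed KeyRing
// here); one DEK per field value; record id used as AAD.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

export interface WrappedDek { kekId: string; iv: string; tag: string; data: string }
export interface FieldCiphertext { dek: WrappedDek; iv: string; tag: string; data: string }

function gcmEncrypt(key: Buffer, plaintext: Buffer, aad: Buffer) {
  const iv = randomBytes(12); // 96-bit nonce, fresh for every call
  const c = createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(aad);
  const data = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv: iv.toString("base64"), tag: c.getAuthTag().toString("base64"), data: data.toString("base64") };
}

function gcmDecrypt(key: Buffer, box: { iv: string; tag: string; data: string }, aad: Buffer): Buffer {
  const d = createDecipheriv("aes-256-gcm", key, Buffer.from(box.iv, "base64"));
  d.setAAD(aad);
  d.setAuthTag(Buffer.from(box.tag, "base64"));
  return Buffer.concat([d.update(Buffer.from(box.data, "base64")), d.final()]); // throws if tag or AAD mismatch
}

// Constructed stand-in for a KMS key ring: kekId -> 256-bit key.
export class KeyRing {
  private keks = new Map<string, Buffer>();
  constructor(public current: string) { this.keks.set(current, randomBytes(32)); }
  rotate(newId: string): void { this.keks.set(newId, randomBytes(32)); this.current = newId; }
  get(id: string): Buffer {
    const k = this.keks.get(id);
    if (!k) throw new Error(`unknown KEK ${id}`);
    return k;
  }
}

export function encryptField(ring: KeyRing, recordId: string, plaintext: string): FieldCiphertext {
  const dek = randomBytes(32); // fresh DEK for this field value
  const wrapped = gcmEncrypt(ring.get(ring.current), dek, Buffer.from(ring.current));
  const body = gcmEncrypt(dek, Buffer.from(plaintext, "utf8"), Buffer.from(recordId));
  return { dek: { kekId: ring.current, ...wrapped }, ...body };
}

export function decryptField(ring: KeyRing, recordId: string, ct: FieldCiphertext): string {
  const dek = gcmDecrypt(ring.get(ct.dek.kekId), ct.dek, Buffer.from(ct.dek.kekId));
  return gcmDecrypt(dek, ct, Buffer.from(recordId)).toString("utf8");
}

// KEK rotation: unwrap under the old KEK, rewrap under the current one. The
// data ciphertext is untouched, so rotation is cheap even for large tables,
// and the old KEK can be retired once no row references its kekId.
export function rewrapDek(ring: KeyRing, ct: FieldCiphertext): FieldCiphertext {
  const dek = gcmDecrypt(ring.get(ct.dek.kekId), ct.dek, Buffer.from(ct.dek.kekId));
  const wrapped = gcmEncrypt(ring.get(ring.current), dek, Buffer.from(ring.current));
  return { ...ct, dek: { kekId: ring.current, ...wrapped } };
}
```

Binding the record id as AAD is the detail that turns "encrypted at the field level" into a per-row guarantee: the same ciphertext pasted into another row fails authentication instead of decrypting.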

3 · Authorization

Access controls

Internal (OneAce employees)

  • SSO with mandatory 2FA on every internal system
  • Customer-data access requires a ticket with stated reason; time-limited and reviewed
  • Production write access limited to a named on-call rotation, audited periodically
  • Quarterly access review

Customer (your team)

  • Capability-based authorization: every gated action runs through requireCapability; roles are presentation, capabilities are the gate
  • Field-level redaction available for sensitive columns on Enterprise
  • API tokens are scoped, revocable, and never logged in plain text
  • 2FA (TOTP) available on every plan; enforceable on Pro and above
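The shape of the "roles are presentation, capabilities are the gate" rule, as an added example that is not OneAce's `requireCapability`. The capability names, the role-to-capability map, the `Principal` type and the `deleteInventoryItem` action are all assumed for the illustration. The properties worth checking in any such gate are that it denies by default (an unknown role grants nothing, a missing capability throws), that no code path compares role names, and that the action also scopes by tenant so a capability granted in one tenant never reaches another tenant's rows.

```typescript
// Added example: capability-based authorization. Not OneAce code; capability
// strings, roles and the sample action are assumed.

export type Capability =
  | "inventory:read" | "inventory:write" | "billing:read" | "billing:write" | "members:manage";

// Roles are an assignment convenience that expand to capability sets. A role
// name never appears in a gate check, so renaming or adding roles cannot open
// a gap in enforcement.
const ROLE_CAPABILITIES: Record<string, ReadonlySet<Capability>> = {
  viewer: new Set<Capability>(["inventory:read", "billing:read"]),
  editor: new Set<Capability>(["inventory:read", "inventory:write", "billing:read"]),
  owner: new Set<Capability>(["inventory:read", "inventory:write", "billing:read", "billing:write", "members:manage"]),
};

export interface Principal { userId: string; tenantId: string; roles: string[]; extraCapabilities?: Capability[] }
export interface Item { id: string; tenantId: string }

export class ForbiddenError extends Error {
  constructor(public readonly capability: Capability, public readonly userId: string) {
    super(`missing capability ${capability}`);
  }
}

export function capabilitiesOf(p: Principal): Set<Capability> {
  const caps = new Set<Capability>(p.extraCapabilities ?? []);
  for (const role of p.roles) {
    const granted = ROLE_CAPABILITIES[role]; // unknown role -> undefined -> grants nothing
    if (granted) granted.forEach((c) => caps.add(c));
  }
  return caps;
}

// Deny by default: the only way through is holding the named capability.
export function requireCapability(p: Principal, cap: Capability): void {
  if (!capabilitiesOf(p).has(cap)) throw new ForbiddenError(cap, p.userId);
}

// A gated action: capability check first, then tenant scoping, then the write.
export function deleteInventoryItem(p: Principal, item: Item, store: Map<string, Item>): boolean {
  requireCapability(p, "inventory:write");
  if (item.tenantId !== p.tenantId) throw new ForbiddenError("inventory:write", p.userId);
  return store.delete(item.id);
}
```

Returning a `ForbiddenError` with the capability and user attached makes denials easy to log and alert on, which is the signal a detection team wants when a token starts probing actions it was never granted.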

4 · Identity

Identity & SSO

Email + password + 2FA ships everywhere today. SAML / OIDC / SCIM are Enterprise add-ons; contact us for current readiness and rollout timing.

| Capability | Free | Pro | Enterprise |
| --- | --- | --- | --- |
| Email + password + 2FA (TOTP) | Yes | Yes | Yes |
| Magic link | Yes | Yes | Yes |
| Google / Microsoft OAuth | Yes | Yes | Yes |
| SAML 2.0 | | Roadmap | On request |
| OIDC | | Roadmap | On request |
| SCIM 2.0 provisioning | | | On request |
| Mandatory 2FA enforcement | | Yes | Yes |
| IP allowlist | | | On request |
| Session timeout policy | | Yes | Yes |

5 · Engineering

Secure SDLC

Every code change goes through PR review, automated static analysis, dependency audit, a unit + integration test gate, and a staging canary before production.

  • Trunk-based development with branch protection; required CI: Lint (Biome) + Typecheck + Vitest + Prisma Validate + Prisma Migrations
  • Feature flags for risky changes; pinned static tests for security-sensitive contracts (CSP, RLS smoke, KVKK/GDPR token paths)
  • Security-sensitive paths (auth, billing, multi-tenant boundaries) require a second senior reviewer
  • Threat modeling alongside feature design, owned by the engineer shipping the change

6 · Vulnerabilities

Vulnerability management

SLAs counted from confirmation, not disclosure.

| Severity | Patch SLA | Notification |
| --- | --- | --- |
| Critical (CVSS 9–10) | 24 hours | Status page + email within 4h of confirmation |
| High (CVSS 7–8.9) | 7 days | Status page within 24h |
| Medium (CVSS 4–6.9) | 30 days | Quarterly summary |
| Low (CVSS 0–3.9) | 90 days | Quarterly summary |

OneAce engages independent third-party penetration testers on a recurring cadence. The most recent report (executive summary + remediation status) is available under NDA on request — email security@oneace.app.

7 · Resilience

Business continuity

Recovery targets are documented in the disaster-recovery runbook (available under NDA) and exercised on a defined cadence.

  • RPO target. Streaming replication to a standby; replication lag monitored continuously
  • RTO target. Documented and exercised; drill outcomes shared with Enterprise customers
  • Daily encrypted backups with a retention policy; restore validation on a defined cadence
  • Cron jobs idempotent via the CronRun ledger — retries are a no-op
  • Live infrastructure health on the status page
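The "retries are a no-op" property of a run ledger, as an added example in the spirit of the CronRun ledger mentioned above; it is not OneAce's code, and the ledger columns and the in-memory store standing in for a Postgres table are assumed. The pattern is claim-then-execute: a row keyed by (job, scheduled slot) is inserted before any work happens, so a second scheduler instance or a retry after a crash finds the row and returns without repeating side effects.

```typescript
// Added example: idempotent scheduled jobs via a run ledger. Not OneAce code.
// Assumptions: ledger keyed by job + scheduled slot; in-memory Map stands in
// for a table with a UNIQUE (job, scheduled_at) constraint.

export type RunStatus = "running" | "succeeded" | "failed";
export interface CronRun { key: string; status: RunStatus; error?: string }

export class Ledger {
  private rows = new Map<string, CronRun>();

  // Atomic claim. In Postgres this is
  //   INSERT INTO cron_run (job, scheduled_at, status) VALUES ($1, $2, 'running')
  //   ON CONFLICT DO NOTHING RETURNING *
  // and a null result means another run already owns the slot.
  claim(key: string): CronRun | null {
    if (this.rows.has(key)) return null;
    const row: CronRun = { key, status: "running" };
    this.rows.set(key, row);
    return row;
  }

  get(key: string): CronRun | undefined { return this.rows.get(key); }
}

// Run `work` at most once per (job, scheduledAt). A retry for the same slot,
// whether from the scheduler or a manual re-trigger, is a no-op.
export async function runOnce(
  ledger: Ledger,
  job: string,
  scheduledAt: string,
  work: () => Promise<void>,
): Promise<"ran" | "skipped"> {
  const key = `${job}@${scheduledAt}`;
  const row = ledger.claim(key);
  if (!row) return "skipped";
  try {
    await work();
    row.status = "succeeded";
  } catch (e) {
    row.status = "failed"; // recorded for operators; the slot stays claimed
    row.error = String(e);
    throw e;
  }
  return "ran";
}
```

Keying on the scheduled slot rather than on wall-clock time is what makes the ledger useful during an incident: a job re-run an hour late still maps to the slot it was meant for, and a run that crashed mid-way leaves a `failed` row that an operator can inspect before deciding to clear it.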

8 · On-call

Incident response

  • Detection: Sentry telemetry + Vercel monitoring + customer reports
  • Response chain: on-call engineer → security lead (P1+) → engineering lead (P0)
  • Public status updates within 15 minutes of detection
  • Customer email within 4 hours for confirmed data-impact incidents
  • Postmortem published for every P1+ incident

History. Incident history is published on the status page. We do not maintain a separate redacted incident count outside that surface.

9 · Privacy

Privacy & data rights

  • GDPR & UK GDPR. Article 28 DPA available on request. EU customer data stays in EU.
  • KVKK (TR). See our KVKK notice and DSAR process.
  • CCPA / CPRA. DSARs honored within 30 days; self-service in Settings → Account.
  • Data deletion. User-delete cascades inventory data in the same transaction; certified on request.
  • Data export. Self-service CSV/JSON export of every record we hold for you.
  • Sub-processor list. Published with advance notice on changes.
  • Telemetry hygiene. Analytics events scrubbed by a PII denylist (email, phone, tokens never logged).
  • Accessibility. We target WCAG 2.1 AA; conformance statement maintained alongside the product.

10 · Disclosure

Responsible disclosure

OneAce runs an invite-only bounty program. Production scope only; out of scope: marketing site, third-party SaaS, social engineering of staff, physical attacks.

To report a vulnerability or request a bounty invitation, email security@oneace.app. We acknowledge receipt within 1 business day and triage within 5. Reward bands are published to invited researchers; please do not publish details before we confirm a fix is live.

Compliance posture

SOC 2 Type II. In progress. Report shared under NDA when available.

ISO 27001. On the roadmap. Controls mapped against the Annex A reference.

GDPR / UK GDPR / KVKK. Operationally enforced today (DPA, EU pinning, DSAR self-service).

WCAG 2.1 AA. Conformance statement maintained alongside the product.
