ONEPROOF

Mobile Driver's License Security Information

Disclaimer for the download/accept screen of the App: By installing or using Oneproof Verification Applications, you are agreeing to the terms of our current Privacy Policy, Terms of Use, Cookie Policy, and Acceptable Use Policy. We encourage you to read, revisit, and use these documents to help you make informed decisions.

Effective as of September 15, 2024.

ONEPROOF INC

Security Information for ONEPROOF Mobile Driver's License/ID Verification Applications

This Security Information document applies to the Oneproof INC ("ONEPROOF") Mobile Driver's License/ID Verify mobile applications, web services, and web-based and cloud-hosted commercial product applications (the "Services") and outlines our comprehensive security framework, measures, and commitment to protecting customer data and systems. ONEPROOF is dedicated to maintaining the highest standards of security and data protection for all users and stakeholders.

Security is fundamental to our identity verification services. We implement multi-layered security controls, follow industry best practices, and maintain continuous monitoring to protect against evolving threats while ensuring service reliability and integrity.

1. Security Framework and Governance

ONEPROOF's security program is built on industry-recognized frameworks and standards:

  • NIST Cybersecurity Framework: Implementation of Identify, Protect, Detect, Respond, and Recover functions

  • ISO 27001 Standards: Information Security Management System (ISMS) aligned with international best practices

  • SOC 2 Type II Compliance: Regular third-party audits of security, availability, and confidentiality controls

  • OWASP Security Guidelines: Web application security based on Open Web Application Security Project recommendations

2. Data Protection and Encryption

ONEPROOF employs comprehensive encryption and data protection measures:

2.1 Data Encryption

  • Data at Rest: AES-256 encryption for all stored data, including databases, file systems, and backup storage

  • Data in Transit: TLS 1.3 encryption for all data transmission between clients and servers

  • Database Encryption: Transparent Data Encryption (TDE) and field-level encryption for sensitive data elements

  • Key Management: Hardware Security Modules (HSMs) and automated key rotation policies

2.2 Data Classification and Handling

  • Data Classification: Systematic classification of data based on sensitivity and regulatory requirements

  • Data Minimization: Collection and processing limited to necessary data for service functionality

  • Data Masking: Dynamic data masking for non-production environments and development activities

  • Secure Data Disposal: Cryptographic erasure and physical destruction of decommissioned storage media

3. Infrastructure Security

Our infrastructure security includes multiple layers of protection:

3.1 Cloud Security

  • Secure Cloud Architecture: Multi-region deployment with redundancy and disaster recovery capabilities

  • Virtual Private Clouds (VPCs): Isolated network environments with controlled access points

  • Container Security: Secure container orchestration with runtime protection and vulnerability scanning

  • Infrastructure as Code: Automated, auditable infrastructure deployment and configuration management

3.2 Network Security

  • Network Segmentation: Microsegmentation and zero-trust network architecture principles

  • Firewalls and WAF: Next-generation firewalls and Web Application Firewalls with DDoS protection

  • Intrusion Detection: Real-time network monitoring and automated threat response systems

  • VPN and Secure Access: Multi-factor authenticated VPN access for administrative functions

4. Application Security

ONEPROOF implements comprehensive application security measures:

  • Secure Development Lifecycle (SDLC): Security integrated throughout the development process from design to deployment

  • Code Security: Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and dependency scanning

  • API Security: OAuth 2.0, API rate limiting, input validation, and comprehensive API security testing

  • Mobile App Security: Certificate pinning, anti-tampering measures, and secure storage implementation

  • Regular Security Testing: Quarterly penetration testing and vulnerability assessments by third-party security firms

5. Identity and Access Management

Robust identity and access controls protect system resources:

  • Multi-Factor Authentication (MFA): Required for all administrative and user accounts accessing sensitive systems

  • Role-Based Access Control (RBAC): Granular permissions based on job function and principle of least privilege

  • Privileged Access Management: Just-in-time access, session recording, and automated privilege revocation

  • Single Sign-On (SSO): Centralized authentication with enterprise identity providers and session management

  • Access Reviews: Quarterly access certification and automated deprovisioning processes

6. Monitoring and Incident Response

Continuous monitoring and rapid incident response capabilities:

6.1 Security Monitoring

  • 24/7 Security Operations Center (SOC): Continuous monitoring and threat detection with security analysts

  • SIEM Integration: Security Information and Event Management system for real-time analysis and correlation

  • Threat Intelligence: Integration with global threat intelligence feeds and automated threat hunting

  • Anomaly Detection: Machine learning-based behavioral analysis and automated alerting

6.2 Incident Response

  • Incident Response Plan: Documented procedures for incident classification, escalation, and resolution

  • Response Team: Dedicated incident response team with defined roles and responsibilities

  • Communication Protocols: Stakeholder notification procedures and regulatory reporting requirements

  • Forensic Capabilities: Digital forensics tools and procedures for incident investigation and evidence preservation

7. Business Continuity and Disaster Recovery

Comprehensive business continuity planning ensures service availability:

  • Disaster Recovery Plan: Documented procedures for system recovery with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)

  • Geographic Redundancy: Multi-region data replication and failover capabilities

  • Backup Systems: Automated, encrypted backups with regular restoration testing

  • High Availability: 99.9% uptime SLA with load balancing and auto-scaling capabilities

8. Compliance and Certifications

ONEPROOF maintains compliance with multiple regulatory and industry standards:

  • Privacy Regulations: GDPR, CCPA, PIPEDA, and other applicable privacy laws

  • Industry Standards: PCI DSS for payment data, HIPAA for healthcare data, FERPA for educational records

  • Government Compliance: FedRAMP, FISMA, and other federal security requirements for government customers

  • International Standards: ISO 27001, SOC 2 Type II, and regional security certifications

9. Employee Security and Training

Human factors are critical to our security posture:

  • Background Checks: Comprehensive background screening for all employees with access to sensitive systems

  • Security Training: Mandatory annual security awareness training and role-specific security education

  • Clean Desk Policy: Physical security measures for office environments and remote work guidelines

  • Confidentiality Agreements: Comprehensive NDAs and security acknowledgment requirements

10. Third-Party Security

Vendor and partner security management:

  • Vendor Risk Assessment: Comprehensive security evaluation of all third-party vendors and service providers

  • Contractual Security Requirements: Security clauses and audit rights in all vendor agreements

  • Supply Chain Security: Verification of security controls throughout the technology supply chain

  • Regular Audits: Periodic security assessments of critical vendors and service providers

11. Vulnerability Management

Proactive identification and remediation of security vulnerabilities:

  • Vulnerability Scanning: Automated weekly scans of all systems and applications

  • Patch Management: Automated patch deployment with emergency patching procedures for critical vulnerabilities

  • Bug Bounty Program: Responsible disclosure program with security researchers and ethical hackers

  • Risk Assessment: Regular risk assessments and security posture evaluations

12. How to Contact Us

Security-related questions, concerns, or incident reports should be directed to:

  • Security Team: security@oneproof.com

  • Vulnerability Reports: security@oneproof.com

  • General Inquiries: privacy@oneproof.com

  • Emergency Security Incidents: Call our 24/7 incident response hotline (contact information provided to customers)

13. Updates to Security Information

ONEPROOF regularly updates our security measures and will update this Security Information document as needed. The latest version can be found at Security Information | ONEPROOF. We encourage users to review this information regularly to stay informed about our security practices and commitments.