SECURITY
Security FAQ
Is Ox SOC 2 certified?
Ox is proud to maintain a SOC 2 Type II certification. We are able to provide a complete SOC 2 Type II Report and/or Letter of Attestation upon request. Compliance is monitored through Vanta.
How does Ox classify its data?
Data Classification
To help Ox and its employees easily understand requirements associated with different kinds of information, the company has created three classes of data.
Confidential
Highly sensitive data requiring the highest levels of protection; access is restricted to specific employees or departments, and these records can only be passed to others with approval from the data owner or a company executive. Examples include:
- Customer Data
- Personally identifiable information (PII)
- Company financial and banking data
- Salary, compensation and payroll information
- Strategic plans
- Incident reports
- Risk assessment reports
- Technical vulnerability reports
- Authentication credentials
- Secrets and private keys
- Source code
- Litigation data
Restricted
Ox proprietary information requiring thorough protection; access is restricted to employees with a "need-to-know" based on business requirements. This data can only be distributed outside the company with approval. This is the default for all company information unless stated otherwise. Examples include:
- Internal policies
- Legal documents
- Meeting minutes and internal presentations
- Contracts
- Internal reports
- Slack messages
- Email
Public
Documents intended for public consumption which can be freely distributed outside Ox. Examples include:
- Marketing materials
- Product descriptions
- Release notes
- External-facing policies
How can I access my data?
Please submit a request through security@getox.com.
Does Ox assess the security and privacy practices of all third-party companies with access to customer data?
Ox is committed to keeping our customers' data safe and secure, and we want to make sure that our partners and vendors do, too. We request and review SOC 2 Type II reports from vendors that store or access customer data.
How do you handle data, application, and infrastructure security?
Data
Ox encrypts all data in transit and at rest. Access to production data must be approved by management and is reviewed regularly.
Application
Annual penetration testing and remediation practices are conducted to identify and remove vulnerabilities.
Infrastructure
Vulnerability scans are performed continuously and findings are patched in accordance with their severity levels. Network and system hardening standards are maintained and implemented. Intrusion detection systems are utilized.
For more questions, please contact security@getox.com.