Security and privacy at Ozaru

Security is at the heart of what we do—helping our customers improve their security and compliance posture starts with our own.

Enterprise security

Endpoint protection

All corporate devices are centrally managed and come equipped with mobile device management (MDM) software and anti-malware protection. Endpoint security alerts are monitored around the clock, every day of the year. We use MDM software to enforce secure settings on devices, such as disk encryption, screen lock, and software updates.

Vendor security

Ozaru applies a risk-based approach to managing vendor security. Factors that influence a vendor’s inherent risk rating include:

  • Access to customer and corporate data

  • Integration with production environments

  • Potential reputational impact on Ozaru

Once the inherent risk rating is established, the vendor’s security is assessed to determine residual risk and to make an approval decision.

Secure remote access

Ozaru secures remote access to internal resources with Tailscale, a modern VPN platform built on WireGuard. Additionally, we use malware-blocking DNS servers to protect employees and their devices while they browse the web.

Security education

Ozaru offers thorough security training to all employees at the time of onboarding and annually, using educational modules on Ozaru’s platform. Additionally, all new hires attend a live onboarding session focused on essential security principles. New engineers also attend a mandatory session on secure coding practices.

Ozaru’s security team regularly provides employees with threat briefings to keep them informed of important security-related updates that require attention or action.

Identity and access management

Ozaru uses Okta for identity and access management, enforcing phishing-resistant authentication methods and using WebAuthn wherever feasible.

Employees are granted application access based on their role, and their access is revoked automatically upon leaving the company. Any additional access requires approval according to the policies in place for each application.

Data protection

  • Data at rest

All customer data repositories, including S3 buckets, are encrypted while at rest. Sensitive collections and tables are further protected with row-level encryption.

This ensures that data is encrypted before entering the database, making physical or logical access insufficient to access the most sensitive information.

  • Data in transit

Ozaru employs TLS 1.2 or higher for all data transmission over potentially unsecured networks. We also leverage security features like HSTS (HTTP Strict Transport Security) to enhance the protection of data in transit. Server TLS certificates and keys are managed by AWS and deployed through Application Load Balancers.

  • Secret management

Encryption keys are managed using AWS Key Management Service (KMS). KMS stores key material in Hardware Security Modules (HSMs), preventing direct access by any individuals, including employees at Amazon and Ozaru. The keys in HSMs are used for encryption and decryption through Amazon’s KMS APIs.

Application secrets are encrypted and securely stored using AWS Secrets Manager and Parameter Store, with strictly limited access to these values.

Data privacy

At Ozaru, protecting data privacy is a top priority—we aim to responsibly safeguard all sensitive information.

Privacy Shield

Ozaru holds an active membership with Privacy Shield.

Regulatory compliance

Ozaru continuously monitors updates to regulatory and emerging frameworks to ensure our program remains current.

Privacy Policy and DPA

See Ozaru’s Privacy Policy
View our list of subprocessors
Access our DPA

Our policies are grounded in the following key principles

Access should only be given to individuals with a valid business need, following the least privilege principle.

Security measures should be layered and applied according to the defense-in-depth strategy.

Security measures must be consistently enforced throughout the entire organization.

The implementation of controls should evolve continuously, focusing on enhanced effectiveness, greater auditability, and reduced friction.

Product security

Vulnerability scanning

Ozaru conducts vulnerability scans at critical points in our Secure Development Lifecycle (SDLC):

  • Static analysis (SAST) of code during pull requests and on a regular basis

  • Software composition analysis (SCA) to detect known vulnerabilities in our software supply chain

  • Malicious dependency scanning to prevent malware from entering our software supply chain

  • Dynamic analysis (DAST) of running applications

  • Network vulnerability scanning at regular intervals

  • Continuous external attack surface management (EASM) to detect new externally-facing assets

Penetration testing

Ozaru engages top-tier penetration testing firms at least once a year. Our current go-to partner for penetration testing is Doyensec, a leader in GraphQL security.

All aspects of Ozaru’s product and cloud infrastructure are assessed, with full access to the source code provided to the testers to ensure maximum thoroughness and effectiveness.

Summary reports from these penetration tests are made available in our Trust Center.