Enterprise Security Stack in OnSync: SSO, RBAC, Audit Trails & Regional Data Controls

Data Protection & Encryption

Customer content, attachments, and AI embeddings sit in encrypted stores (AES-256) with customer-specific keys rotated via AWS KMS. Access requires quorum approval and is fully logged.

Backups remain encrypted, versioned, and geographically separated for disaster recovery guarantees (< 15 minute RPO, 1 hour RTO).

In Transit

TLS 1.3 protects traffic between agents, APIs, and channel partners. Mutual TLS is enforced for enterprise webhooks.

Optional per-message end-to-end encryption modules satisfy healthcare customers needing double-wrapped payloads before they leave internal networks.

Audit Trails & Compliance Evidence

Immutable Logs

Every user action—login, template edit, export, AI response acceptance—is captured with timestamp, IP, device, and conversation reference. Logs retain for 24+ months by default (longer for finance customers).

Stream logs into your SIEM (Splunk, Datadog, Sumo) in real time.

Regulatory Toolkits

• GDPR: Data subject export & delete APIs, EU-hosted infrastructure, and consent tracking.
• HIPAA: BAA availability, access controls for PHI, and intrusion monitoring.
• PCI & audit readiness: Quarterly penetration tests, vulnerability scans, and secure SDLC documentation.

Regional Data Residency

Choose the geography where your conversation data is stored. Regional shards eliminate cross-border transfers unless you opt in to global search indexes.

United States

AWS us-east-1/us-west-2 with FedRAMP-ready options.

European Union

AWS eu-central-1 with Schrems II compliant safeguards and EU-only support staff.

Asia Pacific

AWS ap-southeast-1 with data localization for Singapore + ANZ enterprises.

Incident Response & Monitoring

Response Plan

24/7 security team monitors alerts, performs war-room drills quarterly, and commits to sub-24-hour customer notification SLAs for confirmed incidents.

Clients receive a full postmortem with remediation steps and log exports.

Continuous Monitoring

• Runtime protections (AWS GuardDuty, Datadog runtime) flag anomalies in seconds.
• Weekly vulnerability scans with automated ticketing to engineering owners.
• Annual third-party penetration tests and customer-observed tabletop exercises.

Security Evaluation Checklist

Use this list when comparing OnSync with legacy inboxes or point solutions.

• Does the vendor support SSO, SCIM, and enforced MFA?
• Are audit logs exportable in real time to your SIEM?
• Can data residency be guaranteed at rest and backup layers?
• Is there a dedicated security contact and incident SLA?
• Are penetration test summaries and independent audit reports available under NDA?