Enterprise Security Stack in OnSync: SSO, RBAC, Audit Trails & Regional Data Controls

Security Posture at a Glance

Security readiness

Independent audits & controls

Identity Options

SSO + SCIM

Encryption

AES-256 + TLS 1.3

Regions

US, EU, APAC

Beyond WhatsApp, Instagram, Facebook, and Telegram connectivity, OnSync delivers an enterprise control plane that regulators and internal security teams expect—without requiring additional middleware.

Identity & Access Control

SSO + MFA Everywhere

SAML connections for Okta, Azure AD, Google Workspace, and custom IdPs.
SCIM provisioning automatically syncs onboarding/offboarding with HRIS events.
Mandatory MFA (TOTP, WebAuthn, or IdP-enforced) before channel credentials are accessible.

Granular RBAC

Role templates for agents, reviewers, finance approvers, and developers.
Queue-level permissions restrict who can view exports, macros, or automation builders.
Just-in-time elevated access with approvals, auto-expiring after the task completes.

Data Protection & Encryption

At Rest

Customer content, attachments, and AI embeddings sit in encrypted stores (AES-256) with customer-specific keys rotated via AWS KMS. Access requires quorum approval and is fully logged.

Backups remain encrypted, versioned, and geographically separated for disaster recovery guarantees (< 15 minute RPO, 1 hour RTO).

In Transit

TLS 1.3 protects traffic between agents, APIs, and channel partners. Mutual TLS is enforced for enterprise webhooks.

Optional per-message end-to-end encryption modules satisfy healthcare customers needing double-wrapped payloads before they leave internal networks.

Audit Trails & Compliance Evidence

Immutable Logs

Every user action—login, template edit, export, AI response acceptance—is captured with timestamp, IP, device, and conversation reference. Logs retain for 24+ months by default (longer for finance customers).

Stream logs into your SIEM (Splunk, Datadog, Sumo) in real time.

Regulatory Toolkits

GDPR: Data subject export & delete APIs, EU-hosted infrastructure, and consent tracking.
HIPAA: BAA availability, access controls for PHI, and intrusion monitoring.
PCI & audit readiness: Quarterly penetration tests, vulnerability scans, and secure SDLC documentation.

Regional Data Residency

Choose the geography where your conversation data is stored. Regional shards eliminate cross-border transfers unless you opt in to global search indexes.

United States

AWS us-east-1/us-west-2 with FedRAMP-ready options.

European Union

AWS eu-central-1 with Schrems II compliant safeguards and EU-only support staff.

Asia Pacific

AWS ap-southeast-1 with data localization for Singapore + ANZ enterprises.

Incident Response & Monitoring

Response Plan

24/7 security team monitors alerts, performs war-room drills quarterly, and commits to sub-24-hour customer notification SLAs for confirmed incidents.

Clients receive a full postmortem with remediation steps and log exports.

Continuous Monitoring

Runtime protections (AWS GuardDuty, Datadog runtime) flag anomalies in seconds.
Weekly vulnerability scans with automated ticketing to engineering owners.
Annual third-party penetration tests and customer-observed tabletop exercises.

Security Evaluation Checklist

Use this list when comparing OnSync with legacy inboxes or point solutions.

Does the vendor support SSO, SCIM, and enforced MFA?
Are audit logs exportable in real time to your SIEM?
Can data residency be guaranteed at rest and backup layers?
Is there a dedicated security contact and incident SLA?
Are penetration test summaries and independent audit reports available under NDA?

Security Posture at a Glance

Security readiness

Independent audits & controls

Identity Options

SSO + SCIM

Encryption

AES-256 + TLS 1.3

Regions

US, EU, APAC

Identity & Access Control

SSO + MFA Everywhere

SAML connections for Okta, Azure AD, Google Workspace, and custom IdPs.
SCIM provisioning automatically syncs onboarding/offboarding with HRIS events.
Mandatory MFA (TOTP, WebAuthn, or IdP-enforced) before channel credentials are accessible.

Granular RBAC

Role templates for agents, reviewers, finance approvers, and developers.
Queue-level permissions restrict who can view exports, macros, or automation builders.
Just-in-time elevated access with approvals, auto-expiring after the task completes.

Data Protection & Encryption

At Rest

Customer content, attachments, and AI embeddings sit in encrypted stores (AES-256) with customer-specific keys rotated via AWS KMS. Access requires quorum approval and is fully logged.

Backups remain encrypted, versioned, and geographically separated for disaster recovery guarantees (< 15 minute RPO, 1 hour RTO).

In Transit

TLS 1.3 protects traffic between agents, APIs, and channel partners. Mutual TLS is enforced for enterprise webhooks.

Optional per-message end-to-end encryption modules satisfy healthcare customers needing double-wrapped payloads before they leave internal networks.

Audit Trails & Compliance Evidence

Immutable Logs

Stream logs into your SIEM (Splunk, Datadog, Sumo) in real time.

Regulatory Toolkits

GDPR: Data subject export & delete APIs, EU-hosted infrastructure, and consent tracking.
HIPAA: BAA availability, access controls for PHI, and intrusion monitoring.
PCI & audit readiness: Quarterly penetration tests, vulnerability scans, and secure SDLC documentation.

Regional Data Residency

Choose the geography where your conversation data is stored. Regional shards eliminate cross-border transfers unless you opt in to global search indexes.

United States

AWS us-east-1/us-west-2 with FedRAMP-ready options.

European Union

AWS eu-central-1 with Schrems II compliant safeguards and EU-only support staff.

Asia Pacific

AWS ap-southeast-1 with data localization for Singapore + ANZ enterprises.

Incident Response & Monitoring

Response Plan

24/7 security team monitors alerts, performs war-room drills quarterly, and commits to sub-24-hour customer notification SLAs for confirmed incidents.

Clients receive a full postmortem with remediation steps and log exports.

Continuous Monitoring

Runtime protections (AWS GuardDuty, Datadog runtime) flag anomalies in seconds.
Weekly vulnerability scans with automated ticketing to engineering owners.
Annual third-party penetration tests and customer-observed tabletop exercises.

Security Evaluation Checklist

Use this list when comparing OnSync with legacy inboxes or point solutions.

Does the vendor support SSO, SCIM, and enforced MFA?

Are audit logs exportable in real time to your SIEM?

Can data residency be guaranteed at rest and backup layers?

Is there a dedicated security contact and incident SLA?

Are penetration test summaries and independent audit reports available under NDA?

Quick Answer

Key Points

Enterprise Security Stack in OnSync: SSO, RBAC, Audit Trails & Regional Data Controls

Security Posture at a Glance

Identity & Access Control

SSO + MFA Everywhere

Granular RBAC

Data Protection & Encryption

At Rest

In Transit

Audit Trails & Compliance Evidence

Immutable Logs

Regulatory Toolkits

Regional Data Residency

United States

European Union

Asia Pacific

Incident Response & Monitoring

Response Plan

Continuous Monitoring

Security Evaluation Checklist

Ready to Get Started?

Quick Answer

Key Points

Enterprise Security Stack in OnSync: SSO, RBAC, Audit Trails & Regional Data Controls

Security Posture at a Glance

Identity & Access Control

SSO + MFA Everywhere

Granular RBAC

Data Protection & Encryption

At Rest

In Transit

Audit Trails & Compliance Evidence

Immutable Logs

Regulatory Toolkits

Regional Data Residency

United States

European Union

Asia Pacific

Incident Response & Monitoring

Response Plan

Continuous Monitoring

Security Evaluation Checklist

Ready to Get Started?