OneTrust’s commitment to trust begins and ends with privacy, security and compliance. We strive to not only comply and implement best practices, but to stay one step ahead, pioneering the future of privacy & security as technology continues to evolve.
You Trust Us For Your Compliance Program, Learn More About Ours
Privacy
As a global leader in privacy and data protection, our goal is to make our practices as transparent as possible and to give you control over your data. Privacy is at the core of what we do, which is why we are at the forefront of driving and adopting industry standards and best practices. Learn More
Security
Security is embedded throughout our organization, from our products to the people. We’ve put the controls and processes in place to safeguard your data, taking a risk-based approach and making continuous improvement a mandate. Learn More
Compliance
OneTrust provides highly resilient and secure cloud-based services to customers all over the world. The security of the infrastructure and data is a foundational requirement. This must be demonstrated consistently both to maintain customer trust and for regulatory and compliance reasons. OneTrust maintains accreditation with many common standards such as those shown.
Reliability
Deployed in the cloud or on-premises, our platform is designed to deliver stable solutions so our customers can scale with confidence. OneTrust’s SOC 2 report provides assurance that our team has designed an effective system of security, availability and confidentiality controls.
Practicing What We Preach
We strive to help our customers build world-class privacy programs, and therefore believe that we should hold ourselves to the same standards. We’ve demonstrated this by not only pursuing industry standard security certifications, but also by being the first organization in the world to achieve the ISO 27701 certification, the privacy extension to the popular ISO 27001 security standard.
Certifications
ISO/IEC 27001 Information Security Management System Certification
OneTrust’s Integrated Management System (IMS) has achieved and maintains ISO/IEC 27001:2013 certification for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. OneTrust’s certificate can be found here.
ISO/IEC 27701 Privacy Information Management System Certification
OneTrust LLC’s Integrated Management System (IMS) earned an ISO/IEC 27701:2019 (Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines) certification, which can be found here. OneTrust was the first organization in the world to achieve this new certification, which provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System.
SOC 2 Type II Report Security Controls
OneTrust annually executes and completes a SOC 2 for Service Organizations: Trust Services Criteria (i.e., a SOC 2 Type II Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy). The independent CPA firm, Coalfire Controls, LLC has issued the SOC 2 Report and included an unqualified (clean) opinion on the design of the Company’s controls relative to the Security, Availability, and Confidentiality Trust Services Principle and Criteria. The SOC 2 report provides assurance to OneTrust and its customers that the OneTrust has designed an effective system of security, availability, and confidentiality controls. OneTrust’s SOC 2 Type II Report also includes a mapping of security, availability, and confidentiality trust services criteria to ISO 27001:2013 and to applicable requirements of the European Union’s General Data Protection Regulation (GDPR). OneTrust is happy to provide a copy of the SOC 2 Type II Report upon request under NDA.
PCI DSS
OneTrust has been certified as compliant with the Payment Card Industry Data Security Standard (PCI DSS) v3.2.1. As a Service Provider, OneTrust provides an application solution to aid customers with Privacy, Security, and Data Governance to meet privacy management, third-party risk monitoring, GRC functions, and data governance for various information security standards. Customers upload their data, (which may contain elements of cardholder data), from their devices to the OneTrust application platform.
Options for EU Customers In Light of "Schrems II" Decision
On July 16, 2020 the Court of Justice of the European Union invalidated EU-US Privacy Shield as a data transfer mechanism between the EU and US. Since then, additional guidance on supplementary measures for international data transfers has been released by the European Data Protection Board, and updated draft Standard Contractual Clauses by the European Commission. OneTrust is dedicated to offering our customers flexible options that meet their unique business needs along with their interpretation of these new guidelines, and therefore offers the following options to our customers:
HOST ON-PREMISES IN COUNTRY OF YOUR CHOICE
Customers can choose to host OneTrust fully on-premises in their data center or in a private cloud, local to a country of their choice and under their control.
STANDARD CONTRACTUAL CLAUSE BASED SOLUTION - MULTI-TENANT SAAS
Customers can leverage a multi-tenant SaaS instance of OneTrust deployed in any of our 10 data centers, including Germany, France or Switzerland, with limited data transfers. These data transfers will be based on the updated SCCs from the European Commission as well as European Data Protection Board recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data
SAAS HOSTED WITH BRING YOUR OWN KEY (BYOK) ENCRYPTION
Customers can host in our cloud environments while maintaining full control to create, disable, and revoke access to their encryption keys, preventing OneTrust or any entity from having the ability to decrypt customer data.
OneTrust is committed to transparency in its privacy practices. We will continue to provide our policy for government and law enforcement requests for customer data and a publish Transparency Report that documents the number of requests received and how we responded to them. You can view this report at the link below
Going Cloud? Choose From 10 Global Data Centers
AUSTRALIA | BRAZIL | CANADA | FRANCE | GERMANY | INDIA | UNITED KINGDOM | UNITED STATES | SINGAPORE | SWITZERLAND
*Cloud hosting provided by Microsoft Azure
OneTrust registered with the Cloud Security Alliance, please follow this link for further information.
View