How we secure ONTRACE itself.
An ISMS platform that doesn't secure its own infrastructure isn't an ISMS platform — it's a liability. Here's how ONTRACE.AI secures the platform you trust with your security management data.
Security Controls
Security across every layer.
ONTRACE.AI applies security controls at the infrastructure, data, access, and operational layers — the same defence-in-depth approach we help customers implement for their own ISMS.
Infrastructure Security
The ONTRACE.AI platform is deployed on enterprise-grade cloud infrastructure with security hardening applied at every layer.
Data Handling & Storage
Customer data is treated as the most sensitive asset in our environment, with controls designed to exceed the standards we help customers implement.
Access Controls
Access to ONTRACE.AI production systems follows the principle of least privilege with multi-factor authentication required at every access point.
Monitoring & Detection
Continuous monitoring across the ONTRACE.AI environment provides real-time visibility into security events and anomalies.
Incident Response
Documented incident response procedures are tested regularly and include defined escalation paths, customer notification obligations, and post-incident review.
Change Management
All changes to the ONTRACE.AI platform undergo a structured review process to prevent unauthorized or error-prone modifications.
Third-Party & Supply Chain
We manage our supply chain risk rigorously.
As an ISMS platform, we take our own third-party risk obligations seriously. All sub-processors and critical suppliers are assessed before onboarding and reviewed periodically.
Security Testing
We test our security — not just assert it.
Documented security controls are only as good as their last test. ONTRACE.AI maintains a regular testing programme to validate that controls work as designed.
By independent external assessors
Automated scanning of all production components
Tabletop and simulation exercises
All production and administrative access reviewed
Responsible Disclosure
Found a vulnerability? We want to hear from you.
If you believe you've found a security vulnerability in ONTRACE.AI, please report it responsibly. We are committed to working with the security research community to protect our customers.
Report
Submit your finding to our security team via the contact form. Include as much detail as possible — steps to reproduce, impact assessment, and any supporting artefacts.
Acknowledge
We will acknowledge receipt of your report within 3 business days and assign it an internal tracking reference.
Triage
Our security team will triage the finding, assess severity and impact, and communicate a preliminary assessment to you within 10 business days.
Remediate
We will work to address confirmed vulnerabilities with timescales aligned to severity. Critical findings receive immediate attention.
Disclose
We coordinate disclosure timing with reporters. We are committed to responsible disclosure and will not pursue legal action against good-faith reporters.
Scope & Guidelines
Security Assurance
What you can request from our security team.
Security Questionnaire
Comprehensive answers to standard security questionnaires (SIG, VSAQ, custom).
Data Processing Agreement
GDPR-aligned DPA with details on sub-processors and data handling obligations.
Penetration Test Summary
Executive summary of the most recent third-party penetration test findings and remediation status.
Security Review Call
Live conversation with our security team for enterprise procurement and due diligence processes.
Security Contact
Questions about our security practices?
Enterprise security teams, procurement teams, and security researchers are welcome to contact us directly. We aim to respond to security enquiries within 3 business days.