Approach to Security
We continuously review industry-leading security standards and select the most applicable principles to provide the maximum protection for our clients. Some of the principles that we’ve implemented are role-based access control (RBAC), principle of least privilege (PoLP), defense in depth (DiD) and zero trust architecture.
Following role-based access control, we conduct comprehensive employee security training and ensure that all Othis employees are provided access to only the systems that they need to do their jobs. In addition, we follow the principle of least privilege to determine and grant each employee the minimum necessary permissions to each tool. For example, only senior technical staff have full access to the infrastructure that runs our services. The remaining technical staff have access to a “development” set of infrastructure that has no connection to the “live” set. A second example may be for our internal customer service system – only employees who perform customer service tasks have access to this system.
To add another layer of safety, we use defense in depth to protect the systems containing client data at multiple levels. As an example, we may store a document in a document vault. DiD means providing several layers of protection – (i) The document is encrypted. (ii) The encryption keys are regularly rotated. (iii) The document store is blocked from being accessed from the internet. (iv) A security policy is in place to restrict access to the document to our internal back-end application. (v) A further security policy states that only requests from a logged-in user can request access to the document.
We also employ continuous monitoring to detect and respond to threats and vulnerabilities. All requests (internal and external) are logged, and threat detection systems can respond in real time and alert us.
The source-code for software is continually scanned for vulnerabilities against industry published catalogues of defects and security reports.
On an annual basis, Othis undertakes to submit to a penetration test. We engage with an external security firm to review our application security and perform regular security checks. We conduct internal systems security and failover tests every six months. Security restrictions are reviewed every time changes are made to the system – with the Principle of Least Privilege being one of the core test criteria.
In addition to internal systems, Othis conducts a security review of all third-party vendors when considering hiring. Similarly, we conduct basic background checks on all Othis employees and contractor prior to hiring them. In addition, we enforce the policy that only employees in the EU can have access to any client information.
Our servers are located in high security data centers and comply with the highest security standards to ensure safety and anonymity. Our primary data storage and backup storage is in the European Union.
All information within Othis is end-to-end encrypted both while it's at rest (stored) and during transit. End-to-end encryption makes the data is only readable by the specific user. This ensures that client data is protected from unauthorized access and is highly secure from potential breaches or interception.
In adherence to data access and security measures, we enforce Multi-Factor Authentication that requires users to provide two or more forms of identification before gaining access to an account or system. This adds another security layer to protect the integrity and security of all client data.