SECURITY
White paper

We offer a Data Exchange Platform where both flex workers and agencies are in a position to save their data once, and subsequently share this data as often and for as long as they wish.

Our goal is that a data owner or an agency – as an Only Once member or client – can use our service to answer a plethora of repeated information requests on his/her behalf: the member controls his/her own data and decides which data consumers may access it. This also implies that Only Once must ensure data privacy and data security, and therefore privacy and security are cornerstone criteria in all aspects of the Only Once company: from human resources to database design, from innovation and development methods to daily operations, from the highest standards we demand from our suppliers to an internal culture of continuous improvement and managing risk.

This white paper outlines Only Once’s main security controls in areas relevant to our members and clients.

Manifesto

Only Once has defined a manifesto that sets out our core principles, values and beliefs. One of them is ‘privacy and security by design’. For more information, please refer to the manifesto page.

Platform based on Solid/Inrupt

We meticulously address the core principles and standards advocated by Solid, the innovative architecture developed by Inrupt. Our commitment to data sovereignty, decentralization, and user empowerment aligns seamlessly with Solid's security principles. By adhering to Solid's robust standards, we ensure the confidentiality, integrity, and availability of user data within our system. Complying with Solid’s principles underscores our dedication to fostering a secure digital environment, where flex workers have control over their business information, in line with the progressive ethos of Solid architecture. For more info, read https://www.mdpi.com/2078-2489/14/7/411

Staffing

New employees are subject to pre-employment screening: they must provide certificates of conduct, and their education, previous employers and other references are checked. All employees undergo periodic security and privacy awareness programs. Management oversees and organizes the security and privacy training that employees need for their role.

Only Once fosters an open culture, with ample room to share findings and to continuously improve the system. When people change roles, their privileges are updated in line with their new roles. At employment end, a security-aware exit procedure is followed: knowledge transfer is arranged, the parting employee is reminded of non-disclosure agreements, all access is revoked, and all company assets (including information) must be returned to the company.

During orientation, all employees receive a code of conduct which includes a summary of the security guidelines within Only Once. These guidelines dictate the safe and secure handling of customer information and ensure safety in dealings with third parties. Only Once requires all employees to sign an NDA and comply with its Code of Conduct. Depending on the function of the employee, additional knowledge of security aspects may be required. For example, all Quality Assurance employees have increased knowledge of automated security tests for all features within Only Once.

Where applicable, the above controls are also applied to subcontracted parties.

Asset management

There is an administration of all assets that are part of the Only Once platform, including those for its supporting functions. All assets are classified on confidentiality, integrity and availability. Privacy is of course taken into account in this classification.

Information handling

Only Once assists its members in keeping their own data correct and secure. This is done by providing end-users with guidance, how-tos, background on how data is processed, and awareness information. At membership end, all personal data is safely purged by Only Once.

Only Once users can use a mobile app to access the platform and their PODs. Only Once provides them with advice on how to secure their own devices, but the users remain responsible for their own devices.

Type of data stored

Only Once is a business platform and therefore we primarily store business data which is mostly publicly accessible, such as company name, company address, bank information, etc. Other information, such as first name, availability, certificates and resume, is also stored, but in almost all cases it can also be found on the internet/LinkedIn. Only Once does not yet store any sensitive documents or other privacy-sensitive information.

Security operations/firewalls

Only Once security monitoring is focused on information gathering from all sources of traffic. This is attained with an end-to-end monitoring tool which covers application monitoring, database monitoring and internet traffic, and furthermore inspects suspicious behaviour within the network. This is achieved through AWS services such as GuardDuty, WAF and CloudWatch. With this application, the security monitoring team has a 24/7 live feedback system to minimize any issues on the platform.

Only Once has strict processes on how to detect incidents and how to deal with them. This process specifies the courses of action, procedures, analytics, solution and documentation. Incidents involving customer data will have the highest priority for the incident response teams. Customers will then be informed. Based on the incident severity and impact, measures will be taken to prevent recurrence.

Access control & Restrictions

Only Once makes use of proven authentication methods and standards. As an open platform, Only Once is initially based on self-claimed identities. The Only Once architecture is ready to also support higher identity assurance levels in future use cases. When accessing an account, an OTP is required at minimum, and access is role-based (RBAC). This will be replaced in the near future with WebID/POD ID.

All authorizations are based on the principles of least privilege and need-to-know. Authorizations are checked periodically. We also use AI threat intelligence to protect our login server. In parallel, suspicious countries are blocked from access on the app stores as well as on AWS (Allow List).

Regulatory compliance

Only Once fully complies with GDPR. Privacy-by-design is the foremost principle of Only Once. The use of personal data is under control of the owning member. Only Once provides end-user interfaces to access, correct, share and remove member data.

All information exchanged using the Only Once service is owned by the users of Only Once. Only Once does not claim any ownership of this data. A member’s data is not accessible to Only Once employees.

Only Once may only use some personal data as provided by a member or client: to provide service or support, or if so required by law. The latter could include the release of information necessary for preventing or combatting fraud, necessary for dispute resolution, or for any other pressing legitimate need which under those specific circumstances outweighs privacy interests, such as security of our business, and the safety of our staff. For more in-depth information, read the privacy statement.

Only Once has a process in place to handle data breaches, should they occur. All data access is logged, monitored and is available for auditing.

Periodic threat and risk assessments

Only Once applies security and privacy baselines to all assets, based on their classification.

The company performs periodic threat and risk assessments to mitigate relevant risks. The company’s CEO is a strong advocate of hyper security, and continuously communicates with his/her employees about new threats, techniques, and risks.

Service continuity

To ensure your data is secure and always available, Only Once incorporates a backup management policy. This policy includes redundant storage, encrypted storage locations, and a contingency plan regarding incidents of environmental complications. The data on these backups is all encrypted with the user's secret key, and no one has a way to view this data.

System and network security (AWS)

A member’s personal data is stored in PODs, currently still on AWS during the MVP. The new decentralised architecture will be deployed in the near future, allowing members to store their POD data anywhere they want. Storage spaces are encrypted, so data is unreadable to the infrastructure service providers. Only Once therefore has full control over how data is managed.

All components under control of Only Once are hardened to remove security vulnerabilities. Anti-malware provides detective and corrective response on managed environments. Context-based security is applied for remote access to Only Once systems. The mobile app is continuously updated to conform to current security guidelines and best practices.

Internet connections are secured with HTTPS/TLS (Transport Layer Security) to provide confidentiality and integrity.

Secure Software development

Only Once makes use of a strictly controlled development lifecycle which includes quality assurance tollgates. Separate environments are used (MVP D&P, in the near future full DTAP), each with its own purpose and authorizations. Developers can’t see production data. Changes are grouped into releases, for which designs and test cases are developed. Automated testing, code reviewing, quality gates, and security reviews are applied to enhance code security using Testomat. Vulnerability scanning and security testing are standard procedures for all deployments, using SonarCloud. The CI/CD pipeline is fully automated, which mitigates the risk of manual errors.

Only Once collaborates with security testing experts and suppliers to perform penetration tests, both black-box and white-box. Only Once anticipates security threats by using security tools that are highly recommended within the security community. Only Once is fully aware of the fact that security validation is done best with multiple sources of input.

Regular security tests are scheduled, and the engineering team has a security-driven approach. However, there is always a risk of bugs. If any of these bugs are found within the software of Only Once, Only Once will immediately alert its users, and disclose all information relating to the vulnerability after it is fixed.

All source code is stored at Only Once and at a supplier, so Only Once has full source code control. Source code is continuously being scanned by SonarCloud.

Privacy & GDPR

We support GDPR to its full extent. Please check out our GDPR article on our website.

ISO27001 certified

Only Once envisions to further develop and formalize its information security management system – including its suppliers and service providers – as it grows, conforming to the international ISO27001/ISO27002 standards. All changes undergo a formal process before they are applied.

Our company is currently in the process of ISO27001 certification and has developed the first required artifacts.

Conclusion

The security of your POD data is the primary design consideration for all of Only Once infrastructure, features, services, processes and personnel operations. Our employees are skilled professionals who can address vulnerabilities quickly, or prevent them in the design process. Because the security of your data is our main concern, we strive to improve our security on a daily basis. Only Once will continue to invest in our security platform to allow the user to safely access his/her personal data at all times.