Security Best Practices F.A.Q

This article provides answers to commonly asked security questions about the Opus1.io platform.

Latest revision: 1/23/2024


Data Protection and Privacy

Availability

Security Measures

Vendor Reputation and Compliance

Incident Response and Recovery

User Access and Permissions

Data Ownership and Portability

Data Protection and Privacy

  1. How is customer data stored and encrypted within the Opus1.io infrastructure?

    Customer data is stored and encrypted within the platform, which is hosted on AWS in the us-west-2 and us-east-1 regions on a service called DynamoDB, using robust security measures to ensure its confidentiality and integrity. The platform employs advanced encryption algorithms to encrypt customer data at rest and in transit, safeguarding it from unauthorized access.

    Additionally, Opus1.io follows industry best practices and compliance regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), to ensure that customer data is protected. These regulations outline specific requirements for data storage, processing, and encryption, and the CRM platform adheres to these guidelines to maintain data privacy and security.

    To further enhance data protection, the platform has undergone independent security audits and assessments to validate its system's integrity. These audits evaluate the effectiveness of the encryption methods, access controls, and overall security infrastructure in place.

    More details and references can be found here:

    1. AWS Security / Compliance Programs
    2. AWS DynamoDB controls
  2. Does the platform comply with relevant data protection regulations such as GDPR, CCPA, or other industry-specific standards?
    Yes - see our Data Privacy Policy published on our website.
  3. What measures are in place to prevent unauthorized access to sensitive customer information?

    To prevent unauthorized access to sensitive customer information, Opus1.io implements a range of security best practices. These include the use of two-factor authentication (2FA) and yubikey FIPS 140-2 encryption.

    Two-factor authentication adds an extra layer of security by requiring users to provide two forms of identification before accessing the platform. This typically involves something the user knows (such as a password) and something the user possesses (such as a mobile device for receiving a verification code).

    The FIPS 140-2 validated YubiKey is a hardware-based security key that provides secure authentication by generating one-time passwords. This method ensures that even if a user's password is compromised, the attacker would still need physical access to the YubiKey device to gain unauthorized access.

    In addition to these measures, Opus1.io maintains tight access control with IAM (Identity and Access Management) roles on AWS. IAM allows for the creation of fine-grained access policies, enabling administrators to define specific permissions for different user roles. This ensures that only authorized individuals have access to sensitive customer information.

    By implementing these security measures, Opus1.io prioritizes the protection of customer data and mitigates the risk of unauthorized access.

  4. How are customer credit cards handled, stored and secured?

    Opus1.io places a high priority on ensuring the security and protection of customer credit card data. In order to provide the utmost level of security, Opus1.io does NOT store or handle credit card data. Instead, customers directly enter their credit card information with our trusted payment processor partners, Fiserv / Clover Connect and Stripe. These payment processors tokenize credit card information and are responsible for storing and processing it.

    Our payment partners are leaders in the industry and adhere to the necessary level of PCI-DSS compliance, which establishes the standard for secure handling of credit card data. By partnering with these reputable payment processors, Opus1.io can guarantee that customer credit card data is handled, stored, and secured in a manner that is both safe and compliant.

Availability

  1. What measures are in place to ensure high availability of the system?
    Opus1.io operates out of two AWS Regions (us-east-1 and us-west-2) in an active-passive setup. In this setup, one region serves as the primary region while the other region acts as a backup. This setup provides opus1.io with the ability to quickly and easily switch to the backup region in the highly unlikely event of a disaster that renders the primary region completely unavailable.
    Each AWS region consists of multiple datacenters that are located miles apart from each other. This geographical dispersion adds an extra layer of protection, ensuring that even if one datacenter is affected by a localized issue, the other datacenters in the region remain operational. This distributed infrastructure significantly enhances the overall resilience and availability of the opus1.io platform.
    To further improve availability, opus1.io utilizes high availability serverless and distributed systems provided by AWS. These systems operate on multiple datacenters in a high availability mode. For example, AWS Lambda allows for code execution without the need for server provisioning or management, and AWS ECS (Elastic Container Service) enables the deployment and management of containers at scale. Additionally, opus1.io leverages AWS S3 (Simple Storage Service) for scalable and durable object storage, and AWS DynamoDB for a fully managed NoSQL database.
    By leveraging these technologies, opus1.io ensures an exceptionally high level of availability for its platform. The active-passive setup, coupled with multiple datacenters in each region and the use of high availability serverless and distributed systems, creates a robust and resilient infrastructure that minimizes the risk of downtime and ensures uninterrupted service for opus1.io customers.

Security Measures

  1. What type of security protocols and standards does the Opus1.io platform adhere to?

    Opus1.io adheres to a comprehensive set of security protocols and standards to ensure the protection of customer data. The platform follows industry best practices around data security, including robust measures in the areas of access control, network security, compliance, user security awareness, change management, patch and update management, and incident response.

    In terms of access control, Opus1.io employs stringent authentication methods such as two-factor authentication (2FA) and yubikey FIPS 140-2 encryption. These measures add an extra layer of security by requiring users to provide multiple forms of identification before accessing the platform.

    Network security is prioritized through the implementation of secure communication protocols and the use of firewalls and intrusion detection/prevention systems. These measures safeguard against unauthorized access and protect against potential cyber threats.

    Compliance with relevant regulations and standards is also a key aspect of Opus1.io's security protocols. The platform adheres to industry-specific standards and regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). By following these guidelines, Opus1.io ensures that customer data is handled in a manner that meets legal requirements and industry best practices.

    User security awareness is another important aspect of Opus1.io's security protocols. The platform provides training and resources to help users understand the security features and best practices for accessing customer data and the platform in general. These trainings raise awareness regarding security risks and promote the safe use of the platform by our employees.

    Change management is a critical component of Opus1.io's security protocols. The platform implements robust processes for managing changes to its infrastructure and software, such as code reviews, security & risk assessments and automated testing to ensure that any updates or modifications are thoroughly tested and do not introduce vulnerabilities.

    Patch and update management is also prioritized to address any security vulnerabilities that may arise. Opus1.io regularly monitors and applies patches and updates to its systems to protect against known vulnerabilities and ensure the security of customer data.

    Lastly, Opus1.io has an incident response plan in place. In the event of a security incident or data breach, the platform promptly responds to mitigate potential damage. This includes conducting thorough investigations, implementing remediation measures, and communicating with affected parties as necessary.

  2. Are there robust measures in place to guard against cyber attacks, phishing, and other security threats?
    Yes, Opus1.io has implemented robust measures to guard against cyber attacks, phishing, and other security threats. These measures include employee security awareness training, tight access control, need-to-know basis access, defense in depth, and a Web application firewall with automated IP Bans based on unusual attack patterns.

    Employee security awareness training plays a crucial role in preventing security incidents. By educating employees about potential risks and teaching them best practices for identifying and avoiding phishing attempts or other forms of social engineering, Opus1.io ensures that its staff is well-equipped to recognize and respond to security threats.

    Tight access control is another important measure implemented by Opus1.io. Only authorized individuals have access to sensitive customer information, and even among those individuals, access is restricted on a need-to-know basis. This ensures that customer data is only accessible to those who require it for their job responsibilities, minimizing the risk of unauthorized access. 2-Factor Strong Authentication with FIPS 140-2 level encryption is enforced for all employees accessing customer data.

    In addition, Opus1.io follows the principle of defense in depth, which involves layering multiple security measures to provide overlapping protection. This approach includes implementing multiple security controls, such as firewalls, intrusion detection/prevention systems, and encryption, to create multiple barriers that an attacker would need to overcome.

    To further protect against web-based attacks, Opus1.io employs a Web application firewall (WAF) that automatically identifies and blocks malicious traffic. This WAF uses advanced algorithms to analyze incoming requests and detect unusual attack patterns. In case of any suspicious activity, the WAF automatically applies IP Bans, preventing further access from those sources.

  3. Does the platform offer multi-factor authentication and secure login processes to protect against unauthorized access?

    Yes, the platform enforces multi-factor authentication and secure login processes to protect against unauthorized access. All employees are required to use two-factor authentication (2FA) when accessing the platform's production systems. The 2FA method employed is hardware-based, using Yubikeys FIDO/U2F that comply with FIPS 140-2 up to Level 3 standards and NIST SP800-63B guidelines.

    By implementing this strong authentication method, the platform ensures that only authorized individuals with a Yubikey device can access sensitive customer data. Two-factor authentication adds an extra layer of security by requiring users to provide two forms of identification, typically a password and a verification code generated by the Yubikey. This significantly reduces the risk of unauthorized access to the platform.

    The use of hardware-based Yubikeys FIDO/U2F with FIPS 140-2 up to Level 3 encryption provides an additional layer of protection. Even if a user's password is compromised, the attacker would still need physical access to the Yubikey device to gain unauthorized access. This adds an extra level of security to prevent unauthorized access in case of a password breach.

Vendor Reputation and Compliance

  1. What is our track record regarding data breaches and security incidents?

    To date, Opus1.io has maintained an impeccable track record when it comes to data breaches and security incidents. We have never experienced a breach or incident that resulted in the compromise of customer data. This demonstrates our commitment to ensuring the utmost security and protection for our customers' sensitive information.

    By following industry best practices, implementing robust security measures, and prioritizing the safeguarding of customer data, Opus1.io has successfully mitigated the risk of unauthorized access and maintained the integrity of our platform. Our adherence to stringent authentication methods, such as two-factor authentication (2FA) and yubikey FIPS 140-2 encryption, adds an extra layer of security that significantly reduces the likelihood of data breaches.

    Furthermore, Opus1.io continuously undergoes independent security audits and assessments to validate the integrity of our systems. These audits provide a comprehensive evaluation of our security protocols, identifying any potential vulnerabilities and ensuring that we meet the highest standards of data protection.

    Our commitment to security goes beyond audits and assessments. We also prioritize incident response and recovery. In the event of a security incident or data breach, Opus1.io has established protocols to promptly respond and mitigate any potential damage. Thorough investigations are conducted to identify the root cause of the incident, and remediation measures are implemented swiftly to prevent any further compromise of customer data.

    By continuously strengthening our security measures, staying up to date with the latest industry standards, and investing in robust incident response procedures, Opus1.io remains dedicated to maintaining the trust and confidence of our customers.

  2. Have we undergone independent security audits and assessments to validate Opus1.io system's integrity?
    Yes.
  3. What documentation demonstrating compliance with security certifications or standards is available?

    This document expands on our security standards and best practices, providing a comprehensive overview of Opus1.io's commitment to protecting customer data. In addition to the information provided in this knowledge article, our published Data Privacy document includes further relevant details about our security certifications and compliance with industry standards.

    Our security standards and best practices are designed to ensure the utmost protection of customer data and safeguard against unauthorized access. We employ stringent authentication methods, such as two-factor authentication (2FA) and yubikey FIPS 140-2 encryption, to add an extra layer of security. These measures require users to provide multiple forms of identification before accessing the platform, significantly reducing the likelihood of data breaches.

    In terms of network security, Opus1.io prioritizes the implementation of secure communication protocols and utilizes firewalls and intrusion detection/prevention systems. These measures protect against unauthorized access and potential cyber threats, providing a secure environment for customer data.

    Compliance with relevant regulations and standards is a key aspect of Opus1.io's security protocols. Our platform adheres to industry-specific standards, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). By following these guidelines, we ensure that customer data is handled in compliance with legal requirements and industry best practices.

    In addition to the security measures and compliance mentioned, Opus1.io places emphasis on user security awareness. We provide training and resources to help users understand the security features and best practices for accessing customer data and the platform. These trainings raise awareness regarding security risks and promote the safe use of the platform by our employees.

    Change management and patch/update management are critical components of our security protocols. We implement robust processes for managing changes to our infrastructure and software, ensuring that any updates or modifications are thoroughly tested and do not introduce vulnerabilities. Additionally, we regularly monitor and apply patches and updates to our systems to address any security vulnerabilities that may arise.

    In the event of a security incident or data breach, Opus1.io has an incident response plan in place. We promptly respond to mitigate potential damage, conducting thorough investigations, implementing remediation measures, and communicating with affected parties as necessary. This commitment to incident response and recovery further reinforces our dedication to maintaining the trust and confidence of our customers.

    In summary, Opus1.io goes above and beyond to protect customer data and guard against cyber attacks, phishing, and other security threats. Our robust security measures, employee training, tight access control, multi-factor authentication, and compliance with regulations and standards ensure the utmost security and integrity of our platform.

Incident Response and Recovery

  1. Are there protocols in place to promptly respond to security incidents and mitigate potential damage?

    Yes, Opus1.io has established protocols to promptly respond to security incidents and mitigate potential damage. In the event of a security incident or data breach, the platform follows an incident response plan. This plan outlines the necessary steps and actions to be taken in order to effectively address and contain any security issues.

    The incident response plan includes a designated response team comprised of experienced security professionals who are trained to handle various types of security incidents. These individuals are responsible for quickly assessing the situation, identifying the root cause of the incident, and implementing appropriate remediation measures.

    Upon detecting a security incident, Opus1.io activates its incident response team, ensuring that the necessary resources and expertise are available to respond promptly. The team works diligently to contain the incident and prevent any further compromise of customer data. They conduct thorough investigations to determine the scope and impact of the incident, as well as to identify any vulnerabilities or weaknesses in the system.

    Once the incident has been contained, Opus1.io takes immediate action to mitigate potential damage. This includes implementing remediation measures, such as patching vulnerabilities, updating security controls, and strengthening access controls. The platform also communicates with affected parties, providing timely and transparent updates on the incident and any necessary steps for customers to take.

    Opus1.io understands the importance of effective incident response and recovery. By promptly responding to security incidents and mitigating potential damage, the platform demonstrates its commitment to safeguarding customer data and maintaining the trust and confidence of its users. Through continuous monitoring, improvement of security measures, and adherence to best practices, Opus1.io ensures a robust incident response capability to protect against potential threats and vulnerabilities.


User Access and Permissions

  1. Can the platform support granular user access controls and permissions to limit access to sensitive customer data?

    Yes, the platform supports granular user access controls and permissions to effectively limit access to sensitive customer data. We have implemented multiple roles within the system, including anonymous clients, clients, limited staff, staff, managers, and owners. Each role is assigned a specific set of permissions that determine what actions they are allowed to perform within the platform.

    These roles and permissions are regularly reviewed to ensure they align with the needs of our users and the security requirements of our customers. By regularly reviewing and updating these roles and permissions, we can maintain a secure and controlled environment for accessing sensitive customer data.

    In addition to role-based access controls, we also have a specific "super user" role for select employees. This role grants them access to the data they need to perform their job duties effectively. This ensures that employees have the necessary access to fulfill their responsibilities while still maintaining the highest level of data security.

    By implementing granular user access controls and permissions, we can limit access to sensitive customer data to only those individuals who require it for their specific roles and responsibilities. This helps prevent unauthorized access and reduces the risk of data breaches or incidents.

    Overall, our platform is designed to prioritize the security and privacy of our customers' data. Through the use of granular user access controls, regular review of roles and permissions, and the specific "super user" role for employees, we ensure that sensitive customer data is accessed only by authorized individuals, maintaining the integrity and confidentiality of the information.

  2. Are there options for auditing and monitoring user activities within the platform to detect any unauthorized actions?

    Yes, Opus1.io utilizes AWS CloudWatch as part of its comprehensive security measures. AWS CloudWatch is a monitoring and management service that allows us to monitor and review logs for any unauthorized actions within our platform. By leveraging this powerful tool, we can proactively detect and respond to potential security threats or breaches.

    With AWS CloudWatch, we have established robust procedures to continuously monitor and analyze the logs generated by our platform. These logs capture detailed information about user activities, system events, and resource usage. By regularly reviewing these logs, we can identify any suspicious or unauthorized actions that may pose a risk to the security of customer data.

    Our security team is responsible for monitoring and reviewing the logs in a timely manner. They have the expertise to analyze the logs effectively and identify any potential security incidents or unauthorized access attempts. In the event of any suspicious activity, the security team takes immediate action to investigate and mitigate the threat, ensuring the integrity and confidentiality of customer data.

    By leveraging AWS CloudWatch and implementing robust monitoring procedures, we can effectively detect and respond to unauthorized actions within our platform. This proactive approach allows us to maintain a secure environment for our customers and reinforces our commitment to protecting their data.

Data Ownership and Portability

  1. What are the terms regarding data ownership within the CRM platform?
    Data ownership is covered in our Data Privacy Policy.
  2. Can Opus1.io customers easily export and migrate customer data out of the platform in a standardized format if needed in the future?

    Yes, Opus1.io provides a seamless and efficient process for customers to export and migrate their customer data out of the platform in a standardized format if needed in the future. This includes personal information, schedule data, past attendance records, invoice details, and payment information.

    Customers have the option to export this data in CSV (Comma-Separated Values) format, which is a widely supported and standardized file format. CSV files can be easily opened and manipulated using various software applications, making it convenient for customers to access and utilize their data in other systems or platforms.

    To initiate the export process, customers can simply navigate to the appropriate section within the Opus1.io platform and select the desired data fields they wish to export. The platform then generates a CSV file containing the selected data, which can be downloaded and saved to the customer's local device or cloud storage.

    By offering the ability to export data in CSV format, Opus1.io ensures that customers have full control and ownership of their data. This empowers them to seamlessly transition to other systems or platforms if needed, without any loss or limitations on their valuable customer information.