Software for the work that cannot fail quietly.

TLS 1.3 with strong cipher suites only. HSTS preload enabled. Certificate pinning supported for institutional networks. No legacy protocols accepted.

AES-256 envelope encryption for all stored data, including database records, document attachments, and audit logs. Per-tenant data encryption keys, rotated quarterly. Backup encryption uses separate key hierarchy.

Institutions on Enterprise plans can provide their own KMS keys. OnePointe operations cannot decrypt your data without your active key authorization. You retain full revocation control.

Highly sensitive fields — names, identifiers, free-text narratives — are individually encrypted with separate keys, so a compromised database snapshot reveals only structure, not content.

SAML 2.0 and OpenID Connect supported on all plans. Native integrations with Okta, Microsoft Entra ID, Google Workspace, and Shibboleth.

Required for all administrators. Configurable MFA policies for end users. WebAuthn / FIDO2 hardware keys, TOTP, and push-based options supported.

Eight built-in roles with clear capability boundaries. Custom roles available for institutions with bespoke org structures. Permission inheritance is explicit and auditable.

Configurable session timeout (default 30 minutes idle, 8 hours absolute). Concurrent session limits. IP allowlisting available. Forced sign-out on permission change.

Every read, every edit, every export — captured with user, timestamp, IP address, and reason code where applicable. No retroactive edits to the audit log itself; corrections are appended, never overwritten.

Stream audit events to your existing SIEM (Splunk, Sentinel, Datadog, Sumo Logic) via webhook or syslog. Available on Enterprise plans.

Automated alerts for unusual access patterns: bulk exports, off-hours access, unusual geographic locations, repeated failed sign-ins. Configurable thresholds per institution.

Configurable retention policies aligned to FERPA, Title IX, and state mandates. Legal hold suspends all retention rules for selected records. Defensible deletion with cryptographic shredding.

Primary: AWS us-east-1 (Northern Virginia). Failover: us-west-2 (Oregon). FedRAMP-eligible regions available for institutions with federal contracts.

99.95% uptime SLA on Enterprise plans. Status page at status.onepointe.ai with real-time component health and historical incidents.

Encrypted backups every 15 minutes, retained 90 days. Point-in-time recovery to any second within 35 days. RPO under 5 minutes; RTO under 1 hour.

Logical isolation by default with per-tenant encryption keys. Dedicated single-tenant deployments available on Enterprise plans for institutions with strict isolation requirements.

Independent third-party penetration tests every six months by NCC Group. Latest report available under NDA via your account manager.

All dependencies scanned daily. Static analysis runs on every pull request. Critical vulnerabilities patched within 24 hours; high within 7 days.

Active bug bounty program at onepointe.ai/security. Acknowledged within 24 hours; payouts up to $25,000 for critical findings.

Every security-relevant change is published to a public changelog with CVSS scoring, affected components, and remediation steps. Subscribe via RSS or email.

Contractual notification within 24 hours of incident confirmation, including a preliminary impact assessment and our response timeline. State-specific breach notification handled in parallel.

Each institution has a designated incident contact and a private Slack/Teams channel for real-time coordination during active events.

Public post-mortems for any incident affecting more than one institution, published within 14 days. Root cause analysis, contributing factors, and corrective actions all documented.