Security & Compliance — OneSupport, Inc.
Security & Compliance

Stay Ahead of Risk.

OneSupport, Inc. · Effective Date: January 1, 2026 · Last Updated: 2026

Security and compliance aren't checkboxes — they're woven into every layer of how OneSupport, Inc. operates. From end-to-end encryption and multi-factor authentication to strict access controls, we ensure your data and systems are always protected. Our solutions are built to meet the highest regulatory standards — including HIPAA, PCI DSS, and SOC 2 — so you can focus on your business, knowing your infrastructure is secure, compliant, and ready for whatever comes next.

Section 01

Overview

OneSupport's security model is not reactive — it's structural. Our infrastructure and operations are purpose-built to meet the most rigorous regulatory requirements across healthcare, finance, government, and enterprise environments.

Every layer of our platform is independently hardened, continuously monitored, and aligned to the compliance frameworks your industry requires. A gap at one level never creates exposure at another.

Certifications in scope: HIPAA · SOC 2 Type II · SSAE 16 · FIPS 140-2 · PCI DSS applicable controls. For regulated environments, separate Data Processing Agreements (DPAs) and Business Associate Agreements (BAAs) are available upon request.

Section 02

Regulatory Frameworks

Our platform and operating model are certified and audited against the frameworks that matter most to your organization and the regulators you answer to. Each certification is maintained through continuous monitoring, not point-in-time snapshots.

  • HIPAA Compliant (Healthcare): We safeguard protected health information with HIPAA-compliant solutions — advanced security, detailed reporting, and policy enforcement that keep your systems continuously audit-ready.
  • SOC 2 Type II (Data Security): Built on the AICPA's trust principles of security, confidentiality, and processing integrity — keeping your customer data continuously monitored, controlled, and protected.
  • SSAE 16 Accredited (Audit): SSAE 16–accredited email security, archiving, and continuity — with 24/7 availability, intelligent threat filtering, and real-time protection against evolving email-borne risks.
  • FIPS 140-2 (Encryption): Federally recognized encryption using FIPS-compliant OpenSSL cryptographic modules — securing data in transit, protecting session integrity, and meeting government security mandates.
  • ECDH Key Agreement (Cryptography): ECDH key agreement ensures session keys are established securely over untrusted networks — delivering forward secrecy, interception resistance, and audit-ready compliance.
  • Two-Factor Authentication (Access Control): Role-based access controls and TOTP-based 2FA ensure only verified, authorized users reach your systems — adding a critical layer of defense against unauthorized access and breaches.

Section 03

HIPAA

OneSupport is fully HIPAA compliant, providing protected health information (PHI) safeguards across all customer-facing and internal systems. Our infrastructure supports covered entities and business associates under HIPAA by enforcing strict data handling policies, audit logging, and access controls.

PHI Handling

All PHI is encrypted in transit and at rest. Access is restricted to authorized personnel under role-based controls, with full audit trails maintained for all access events. We sign Business Associate Agreements (BAAs) with all applicable clients prior to any PHI being transmitted.

Continuous Audit Readiness

Our HIPAA controls are not annual snapshots. Policy enforcement engines and automated auditing tools continuously validate the environment against HIPAA's required safeguards — generating compliance evidence on demand for your audit submissions.

BAA availability: Organizations operating in healthcare should contact our compliance team to review BAA terms and confirm specific control mappings applicable to their environment before transmitting PHI.

Section 04

SOC 2

Our SOC 2 Type II certification covers the AICPA Trust Services Criteria for Security, Availability, Confidentiality, and Processing Integrity. Annual third-party audits validate continuous operational compliance — not just a point-in-time snapshot.

Scope of Coverage

  • Security — logical and physical access controls, change management, risk mitigation
  • Availability — system uptime, incident response, business continuity
  • Confidentiality — data classification, encryption, access restriction
  • Processing Integrity — complete, valid, accurate, timely processing

Available upon request: Current SOC 2 Type II report, control matrix, and supporting evidence packages for enterprise procurement and vendor assessment processes. Contact your account manager or our compliance team.

Section 05

SSAE 16

OneSupport holds SSAE 16 accreditation for its email security, archiving, and continuity services. SSAE 16 (Statement on Standards for Attestation Engagements No. 16) is the authoritative standard for reporting on service organizations' controls.

Our SSAE 16–accredited email infrastructure provides 24/7 availability with intelligent threat filtering, real-time protection against advanced email-borne risks, and compliant archiving for regulatory retention requirements.

Coverage Areas

  • Inbound and outbound email security filtering
  • Email continuity and failover during outages
  • Compliant email archiving with configurable retention policies
  • Advanced threat protection including zero-day and phishing defense

Section 06

Encryption & FIPS 140-2

All data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256. OneSupport uses FIPS 140-2 validated cryptographic modules — the standard required by U.S. federal agencies, government contractors, and highly regulated industries globally.

FIPS 140-2 Validated Modules

FIPS 140-2 is the U.S. government standard for cryptographic modules. Our use of FIPS-compliant OpenSSL modules ensures that every cryptographic operation — key generation, encryption, decryption, hashing — meets the federally mandated security requirements for protecting sensitive unclassified information.

Cryptographic standards in use: TLS 1.2 / TLS 1.3 · AES-256 at rest · FIPS 140-2 OpenSSL modules · ECDH key agreement · SHA-256 certificate hashing

Section 07

ECDH Key Agreement

OneSupport uses Elliptic Curve Diffie-Hellman (ECDH) key agreement with ephemeral key pairs (ECDHE) to establish session keys for all encrypted communications. Ephemeral ECDH provides forward secrecy — meaning that even if a long-term private key is compromised in the future, past session traffic cannot be retroactively decrypted.

Why Forward Secrecy Matters

In traditional RSA key exchange, session keys are encrypted using the server's long-term public key. If that key is later compromised, all recorded past sessions can be decrypted. ECDH eliminates this risk by generating a unique, ephemeral key pair for every session that is discarded after use and never stored.

  • Session keys are generated per-connection and destroyed after session termination
  • Compromise of long-term keys does not expose past communications
  • Meets forward secrecy requirements under NIST SP 800-52 and PCI DSS
  • Interception-resistant across untrusted network segments
Section 08

Access Control & Two-Factor Authentication

Access to all systems and customer data is governed by least-privilege role-based access control (RBAC). Technician and administrator accounts are provisioned on a need-to-know basis with full audit logging of all access events.

MFA Requirements

Multi-factor authentication (MFA) is mandatory for all internal systems. TOTP-based 2FA is enforced for all privileged accounts. Sessions are time-limited and automatically terminated on inactivity.

Privileged Access

Administrative access to production systems requires approval workflows, just-in-time access provisioning, and is logged in immutable audit trails retained per applicable compliance requirements.

Security notice: OneSupport will never request your account password or MFA codes via email, chat, or telephone. If you receive such a request purportedly from OneSupport, treat it as fraudulent and contact your account representative immediately.

Section 09

Security Architecture

OneSupport's security model is built in independent layers. Each layer is hardened and monitored separately, so a failure at one level does not cascade into exposure at another. The six layers of our security stack are:

  1. Network Perimeter Defense: Advanced firewall rules, intrusion detection, and real-time traffic analysis prevent unauthorized access at the network boundary before threats reach internal systems.
  2. Endpoint Protection & EDR: Next-generation antivirus, device discovery, and Endpoint Detection & Response (EDR) ensure every managed device is continuously monitored, patched, and secured.
  3. Identity & Access Management: Role-based access controls, multi-factor authentication, and TOTP protocols ensure only verified, authorized users can reach sensitive systems and data.
  4. Data Encryption in Transit & at Rest: FIPS 140-2 compliant cryptography and ECDH key agreement secure all data across every channel — from internal communications to customer-facing APIs.
  5. Backup, Recovery & Business Continuity: Automated backup schedules, point-in-time recovery, and geographic redundancy protect against data loss and keep operations running during any disruption.
  6. Continuous Compliance Monitoring: Policy enforcement engines and automated auditing tools continuously validate your environment against required compliance frameworks — generating reports on demand.

Section 10

Capabilities

Every capability below is active, monitored, and available across all OneSupport client environments. Nothing here is optional or add-on — it is the baseline of how we operate.

  • Threat Intelligence: Real-time threat feeds and behavioral analytics detect anomalies before they become incidents.
  • 24/7 Monitoring: Round-the-clock network, device, and system monitoring with automated alerting and incident response.
  • Multi-Factor Auth: TOTP-based two-factor authentication and role-based access prevent unauthorized credential use across all systems.
  • Web Protection: Advanced web filtering blocks malicious content, phishing domains, and unauthorized traffic in real time.
  • Email Security: SSAE 16–accredited filtering, continuity, and archiving protect communications against advanced threats.
  • Backup & Recovery: Automated backup, point-in-time recovery, and failover ensure data is always recoverable and operations never stop.
  • Vulnerability Scanning: Continuous scanning and patch management close security gaps before they can be exploited by threat actors.
  • Compliance Reporting: On-demand audit reports, policy documentation, and evidence packages for regulatory submissions across all major frameworks.

Section 11

Monitoring & Incident Response

OneSupport operates a continuous security monitoring program covering all production systems, endpoints, and network segments. Automated alerting thresholds are tuned to detect behavioral anomalies, unusual access patterns, and potential indicator-of-compromise events in real time.

Incident Response Protocol

In the event of a confirmed or suspected security incident, OneSupport follows a documented incident response plan aligned to NIST SP 800-61. The five stages of our IR protocol are:

  1. Preparation — Maintained runbooks, trained responders, and tested playbooks for common incident types.
  2. Detection & Analysis — Automated SIEM alerts with 24/7 analyst review and severity classification.
  3. Containment — Immediate isolation of affected systems to prevent lateral movement.
  4. Eradication & Recovery — Root cause elimination, clean restoration, and integrity verification before service resumption.
  5. Post-Incident Review — Written findings and remediation commitments shared with affected clients within agreed SLA windows.

Clients are notified of incidents affecting their environments within the timeframes required by applicable law and as defined in their executed service agreement.

Section 12

Data Handling

OneSupport handles customer data with the same standards applied to its own most sensitive internal information. Data classification, retention, and destruction policies are enforced programmatically — not relying solely on manual process adherence.

Data Classification

  • Public — Information approved for unrestricted external distribution.
  • Internal — Business information for authorized internal use only.
  • Confidential — Customer data, financial records, and operational data requiring protection.
  • Restricted — PHI, PCI data, credentials, and regulated data under strict controls.

Retention & Destruction

Customer data is retained for the duration of the service relationship and for any period required by applicable law or the executed service agreement. Upon contract termination, data is made available for client export for thirty (30) days, after which it is destroyed using NIST 800-88–compliant methods.

Regulated Environments

Customers operating under HIPAA, PCI DSS, or federal contracting requirements should execute a Data Processing Agreement (DPA) or Business Associate Agreement (BAA) with OneSupport prior to transmitting regulated data. Contact your account representative for details.

Section 13

Contact Information

For questions about our security posture, compliance certifications, or to request audit documentation — including SOC 2 reports, BAAs, or DPAs — please contact our Security & Compliance team:

Security & Compliance
OneSupport, Inc.
350 Barnes Drive, Suite 109
San Marcos, TX 78666

For general inquiries, visit our contact page.

Have questions about security or compliance?

Our team responds within one business day. No robo-responses, no runaround.
