Compliance & Certifications
We're honest about where we are. "In progress" is more useful to a buyer than a fake badge.
SOC 2 Type II (status: In Progress)
Audit underway. Auditor selected. Target completion Q2 2026. Controls across availability, security, and confidentiality trust service criteria.
GDPR (status: Aligned)
Data minimization, purpose limitation, and processor agreement (DPA) available on request. EU data residency option available.
HIPAA (status: Enterprise)
Business Associate Agreement (BAA) available for Enterprise customers with healthcare data requirements. Reach out to discuss scope.
ISO 27001 (status: Roadmap)
On the roadmap following SOC 2 completion. Estimated program start Q3 2026.
Procurement reviews: Request our security questionnaire response (CAIQ/SIG), pen test summary, or sign an MNDA using the form at the bottom of this page. We respond within 1 business day.
Data Handling
OnCallReady ingests only what's necessary to diagnose and resolve an incident. Here's exactly what we touch:
Alert payloads
Webhook bodies from Datadog, Prometheus, Grafana, PagerDuty, or your custom source. Structured alert metadata — no raw log streams.
Incident context
Outputs from runbook actions (command exit codes, service health check results). Minimal — enough to confirm resolution, not a full system snapshot.
Diagnostic telemetry
Intermediate diagnostic signals used during active resolution are processed in-memory and never written to disk or external storage.
Customer application data
Database contents, user PII, API responses from your application, source code. OnCallReady has no reason to touch these and does not.
Retention: 90 days standard
Incident records, resolution logs, and runbook execution histories are retained for 90 days. Configurable on Enterprise.
Data residency: US & EU
Choose where your incident data lives. US (AWS us-east-1) or EU (AWS eu-central-1). Configured at account provisioning.
BYOK
Bring Your Own Key: customer-managed encryption keys via AWS KMS or HashiCorp Vault. Available on Enterprise tier.
Infrastructure Security
AES-256 encryption
All stored data — incidents, runbooks, resolution records — encrypted at rest with AES-256. Database volumes encrypted via Neon's provider-managed keys by default; BYOK on Enterprise.
TLS 1.3
All traffic between clients and OnCallReady, and between OnCallReady and your infrastructure integrations, requires TLS 1.3. Older protocol versions rejected.
HashiCorp Vault
Integration credentials and API keys are stored in Vault with short-lived dynamic secrets where supported. No long-lived credentials in environment variables or config files.
Zero-trust internal
Internal services authenticate every request. No implicit trust by network position. Lateral movement requires explicit credentials, not just VPC membership.
Production infrastructure runs on Render (web tier) with Neon PostgreSQL (data tier). Both providers maintain their own SOC 2 certifications. Network isolation between tenants is enforced at the database connection pool level.
Access Controls
SSO / SAML
Okta, Azure AD, and Google Workspace supported via SAML 2.0. OIDC on roadmap. SSO enforcement (no password fallback) available on Enterprise.
SCIM provisioning
Automated user lifecycle via SCIM 2.0. Offboard a user in your IdP — they lose OnCallReady access within minutes, not days.
RBAC
Owner, Admin, Operator, and Viewer roles. Runbook authoring and execution are separate permissions. You control who can approve remediation actions.
MFA enforcement
TOTP-based MFA required on all accounts. Enterprise customers can enforce MFA org-wide and block non-SSO login paths.
Audit log streaming: Every action — runbook execution, incident state change, user login, credential rotation — is written to the immutable audit log. Enterprise customers can stream this to their SIEM (Splunk, Datadog, Elastic) via webhook or S3.
Agent Permissions Model
This section matters most if you're evaluating OnCallReady for production access. The short version: the agent does as little as possible, and you control what it's allowed to do.
Our Incident Response
How OnCallReady handles security incidents affecting the OnCallReady platform itself:
- Detection: Continuous monitoring of infrastructure, dependency vulnerability feeds, and anomaly detection on access patterns. Internal alerting runs 24/7.
- Customer notification SLA: Affected customers are notified within 24 hours of a confirmed security incident. Initial notice includes scope, known impact, and remediation timeline — not a placeholder.
- Severity classification: P0 (active breach/data exposure) triggers immediate customer notification and executive involvement. P1–P2 follow the 24h SLA. P3/P4 addressed in regular release cycles.
- Public incident history: Post-incident reports published at status.oncallready.com within 5 business days of resolution. We document root cause, timeline, and controls added — not just "we fixed it."
- Regulatory notification: GDPR Article 33 notifications to supervisory authorities (where required) within 72 hours of a confirmed breach. Customers receive concurrent notification.
Sub-processors
These vendors may process customer data as part of delivering the OnCallReady service. We update this table when sub-processors change; customers on Enterprise receive advance notice of additions.
| Vendor | Purpose | Data accessed | Region | Compliance |
|---|---|---|---|---|
| Render | Web application hosting | Application code, request logs, environment variables | US (Oregon) | SOC 2 Type II |
| Neon | PostgreSQL database | Incidents, runbooks, resolutions, user records | US / EU (configurable) | SOC 2 Type II |
| Postmark (ActiveCampaign) | Transactional email | Recipient email address, email content | US | SOC 2 Type II |
| Stripe | Payment processing | Billing info, payment method (Stripe-hosted, not stored by OnCallReady) | US | PCI DSS Level 1, SOC 2 |
| Cloudflare R2 | File storage | User-uploaded assets, report attachments | US | SOC 2 Type II, ISO 27001 |
| OpenAI (via Polsia proxy) | AI-assisted diagnostics (when enabled) | Alert payloads passed to models for triage assistance | US | SOC 2 Type II |
Vulnerability Disclosure
We operate a responsible disclosure program. If you find a security issue in OnCallReady, please tell us before anyone else.
- Contact: Email security@oncallready.com with a description, reproduction steps, and any relevant artifacts. PGP key available on request.
- Scope: oncallready.polsia.app and all subdomains, the OnCallReady API, authentication and authorization systems, data handling pipelines.
- Out of scope: Social engineering, physical attacks, denial-of-service, issues in third-party sub-processors that don't expose OnCallReady customer data.
- Response SLA: Acknowledgment within 24 hours. Triage within 3 business days. Fix timeline communicated within 7 business days.
- Coordinated disclosure: We ask for a 90-day disclosure window from initial report while we remediate. We'll move faster when possible.
- No bounty yet — honest note: We don't have a bug bounty program yet. We will say thank you publicly (if you want credit), acknowledge the contribution in our incident history, and treat your report with the seriousness it deserves. Bounties are on the roadmap for 2026.
Request security documentation
Need our security questionnaire response (CAIQ / SIG), pen test executive summary, or an MNDA before your procurement review? Fill this in and we'll respond within 1 business day.