Security

Last updated: March 7, 2026

At Oqren, security is a core part of our infrastructure — not an afterthought. We take the protection of your data seriously and continuously invest in hardening our systems against evolving threats.

  • Encryption at Rest: AES-256
  • Encryption in Transit: TLS 1.3
  • Uptime Target: 99.9%

1. Infrastructure Security

1.1 Physical Security

Oqren's infrastructure runs on enterprise-grade data centers with 24/7 physical security, biometric access controls, and redundant power and cooling systems. Data centers are ISO 27001 and SOC 2 compliant.

1.2 Network Security

  • All database instances are isolated in private VPCs with no public internet access by default
  • Firewall rules restrict inbound connections to authorized IP ranges only
  • DDoS protection is applied at the network edge
  • Network traffic is continuously monitored for anomalous patterns

1.3 Database Isolation

Each customer's database instance runs in an isolated environment. Shared resources are strictly partitioned — one customer's workload cannot affect another's data or performance.

2. Data Encryption

All customer data is protected with strong encryption both in storage and in transit:

  • At rest: All data volumes, backups, and snapshots are encrypted using AES-256 with keys managed by our key management service (KMS).
  • In transit: All connections to Oqren APIs and database endpoints require TLS 1.2 or higher. TLS 1.3 is enforced where supported.
  • Key management: Encryption keys are rotated regularly. Customers on enterprise plans can bring their own encryption keys (BYOK).

3. Access Control

3.1 Customer Access Controls

  • Role-based access control (RBAC) for all dashboard users
  • Fine-grained database-level permissions (read, write, admin)
  • SSH key authentication for direct database access
  • IP allowlisting to restrict connection origins

3.2 Internal Access Controls

  • Oqren employees do not have standing access to customer data
  • Just-in-time (JIT) access is granted only when required for support, with audit logging
  • All internal access requires multi-factor authentication
  • Access reviews are conducted quarterly

4. Authentication

We recommend the following security practices for your Oqren account:

  • Enable two-factor authentication (2FA) — available via TOTP authenticator apps
  • Use strong, unique passwords for your Oqren account
  • Rotate API keys and database credentials regularly
  • Revoke credentials for team members who no longer need access

Passwords are hashed using bcrypt before storage and are never transmitted in plaintext.

5. Backups and Recovery

  • Automated daily backups for all database instances
  • Point-in-time recovery (PITR) available up to 7 days on standard plans, 30 days on enterprise
  • Backups are encrypted and stored in geographically separate locations
  • Backup integrity is verified automatically on each snapshot
  • Recovery time objective (RTO): under 15 minutes for most instances

6. Monitoring and Incident Response

6.1 Monitoring

Our systems are monitored 24/7 with automated alerting for:

  • Unauthorized access attempts and authentication anomalies
  • Unusual data access or egress patterns
  • Infrastructure health and performance degradation
  • Configuration changes to security-sensitive resources

6.2 Incident Response

In the event of a confirmed security incident affecting customer data, we will:

  • Contain and investigate the incident immediately
  • Notify affected customers within 72 hours of discovery
  • Provide a post-incident report detailing the cause, impact, and remediation steps

7. Vulnerability Disclosure

We take all security vulnerability reports seriously. If you believe you have discovered a security issue in Oqren's platform, please report it responsibly:

Security Disclosure

security@oqren.com

Please encrypt sensitive reports using our PGP key, which is available on request. We will acknowledge your report within 24 hours and keep you informed of our progress.

We ask that you do not publicly disclose vulnerabilities until we have had a reasonable opportunity to investigate and remediate. We do not currently operate a bug bounty program, but we deeply appreciate responsible disclosures.

8. Compliance

Oqren's infrastructure and practices are designed to support customers operating under various regulatory frameworks:

  • GDPR: Data processing agreements (DPAs) available upon request for EU customers
  • SOC 2 Type II: Audit in progress — report available to enterprise customers under NDA
  • CCPA: Consumer data rights supported for California residents

For compliance documentation or data processing agreements, contact legal@oqren.com.

9. Contact

For security-related questions or to request compliance documentation:

Oqren Security Team

security@oqren.com