Privacy and security

Security and Compliance

Security and Compliance is mission-critical to the success of OakNorth, because it is a top priority for our customers, who include some of the world’s leading banking and financial services organizations.

We undergo independent verification of our security and compliance controls to help our customers meet their regulatory and policy objectives. OakNorth’s products and internal control environment are audited and certified against the following standards:

  • ISO 27001 certification: OakNorth operates an Information Security Management System (ISMS) in accordance with the ISO 27001:2013 international standard that is independently audited and certified by BSI (British Standards Institution).

    Evidence of our ISO 27001 certification can be found online (Cert ID: IS 695402).

  • System and Organization Controls (SOC) reports: OakNorth SOC reports are independent third-party examination reports that demonstrate how OakNorth achieves key compliance controls and objectives. The purpose of these reports is to help customers and their stakeholders validate OakNorth’s alignment with a wide range of security and compliance requirements.

    OakNorth has completed a SOC 2 Type 2 audit covering the Trust Services Principles of Security, Availability and Confidentiality with no exceptions in related controls.

    OakNorth has also completed a SOC 1 and ISAE 3402 Type II review. The report provides independent auditor assurance on the processes and controls OakNorth performs that are relevant to our customers’ financial reporting, and can be used by clients as an integral part of their Sarbanes-Oxley efforts.

    Our most recent SOC 1, SOC 2 and ISAE 3402 Type 2 reports are available upon request through your account or customer success manager.

  • CSA STAR Level 1: OakNorth participates in the voluntary Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR) Self-Assessment to document our compliance with CSA-published best practices. Our completed CSA Consensus Assessments Initiative Questionnaire (CAIQ) can be accessed online through the public CSA STAR registry entry at https://cloudsecurityalliance.org/star/registry/oaknorth.

Data Center Security and Compliance

OakNorth systems and applications are hosted on infrastructure provided by Amazon Web Services (AWS). Access to these data centers is strictly controlled and monitored by 24x7 on-site security staff, biometric scanning, and video surveillance. Information about security- and privacy-related audits and certifications received by AWS, including information on ISO 27001 certification and SOC 1, 2 and 3 reports, is available from the AWS Compliance website.

Data Sovereignty and Isolation

OakNorth maintains single-tenant environments where each customer’s application and data are hosted in a segregated Virtual Private Cloud (VPC) within a dedicated AWS account. The environment is configured to ensure logical isolation, meaning that resources are shared neither with other AWS customers nor with other OakNorth customers.

This segregation allows OakNorth customers to choose from one of several AWS Regions available globally for hosting their instance of the Credit Intelligence suite, based on business, legal and regulatory needs. Within an AWS Region, OakNorth services are spread across three Availability Zones. An Availability Zone consists of one or more discrete data centers with redundant power and networking. Availability Zones are physically separated from each other by many kilometers.

Application and Data Security

All access to the OakNorth Credit Intelligence Suite is securely authenticated, and customers can federate access with their internal Identity Provider (SSO), which makes it easy to manage user permissions and helps meet security and compliance requirements. Federating with SSO gives customers control over who is authenticated (signed in) and authorized (has permissions) to access resources.

All Client data remains encrypted in transit and at rest using per-customer encryption keys. Where enabled, network access to the application can further be restricted using an IP whitelist, so that users can access the Credit Intelligence Suite only from authorized OakNorth and Client network environments.

Data Destruction

During the contract term, customers may export a copy of any data that is made available for export via the Credit Intelligence Suite. At the end of the engagement, customers can request return of their data for their record retention purposes. Unless otherwise notified and subject to applicable legal requirements, OakNorth will securely delete all copies of customer data that we process within 30 days after termination of services.

Vulnerability Assessments and Penetration Testing

OakNorth tests for potential vulnerabilities on a recurring basis, using both internal personnel and specialist third parties. We also run vulnerability scans on software packages, infrastructure, and applications to find missing patches and check for common misconfigurations.

Customer Audits and Due Diligence

We understand that our customers need to fulfill their own audit and regulatory requirements. To help them with this risk management process, we can provide them with deeper insights into some of our key security and compliance procedures. Please approach your account or customer success manager for any help in performing such bespoke assessments.