By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Compliance & Privacy

SOC 2 Type II

We work with Insight Assurance, an independent cybersecurity consulting firm to validate our security controls and security posture. As part of our annual audits, we also conduct rigorous penetration tests with independent security consulting firms to ensure the highest levels of data security.
In addition to our SOC 2 report, we maintain a SOC 3 report for general use and distribution. Click here to download.


For organizations that need to upload PII data, OneSchema is fully HIPAA compliant. Our standard Business Associate Agreement (BAA) meets the requirements of HIPAA, making it easy for covered entities to bring OneSchema on board as a business associate.


Our privacy program is committed to helping our customers around the globe, and we are committed to following data protection laws around the world. Our Data Processing Agreement (DPA) contains Standard Contractual Clauses (SCCs) to comply with both the European Union's GDPR and California's CCPA.


Network Security

OneSchema's production services are hosted on leading cloud infrastructure providers like Amazon AWS. We use Amazon's Virtual Private Cloud to protect our network perimeter in addition to web application firewalls and regular vulnerability scanning.

Data Protection

Our team implements cryptographic controls when processing and storing data and perform encryption in accordance with industry standards. All OneSchema web traffic sent over the public internet is encrypted in transit using the TLS v1.2 protocol, and encryption at rest is performed with AES-256.

Access Control

OneSchema maintains audit logs of all activity, errors, and warnings on production systems and uses single sign-on and 2-factor authentication to enforce application access control. Levels of access are granted on a principle of least privilege and use Role-Based Access Control.