Built for the security teams that say no.
OneLattice handles regulated, sensitive financial-crime data. Security isn't a section on the website — it's how we've built every layer of the platform. Here's the detail your CISO will ask for.
Certifications and attestations
Reports and questionnaire responses are available via the trust portal on request.
How we protect your data
Encryption
TLS 1.3 in transit, AES-256 at rest. Customer-managed keys (BYOK) available on enterprise plans for full control of your encryption material.
Access control
SSO via SAML, SCIM provisioning, MFA enforced, role-based permissions with least-privilege defaults, and just-in-time admin access for production systems.
Data residency
Choose where your data lives — US, EU, or India. Regional isolation with no cross-region replication for regulated workloads.
Privacy and data handling
We process customer data only for the purposes you authorize. OneLattice signs a Data Processing Agreement with every customer, maintains a current sub-processor list, and supports data deletion and portability on request.
- GDPR and CCPA compliant by default; regional DPAs available.
- Sub-processor list is published and updated 30 days before any change.
- Data minimization — we collect only what's necessary for decisioning.
- Customer data is never used to train shared models.
Operational security
Vulnerability management
Continuous dependency scanning, automated patching for critical vulnerabilities, and triage SLAs measured against CVSS severity.
Penetration testing
Third-party penetration tests annually and on every major release. Latest summary report available via the trust portal.
Secure development
Mandatory peer code review, automated security scanning in CI, and threat modeling for every new service before it ships.
Reliability and incident response
Reliability
99.9% uptime SLA on production tiers. Multi-region disaster recovery with documented RTO and RPO targets. Live status page with incident history.
Incident response
24/7 on-call rotation. Customers notified within 24 hours of confirmed security incidents involving their data. Vulnerability reports go through our contact form.
Need our SOC 2 report or security questionnaire?
Request access to the trust portal. We respond within one business day.