Security
Application security
The Ottomatic engineering team strives to write secure code that aligns with industry best practice. We do peer reviews to ensure code quality and perform static code analysis to detect vulnerabilities that may exist in our dependencies.
Authentication
Ottomatic user accounts have several options for authentication including; passwordless which is accessed via email, SAML or single sign-on with Google oAuth, and username/password access with strict password requirements.
Secure Access
Ottomatic requires HTTPS for access to our application, payment and invoice portals, support ticket portal, as well as APIs.
API
Ottomatic utilizes rotating key or OAUTH2 protocol to enforce secure access to our APIs.
Best practice security
SOC 2
Ottomatic is currently in the process of completing SOC 2 TYPE II certification. As of the writing of this document we have completed more than half the requirements of SOC 2. This certification provides assurance that we are operating at a level that is in compliance or better than the standards outlined by the American Institute of Certified Public Accountants (AICPA).
Payments
We process all payments through PCI compliant payment gateway partners such as Stripe. Ottomatic does not store credit card details or card holder information.
Infrastructure
Ottomatic operates servers and infrastructure hosted on multiple cloud platforms including hyperscalers and smaller hyperscalers who are members of the Cloud 2.0 initiative.
Penetration Testing
We partner with a third party to scan all of our servers and infrastructure assets to search for common vulnerabilities as well as potential zero-day vulnerabilities. Remediation of critical findings is done in a timely manner.
Incident management
Ottomatic operates several systems to monitor the health of our service and detect incidents. If a security incident occurs, Ottomatic will notify all affected customers with undue delay.
Responsible disclosure
Please report any vulnerabilities to support@ottomatic.cloud. We will immediately assign a ticket id number for each report and a member of our engineering team will reply back within 1 business day.