One Click System's Security and Compliance Overview

Our Company and Products

Developed for agencies by an agency, One Click System's mission is to empower marketing professionals and agencies to exceed their benchmarks for success. We champion the cause of enhancing automation, refining communication, and boosting scalability in ways that are intuitive and user-friendly, always staying ahead with updates that reflect our commitment. Since launching in 2018, One Click System has seen exponential growth, significantly influencing both the tech community and the SaaS industry at large. At One Click System, we gauge our success by the achievements of our customers, dedicating ourselves to optimising our offerings to suit their evolving needs. Our AI-enhanced all-in-one sales, marketing, and customer relationship management (CRM) platform delivers indispensable features to agencies and marketers. This comprehensive software solution opens up boundless possibilities for our customers to set and reach ambitious sales targets, supported every step of the way by our expert team. We also offer our customers the opportunity to rebrand our platform, providing everything agencies and marketers need to scale their operations to heights previously only imagined.

One Click System Security and Risk Focus

One Click System places utmost importance on the security of our customers' data. We have invested in robust controls to protect and serve our customers effectively. This includes the establishment of comprehensive corporate, product, and infrastructure security programs, overseen by our Legal Team in collaboration with various departments.

Our Security and Compliance Objectives

Our security framework, crafted around SaaS industry best practices, aims to:

  • Customer Trust and Protection: Deliver exceptional products and services while safeguarding the privacy and confidentiality of data.

  • Availability and Continuity of Service: Guarantee service availability and minimise service continuity risks.

  • Information and Service Integrity: Ensure the accuracy and integrity of customer information.

  • Compliance with Standards: Meet or surpass industry-standard best practices.

One Click System Security Controls

To safeguard entrusted data, One Click System employs a comprehensive array of administrative, technical, and physical security measures. Below are highlights from our frequently discussed security controls.

Infrastructure Security

Cloud Hosting Provider

One Click System entrusts the hosting of its product infrastructure to leading cloud infrastructure providers, including Google Cloud Platform Services and Amazon Web Services, located within the United States. We rely on the audited security programs of Google and AWS to support the effectiveness of their security controls. Both providers offer high uptime percentages and have robust compliance documentation available publicly, illustrating their commitment to security and reliability.

Network and Perimeter

Our product infrastructure utilises multiple layers of security to scrutinise all connections, incorporating web application firewalls, logical firewalls, and security groups. Network access is tightly controlled, with firewalls set to deny any unauthorised connections. Regular reviews and updates to our network configurations ensure that only essential connections are maintained.

Configuration Management

One Click System's infrastructure thrives on automation, allowing us to scale seamlessly alongside our customers. Our configuration management processes are integral to our daily operations, ensuring servers are provisioned with secure, standardised settings. Any deviation from these baselines is quickly detected and corrected, maintaining our commitment to security and compliance.

By focusing on these areas, One Click System demonstrates its unwavering commitment to security, compliance, and customer trust, aligning with Australian policies and standards to provide a secure and reliable platform for our customers in Victoria, Melbourne, and beyond.

Logging

Actions and events that occur within the One Click System application are consistently and comprehensively logged. These logs are indexed and stored in a central logging solution hosted in One Click System’s cloud environment. Security-relevant logs are also retained, indexed, and stored to facilitate investigation and response activities. The retention period for logs depends on the nature of the data logged. Write access to the storage service where logs are stored is tightly controlled and limited to a small subset of engineers who require access for maintenance and security purposes. This approach ensures that all activities within the One Click System platform are transparently recorded, providing a secure and reliable audit trail that supports both operational integrity and compliance with Australian data protection standards.

Alerting and Monitoring

One Click System invests in automated monitoring, alerting, and response capabilities to continuously address potential issues. The One Click System product infrastructure is equipped with tools designed to alert engineers and administrators when anomalies occur. Specifically, error rates, abuse scenarios, application attacks, and other anomalies trigger automatic responses or alerts to the appropriate teams for response, investigation, and correction. Many automated triggers are also designed to immediately respond to anomalous situations. For instance, traffic throttling, process termination, and similar functions are activated at predefined thresholds to ensure the system remains secure and operational. This proactive approach to infrastructure management underscores One Click System's commitment to maintaining a high level of service availability and data security, aligning with the stringent requirements of Australian data protection policies.

Application Security

Web Application Defences

All customer content hosted on the One Click System platform is safeguarded by both firewall and application security measures. The platform's monitoring tools actively scrutinise the application layer, capable of alerting on malicious activities based on the type of behaviour and session rate. The criteria for detecting and thwarting malicious traffic adhere to the best practice guidelines established by the Open Web Application Security Project (OWASP), particularly the OWASP Top 10 and similar standards. Additionally, protections against Distributed Denial of Service (DDoS) attacks are integrated within the system, contributing to the continuous availability of customer websites and other components of the One Click System products. This comprehensive security framework ensures that customer data remains protected, aligning with industry-best practices and contributing to a secure online environment for all users of the One Click System platform.

Development and Release Management

One Click System optimises our products using a modern continuous delivery approach to software development, ensuring regular deployment of new code. The process involves thorough code reviews, testing, and merge approval before deployment. Static code analysis is conducted regularly against our code repositories to prevent known misconfigurations from entering the code base. Approval for code changes is managed by designated repository owners, and once approved, the code is automatically moved to One Click System's continuous integration environment for compilation, packaging, and unit testing.

Dynamic testing for security vulnerabilities is carried out periodically against our applications. Newly developed code is first deployed to a dedicated and separate QA environment for the final stage of testing before being promoted to the production environment. Network-level and project-level segmentation is enforced to prevent unauthorised access between QA and production environments, ensuring the integrity and security of our software delivery pipeline.

All code deployments are automated, allowing for quick reversion in case of failures. The deploying team is responsible for monitoring the health of their applications, and rollback processes are immediately initiated if any failure occurs. We employ extensive software gating and traffic management strategies to control feature releases based on customer preferences, including stages like private beta, public beta, and full launch.

One Click System features seamless updates, and as a SaaS application, our clients experience no downtime associated with releases. Major feature changes and updates are communicated to our users through in-app messages and/or product update announcements, ensuring that our customers are always informed and able to take full advantage of the latest improvements and functionalities offered by our platform.

Vulnerability Management

The One Click System team employs a multi-layered approach to vulnerability management, leveraging various industry-recognized tools and threat feeds for extensive coverage across our technology stack. Regularly scheduled vulnerability scans, utilising adaptive scanning inclusion lists and the latest vulnerability detection signatures, help ensure assets are consistently monitored for potential risks. Additionally, annual penetration tests are conducted on our applications and infrastructure to uncover any vulnerabilities posing security threats. Findings from these tests are carefully assessed, with mitigations prioritised to maintain the highest levels of security and integrity for our system.

Customer Data Protection

Data Classification

Per One Click System's Terms of Service, our customers are responsible for ensuring they only capture information that is appropriate and necessary to support their marketing, sales, services, content management, and operations processes. One Click System products should not be used to collect or store sensitive information, such as credit or debit card numbers, financial account information, Social Security numbers, passport numbers, or any financial or health information, except as explicitly permitted. This policy is in place to protect both our customers and their clients, ensuring the responsible use of our platform in compliance with data protection laws and best practices.

Tenant Separation

One Click System offers a multi-tenant SaaS solution where customer data is logically separated through the use of unique IDs, which associate data and objects with specific customers. The design architecture incorporates authorization rules that are continuously validated to ensure secure access and interaction with the platform. Furthermore, we maintain thorough logs of application authentication and any associated changes, application availability, as well as logs of user access and any modifications made. This comprehensive approach to data management and security ensures that each customer's data remains isolated and protected, upholding the integrity and confidentiality of the information stored on our platform.
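The logical separation described above (records tagged with a unique tenant ID, authorization rules checked on every access, and access decisions logged) is illustrated by the following added example. It is not One Click System's code; the in-memory store, the record fields, the roles "admin" and "member", and the sample tenants and contacts are all constructed assumptions. It shows a lookup by record ID alone beside the tenant-scoped lookup that the text's design requires.

```python
# Added illustration of tenant separation by unique tenant ID (not One Click
# System's code). Store, record fields, roles and sample data are assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    """An authenticated user; tenant_id comes from the session, not the request."""
    user_id: str
    tenant_id: str
    role: str  # assumed roles: "admin" or "member"


@dataclass
class Contact:
    contact_id: str
    tenant_id: str
    email: str


class AuthorizationError(PermissionError):
    pass


class ContactStore:
    """In-memory store where every record carries the tenant it belongs to."""

    def __init__(self) -> None:
        self._rows: dict[str, Contact] = {}
        # Audit trail of authorization decisions: (user, tenant, action, target)
        self.audit: list[tuple[str, str, str, str]] = []

    def _log(self, p: Principal, action: str, target: str) -> None:
        self.audit.append((p.user_id, p.tenant_id, action, target))

    def add(self, p: Principal, contact_id: str, email: str) -> Contact:
        # The tenant ID is stamped from the caller's identity, never taken from input.
        row = Contact(contact_id, p.tenant_id, email)
        self._rows[contact_id] = row
        self._log(p, "create", contact_id)
        return row

    def get_unscoped(self, contact_id: str) -> Optional[Contact]:
        """Weak pattern: lookup by record ID alone, so any caller who knows an ID
        reads another tenant's record (insecure direct object reference)."""
        return self._rows.get(contact_id)

    def get(self, p: Principal, contact_id: str) -> Contact:
        """Hardened pattern: the lookup is always scoped to the caller's tenant."""
        row = self._rows.get(contact_id)
        # A foreign row and a missing row are reported identically, so a caller
        # cannot learn that a record exists in another tenant.
        if row is None or row.tenant_id != p.tenant_id:
            self._log(p, "read-denied", contact_id)
            raise AuthorizationError(f"contact {contact_id} not found")
        self._log(p, "read", contact_id)
        return row

    def delete(self, p: Principal, contact_id: str) -> None:
        """Authorization rule checked on every call: admins only, own tenant only."""
        row = self.get(p, contact_id)  # tenant scoping first
        if p.role != "admin":
            self._log(p, "delete-denied", contact_id)
            raise AuthorizationError("role not permitted to delete")
        del self._rows[row.contact_id]
        self._log(p, "delete", contact_id)


def demo() -> dict:
    """Constructed scenario with two tenants; returns the outcomes for inspection."""
    store = ContactStore()
    alice = Principal("alice", "tenant-A", "admin")
    bob = Principal("bob", "tenant-B", "member")
    store.add(alice, "c-1", "lead@example.com")
    store.add(bob, "c-2", "prospect@example.com")

    out = {}
    out["own_read"] = store.get(alice, "c-1").email
    out["unscoped_leak"] = store.get_unscoped("c-2") is not None  # no tenant check
    try:
        store.get(alice, "c-2")
        out["cross_tenant_read"] = "allowed"
    except AuthorizationError:
        out["cross_tenant_read"] = "denied"
    try:
        store.delete(bob, "c-2")
        out["member_delete"] = "allowed"
    except AuthorizationError:
        out["member_delete"] = "denied"
    store.delete(alice, "c-1")
    out["admin_delete"] = "c-1" not in store._rows
    out["denied_events"] = [e for e in store.audit if e[2].endswith("-denied")]
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is that the tenant ID is never accepted from the request; it is taken from the authenticated principal, and a record that belongs to another tenant is indistinguishable from one that does not exist.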

Encryption

All data is encrypted in transit with TLS version 1.2 or 1.3 and 2,048-bit keys or better. Transport Layer Security (TLS) is also the default for customers who host their websites on the One Click System platform. One Click System leverages several technologies to ensure stored data is encrypted at rest. Platform data is stored using AES-256 encryption. User passwords are hashed following industry best practices and are encrypted at rest.

Key Management

Encryption keys for both in-transit and at-rest encryption are securely managed by the One Click System platform. TLS private keys for in-transit encryption are managed through our content delivery partner. Volume- and field-level encryption keys for at-rest encryption are stored in a hardened Key Management System (KMS). Keys are rotated at varying frequencies, depending on the sensitivity of the data they govern. In general, TLS certificates are renewed annually. One Click System is unable to use customer-supplied encryption keys at this time.

Data Backup and Disaster Recovery

System Reliability and Recovery

One Click System is committed to minimising system downtime. All One Click System product services are built with redundancy. Server infrastructure is strategically distributed across multiple distinct availability zones and virtual private cloud networks within our infrastructure providers, ensuring that all web, application, and database components are deployed with point-in-time recovery. This approach enhances the resilience and reliability of our services, ensuring continuous operation and data availability for our customers.

Backup Strategy

System Backups

Systems are backed up on a regular basis with established schedules and frequencies. Seven days' worth of backups are kept for any database in a way that ensures restoration can occur easily. Backups are monitored for successful execution, and alerts are generated in the event of any exceptions. Failure alerts are escalated, investigated, and resolved. Data is backed up daily to the local region. Monitoring and alerting are in place for replication failures, which are triaged accordingly.

Physical Backup Storage

Because we leverage public cloud services for hosting, backup, and recovery, One Click System does not implement physical infrastructure or physical storage media within its products. One Click System does not generally produce or use other kinds of hard copy media (e.g., paper, tape, etc.) as part of making our products available to our customers.

Backup Protections

By default, all backups are protected through access control restrictions and write once read many (WORM) protections on One Click System product infrastructure networks, and access control lists on the file systems storing the backup files.

Customer Data Backup Restoration

One Click System customers don't have access to the product infrastructure in a way that would allow a customer-driven failover event. Disaster recovery and resiliency operations are managed by One Click System product engineering teams. In some cases, customers can use the recycle bin to directly recover and restore contacts, opportunities, custom fields, custom values, tags, notes, and tasks up to 30 days after they were deleted. Changes to web pages, blog posts, or emails can be restored to previous versions of content using version history. For customers who wish to additionally back up their data, the One Click System platform provides many ways of ensuring that you have what you need. Many of the features within your One Click System portal contain export options, and the One Click System library of public APIs can be used to synchronise your data with other systems.

Identity and Access Control

Product Login Protections

The One Click System products allow users to log in to their One Click System accounts using the native One Click System login. The native login enforces a uniform password policy which requires a minimum of 8 characters and a combination of lower- and upper-case letters, special characters, and numbers. People who use One Click System’s native login cannot change the default password policy. Customers who use One Click System’s built-in login are protected by two-factor authentication for their One Click System accounts. Portal administrators may require all users to have two-factor authentication enabled.

One Click System Employee Access to Customer Data

Access to Production Infrastructure

User access to internal data stores and production infrastructure is strictly controlled. One Click System employees are granted access using a role-based access control (RBAC) model. Day-to-day access is minimised to members of the Engineering team, and persistent administrative access is restricted. Additionally, direct network connections to product infrastructure devices over SSH or similar protocols are prohibited; engineers are required to authenticate first through a bastion host ("jump box") or to be assigned an IAM role for the resource before accessing server environments.

Access to Customer Portals

By default, Customer Support, Services, and other customer engagement staff can obtain limited access to parts of your One Click System account to assist you with using One Click System. The One Click System application also uses a Just-In-Time Access (JITA) model to grant employees access to a customer’s portal for a limited duration (Portal JITA). Each Portal JITA request is logged. Access is tied to a specific customer’s portal for a maximum 24-hour period. One Click System also utilises risk-based monitoring to detect unusual Portal JITA activity. When accessing a portal using Portal JITA, One Click System employees are unable to perform high-risk actions such as:

  • Changing domain or SSO settings

  • Exporting users/contacts

  • Viewing/creating/deleting/rotating private app keys

  • Importing data to the CRM

  • Deleting contacts, companies, deals, and tickets

User logins, One Click System employee access, security activity, and content activity are logged.
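The Portal JITA model described above (a grant tied to one customer portal for at most 24 hours, every request and action logged, high-risk actions unavailable, and unusual activity flagged by risk-based monitoring) is illustrated by the following added example. It is not One Click System's code; the action names, the employee and portal identifiers, and the "more than five portals per employee per day" anomaly rule are constructed assumptions standing in for whatever the platform actually uses.

```python
# Added illustration of a time-bounded Just-In-Time Access grant with blocked
# high-risk actions and logging (not One Click System's code). Action names,
# identifiers and the anomaly threshold are assumptions based on the text.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_GRANT = timedelta(hours=24)
# Assumed names for the high-risk actions the text lists as unavailable during JITA
BLOCKED_ACTIONS = frozenset({
    "change_domain_settings", "change_sso_settings", "export_contacts",
    "manage_private_app_keys", "import_crm_data", "delete_records",
})
# Assumed anomaly rule: more than this many distinct portals per employee per day
PORTALS_PER_DAY_LIMIT = 5


@dataclass(frozen=True)
class Grant:
    employee: str
    portal_id: str
    starts: datetime
    expires: datetime


@dataclass
class JitaService:
    grants: list = field(default_factory=list)
    log: list = field(default_factory=list)  # (time, employee, portal, event)

    def request(self, employee: str, portal_id: str, now: datetime,
                duration: timedelta) -> Grant:
        # Access is always tied to one portal and capped at 24 hours.
        g = Grant(employee, portal_id, now, now + min(duration, MAX_GRANT))
        self.grants.append(g)
        self.log.append((now, employee, portal_id, "grant"))
        return g

    def authorize(self, g: Grant, portal_id: str, action: str, now: datetime) -> bool:
        """Every decision is logged; a denial records its reason."""
        if portal_id != g.portal_id:
            reason = "wrong-portal"
        elif not (g.starts <= now < g.expires):
            reason = "expired"
        elif action in BLOCKED_ACTIONS:
            reason = "blocked-action"
        else:
            self.log.append((now, g.employee, portal_id, f"allow:{action}"))
            return True
        self.log.append((now, g.employee, portal_id, f"deny:{action}:{reason}"))
        return False

    def unusual_employees(self, now: datetime) -> set:
        """Risk-based check: employees who opened grants to more portals than the
        assumed limit within the last 24 hours."""
        window = now - timedelta(hours=24)
        seen: dict[str, set] = {}
        for g in self.grants:
            if g.starts >= window:
                seen.setdefault(g.employee, set()).add(g.portal_id)
        return {e for e, portals in seen.items() if len(portals) > PORTALS_PER_DAY_LIMIT}


def demo() -> dict:
    """Constructed scenario; returns the outcomes for inspection."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    svc = JitaService()
    g = svc.request("support-1", "portal-42", t0, timedelta(hours=72))  # clamped to 24h
    later = t0 + timedelta(hours=1)
    out = {
        "granted_hours": (g.expires - g.starts) / timedelta(hours=1),
        "view_ok": svc.authorize(g, "portal-42", "view_contact", later),
        "export_blocked": svc.authorize(g, "portal-42", "export_contacts", later),
        "other_portal": svc.authorize(g, "portal-7", "view_contact", later),
        "after_expiry": svc.authorize(g, "portal-42", "view_contact", t0 + timedelta(hours=25)),
    }
    for i in range(6):  # constructed burst of grants that trips the anomaly rule
        svc.request("support-2", f"portal-{100 + i}", t0 + timedelta(minutes=i), timedelta(hours=1))
    out["flagged"] = svc.unusual_employees(t0 + timedelta(hours=2))
    out["denials"] = [e[3] for e in svc.log if e[3].startswith("deny")]
    return out


if __name__ == "__main__":
    print(demo())
```

The grant object, not the request, carries the portal and expiry, so a caller cannot widen its own scope; the log of both allowed and denied actions is what an investigation would read back.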

Corporate Authentication and Authorization

Access to the One Click System company network requires MFA. Password policies follow industry best practices for required length, complexity, and rotation frequency. Password vaults are in place to manage certain administrative account passwords, and access to the vault is managed through Role-Based Access Control or through the JITA process. We have built an extensive support system to streamline and automate our security management and compliance activities.

In addition to many other functions, we ensure that permission grants are appropriate, employee events are managed, access revocations are timely, change logs are effectively collected, and compliance evidence is preserved. Employee access and permissions to key internal systems are manually reviewed semi-annually to help ensure access granted is necessary for their job function.

Organisational and Corporate Security

Background Checks and Onboarding

One Click System employees undergo a third-party background check prior to formal employment offers. Reference verification is performed at the hiring manager's discretion. Upon hire, all employees must read and acknowledge One Click System’s Employee Handbook and Code of Conduct, which define the employee's security responsibilities in protecting company assets and data.

Policy Management

To ensure all our employees are aligned in protecting data, One Click System documents and maintains written policies and procedures. Specifically, One Click System maintains a core Written Information Security Policy, which covers topics such as data handling requirements, privacy considerations, and disciplinary actions for policy violations. Policies are reviewed and approved at least annually.

Security Awareness Training

One Click System employees are required to complete CyberSafety training upon starting their employment, with training available annually thereafter. The CyberSafety training includes phishing awareness.

Vendor Management

One Click System may leverage third-party service providers to support the development of our product as well as internal operations. We ensure that our vendors have appropriate security and privacy controls in place as part of our contractual relationship with them. We also maintain a list of our sub-processors (which may change from time to time) within our Data Processing Agreement.

Endpoint Protection

Company-issued laptops are centrally managed and configured to maintain full disk encryption. We implement a Mobile Device Management solution that provides a centralised platform for IT administrators to manage and monitor mobile devices in an organisation. This includes configuring device settings, enforcing security policies, deploying apps, and ensuring compliance with corporate policies.

Privacy

As described in our Privacy Policy, we do not sell your personal data to third parties. The protections described in this document and other protections that we have implemented are designed to ensure that your data stays private and unaltered.

Data Retention and Data Deletion

Customer data is retained for as long as you remain an active customer. Current and former customers can make written requests to have certain data deleted, and One Click System will fulfil those requests as required by privacy rules and regulations. One Click System retains certain data like logs and related metadata to address security, compliance, or statutory needs. One Click System does not currently provide customers with the ability to define custom data retention policies.

Privacy Program Management

One Click System’s Legal Team collaborates with our engineering and product development teams to implement an effective privacy program. Information about our commitment to the privacy of your data is described in greater detail in our Privacy Policy and Data Processing Agreement.

Breach Response

One Click System will notify customers as required by law if it becomes aware of a data breach that impacts your personal data.

GDPR

One Click System aims to provide features that enable our customers to easily achieve and maintain their GDPR compliance requirements. Please refer to our GDPR page for more information. While One Click System seeks to enable your GDPR compliance efforts, use of the One Click System product alone does not make you GDPR compliant.

Document Scope and Use

This document is intended to be a resource for our customers. It is not intended to create a binding or contractual obligation between One Click System and any parties, or to amend, alter, or revise any existing agreements between the parties. One Click System is continuously improving the protections that we have implemented, so our procedures may be subject to change.

Contact Us

Questions about this document? We want to hear from you! You can reach us at support@oneclicksystem.ai.