Q: Is ONE deployed in the public cloud?
A: Yes, the platform is hosted on AWS.
Q: Can files be hosted on clients' own cloud storage?
A: Clients tend to have a video server platform already in place, such as Brightcove. We can link directly into an existing video library, but equally we can offer integrated video hosting as part of the solution. All other assets, such as images and PDFs, are stored within the system (on AWS) as part of the subscription fee. Clients can host files on their own cloud storage and we simply reference them in the database. We have worked on both cases.
Q: Is ONE optimised for a specific browser/platform?
A: Our system is both mobile and desktop friendly, optimised for the latest 2 versions of all popular browsers across Apple and Windows. See Browser Support for more details.
Q: How are per-client customisations and releases managed?
A: Each client has their own GitHub repository, which is initially cloned from the ONE master repository.
From there, any customisations and designs are implemented.
When new features are developed, they are developed on the master repository and go through a testing life cycle.
Once ready for release, the feature is merged into a new branch on each client repository, where any customisations or designs are implemented.
The feature then goes to a client staging site for testing and final client approval before being merged in and deployed to the client production site.
Q: What is ONE's release strategy and what are the timelines for bug fixes, minor features and major features?
A: We make a development shipment every week to staging in order to test. Once approved, it is then shipped straight to production. However, if a critical bug is found in the system, then we will ship any changes immediately.
We have a planned roadmap for ongoing development of the application, so development on the platform will be continual: thisisone.tv/roadmap
Q: What is ONE's standard SLA on platform uptime?
A: Our services are delivered on Amazon Web Services, and both Rawnet and AWS use commercially reasonable efforts to make Amazon EC2 and our platform available with a Monthly Uptime Percentage of at least 99.99%.
Q: Is ONE offered on a SaaS model?
A: ONE is a SaaS model, but also heavily customisable per client, giving the best of both worlds: the flexibility of bespoke development along with the cost savings of SaaS.
Security and cryptography
Q: What security standards are adhered to?
A: We have security policies in accordance with our Information Security Policy, and we ensure yearly periodic updates of the information security program and risk assessment. All key staff are GDPR certified. Our Employee Policy includes procedures on Asset Classification, Asset Handling, Digital Recording Devices, Password Controls, Whistleblowing and System Change Management. Content is always transmitted from our facility to AWS in a secure, encrypted form. We use HTTPS and enforce use of a strong cipher suite (SSLv3). We patch our firewalls, routers and switches regularly.
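A practitioner reading the HTTPS answer above will want to pin down what "strong cipher suite" means in a checkable way. SSLv3 is a protocol version rather than a cipher suite, and it has been prohibited since RFC 7568 (TLS 1.0 and 1.1 are deprecated by RFC 8996), so the policy a reviewer expects is a TLS 1.2 floor plus forward-secret AEAD suites. The script below is an added example, not ONE's or Rawnet's configuration: it builds a server context under that policy with Python's standard `ssl` module and audits any context for its protocol floor and for weak suite names. The cipher string and the list of weak-name markers are this example's own choices.

```python
import ssl

# Fragments of OpenSSL cipher-suite names that mark a suite as weak or obsolete
# (this list is the example's own policy, not a standard).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")

# Lowest protocol version a public HTTPS endpoint should accept today.
# SSLv3 is prohibited by RFC 7568; TLS 1.0 and 1.1 are deprecated by RFC 8996.
PROTOCOL_FLOOR = ssl.TLSVersion.TLSv1_2


def weak_cipher_names(names):
    """Return the cipher-suite names from `names` that match a weak marker."""
    return [n for n in names if any(m in n for m in WEAK_CIPHER_MARKERS)]


def hardened_server_context():
    """Server-side context that negotiates TLS 1.2+ with forward-secret AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = PROTOCOL_FLOOR
    # OpenSSL cipher-string syntax: ECDHE key exchange with AES-GCM or ChaCha20,
    # explicitly excluding anonymous, pre-shared-key and MD5-based suites.
    # TLS 1.3 suites are governed separately by OpenSSL and stay enabled.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!PSK:!MD5")
    return ctx


def audit_tls_context(ctx):
    """Check a context against the policy: protocol floor reached and no weak suites enabled."""
    enabled = [c["name"] for c in ctx.get_ciphers()]
    return {
        "minimum_version": ctx.minimum_version.name,
        "floor_ok": ctx.minimum_version >= PROTOCOL_FLOOR,
        "weak_ciphers": weak_cipher_names(enabled),
        "enabled_count": len(enabled),
    }


if __name__ == "__main__":
    print(audit_tls_context(hardened_server_context()))
```

Running the audit against a context built from a legacy configuration (or against the suite list reported by a scanner) is the same call; the `weak_ciphers` list is what should be empty before the answer "strong cipher suite" can be signed off.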
Q: Are independent reviews conducted of security posture and policy compliance within the business and with 3rd parties to validate its suitability to meet business needs and risk appetite, the results of which are documented to management for appropriate action?
A: Both the website and app are fully pentested by a CREST-approved supplier.
Q: What are the security specifics for videos?
A: Video security depends on the streaming provider; however, we recommend HLSe for use on the web and MP4 for the iOS app. HLSe on the web means videos are encrypted and therefore extremely difficult to steal. The videos downloaded to the iOS app are encoded within the app, so it is impossible to play them outside of the app.
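HLSe is HLS with AES-128 segment encryption: the media playlist carries `#EXT-X-KEY` tags, and each tag governs every segment that follows it until the next key tag. Two things decide whether that protection actually holds for a given stream: no segment may fall under `METHOD=NONE`, and the key URI must be fetched over HTTPS, because the key is delivered to the player and a plaintext fetch exposes it on the wire. The checker below is an added example, not part of ONE or any streaming provider's tooling; the playlist it parses is constructed for the example, and the attribute regex is a simplification of the HLS attribute-list grammar.

```python
import re

# Constructed sample media playlist: two AES-128 segments under an https key,
# one segment after encryption is switched off, and one under a key fetched over http.
SAMPLE_PLAYLIST = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:10
#EXT-X-MEDIA-SEQUENCE:0
#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example.invalid/k1",IV=0x00000000000000000000000000000001
#EXTINF:10.0,
seg0.ts
#EXTINF:10.0,
seg1.ts
#EXT-X-KEY:METHOD=NONE
#EXTINF:10.0,
seg2.ts
#EXT-X-KEY:METHOD=AES-128,URI="http://keys.example.invalid/k2"
#EXTINF:10.0,
seg3.ts
#EXT-X-ENDLIST
"""

# NAME=value pairs; values are either double-quoted strings or run up to the next comma.
ATTR_RE = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')


def parse_attributes(attr_string):
    """Parse an HLS attribute list such as METHOD=AES-128,URI="..." into a dict."""
    return {k: v.strip('"') for k, v in ATTR_RE.findall(attr_string)}


def audit_playlist(text):
    """Return (segment, problem) pairs for segments not covered by an encrypted, https-delivered key."""
    findings = []
    key = None  # attributes of the EXT-X-KEY currently in force; None before any key tag
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#EXT-X-KEY:"):
            key = parse_attributes(line[len("#EXT-X-KEY:"):])
        elif line and not line.startswith("#"):
            # Any non-blank, non-tag line is a segment URI governed by the current key.
            method = (key or {}).get("METHOD", "NONE")
            if method == "NONE":
                findings.append((line, "unencrypted"))
            elif not (key or {}).get("URI", "").startswith("https://"):
                findings.append((line, "key not delivered over https"))
    return findings


def playlist_protected(text):
    """True only when every segment in the playlist passes the audit."""
    return not audit_playlist(text)


if __name__ == "__main__":
    for segment, problem in audit_playlist(SAMPLE_PLAYLIST):
        print(f"{segment}: {problem}")
```

This is a check on the delivery configuration, not a substitute for DRM: because an AES-128 key reaches the client, the protection is against casual download and interception rather than against a determined user with the player's key.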
Q: What measures are taken to ensure data is not 'leaked' between clients?
A: We have implemented a robust permissions model, supported by unit tests, to ensure that data is not leaked between clients. The continuous integration tests run automatically whenever code is updated, to ensure that nothing accidentally breaks the permissions architecture.
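The pattern that makes such a permissions model testable is tenant scoping at the query layer: every read carries the requesting client's id as part of the lookup, so a row belonging to another client can never be returned, and a CI test can prove it by trying every cross-client combination. The code below is an added example and not ONE's own model or schema; it uses an in-memory SQLite database with two constructed clients, shows the leaky lookup-by-id pattern beside the scoped one, and includes the exhaustive isolation check a CI suite would run.

```python
import sqlite3


class PermissionDenied(Exception):
    """Raised when a request reaches for data outside the caller's client."""


def build_db():
    """In-memory database with assets for two constructed clients (example data only)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    db.execute(
        "CREATE TABLE assets (id INTEGER PRIMARY KEY, "
        "client_id INTEGER NOT NULL REFERENCES clients(id), title TEXT NOT NULL)"
    )
    db.executemany("INSERT INTO clients VALUES (?, ?)", [(1, "client-a"), (2, "client-b")])
    db.executemany(
        "INSERT INTO assets VALUES (?, ?, ?)",
        [(10, 1, "A brochure.pdf"), (11, 1, "A showreel.mp4"), (20, 2, "B brochure.pdf")],
    )
    return db


def get_asset_unscoped(db, asset_id):
    """The leaky pattern: looks up by primary key only, ignoring who is asking."""
    return db.execute(
        "SELECT id, client_id, title FROM assets WHERE id = ?", (asset_id,)
    ).fetchone()


def get_asset(db, requesting_client_id, asset_id):
    """Tenant-scoped lookup: the client id is part of the WHERE clause, so another
    client's row is indistinguishable from a row that does not exist."""
    row = db.execute(
        "SELECT id, client_id, title FROM assets WHERE id = ? AND client_id = ?",
        (asset_id, requesting_client_id),
    ).fetchone()
    if row is None:
        raise PermissionDenied(f"asset {asset_id} is not visible to client {requesting_client_id}")
    return row


def list_assets(db, requesting_client_id):
    """Listing is scoped the same way; there is no unscoped listing endpoint."""
    rows = db.execute(
        "SELECT id FROM assets WHERE client_id = ? ORDER BY id", (requesting_client_id,)
    ).fetchall()
    return [r[0] for r in rows]


def isolation_test_passes(db):
    """The CI check: every (client, asset-of-another-client) pair must be denied."""
    client_ids = [r[0] for r in db.execute("SELECT id FROM clients").fetchall()]
    assets = db.execute("SELECT id, client_id FROM assets").fetchall()
    for cid in client_ids:
        for asset_id, owner in assets:
            if owner == cid:
                continue
            try:
                get_asset(db, cid, asset_id)
                return False  # a cross-client read succeeded: the model is broken
            except PermissionDenied:
                pass
    return True


if __name__ == "__main__":
    db = build_db()
    print("isolation holds:", isolation_test_passes(db))
```

Returning "not found" rather than "forbidden" for another client's asset id is deliberate: a distinguishable error would let one tenant enumerate which ids exist in another tenant's library.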
Q: Details of client data protection policy?
A: We have clearly defined processes for responsibilities for the protection of individual assets and for carrying out specific security processes. We restrict access to client assets to only the personnel responsible for tracking and managing assets. Company systems are subject to a risk assessment, with cryptographic controls determined based on the requirements for confidentiality, integrity and availability. Copies of private/decryption keys can be retained within the company's secure storage system; however, a client solution can be designed to use hardware security modules or other such means that prevent staff from accessing private/decryption keys.
Q: What approved encryption mechanisms are in place and operated for the transmission of Confidential data transmitted via email or other forms of electronic messaging?
A: Internal comms are Slack and Gmail. Slack uses data encryption in transit and at rest, and provides:
SAML-based SSO
SCIM provisioning
Granular app management
Custom message retention
Support for Data Loss Prevention (DLP), Enterprise Mobility Management (EMM), and e-Discovery
(Slack Enterprise Grid only)
Q: Have back-up and restoration procedures been documented for all applicable technologies?
A: AWS gives us managed backups, which we can schedule as often as we like, allowing us to spin up the server from a backup snapshot; this would only happen in a disaster recovery situation. From a development point of view, we securely store code on GitHub and commit to repos several times a day as per our code procedures, so code is regularly and continuously backed up. Worst case, a developer might lose 30 minutes of code if their machine broke.
RDS (Relational Database Service)
------
We have a pre-configured backup retention period of 7 days, with backups running between 02:00 and 04:00 GMT.
We use the AWS standard restore procedure, where we can select which backup to roll back to. We can also create a new RDS cluster and restore a backup to it in order to simulate tests, but this is not part of our general restore procedure.
S3 (Asset Storage)
----
We have versioning enabled on all files, and all files are synced to a secondary bucket located in another region. We can roll back files to a specific version on a paid request.
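The RDS and S3 statements above translate into a small set of settings that can be read back from the AWS API and checked on a schedule: the instance's `BackupRetentionPeriod` and `PreferredBackupWindow` (which the API expresses in UTC), and the bucket's versioning status and replication rule with a destination in a different region. The checker below is an added example, not Rawnet's tooling; it takes dicts shaped like the responses of boto3's `describe_db_instances`, `get_bucket_versioning` and `get_bucket_replication` (the sample values, bucket names and account id are constructed) and reports where the posture diverges from the policy on this page.

```python
# Policy as stated on the page: 7-day retention, backups in the 02:00-04:00 window.
RDS_POLICY = {"min_retention_days": 7, "backup_window": "02:00-04:00"}

# Constructed sample data in the shape boto3 returns (not real infrastructure).
SAMPLE_RDS = [
    {"DBInstanceIdentifier": "one-prod", "BackupRetentionPeriod": 7,
     "PreferredBackupWindow": "02:30-03:30"},
    {"DBInstanceIdentifier": "one-legacy", "BackupRetentionPeriod": 1,
     "PreferredBackupWindow": "23:00-23:30"},
]
SAMPLE_VERSIONING = {"Status": "Enabled"}
SAMPLE_REPLICATION = {"ReplicationConfiguration": {
    "Role": "arn:aws:iam::123456789012:role/s3-replication",   # placeholder account id
    "Rules": [{"ID": "all-objects", "Status": "Enabled", "Prefix": "",
               "Destination": {"Bucket": "arn:aws:s3:::one-assets-replica"}}],
}}
# Region of each bucket, as get_bucket_location would report it (constructed).
SAMPLE_BUCKET_REGIONS = {"one-assets": "eu-west-2", "one-assets-replica": "eu-west-1",
                         "one-scratch": "eu-west-2"}


def _minutes(hhmm):
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def window_within(window, allowed):
    """True if the 'hh:mm-hh:mm' window lies inside `allowed` (both UTC, no midnight wrap)."""
    w_start, w_end = (_minutes(p) for p in window.split("-"))
    a_start, a_end = (_minutes(p) for p in allowed.split("-"))
    return a_start <= w_start < w_end <= a_end


def audit_rds_instance(instance):
    """Findings for one entry of describe_db_instances()['DBInstances']."""
    findings = []
    if instance.get("BackupRetentionPeriod", 0) < RDS_POLICY["min_retention_days"]:
        findings.append("retention below 7 days")
    if not window_within(instance.get("PreferredBackupWindow", "00:00-00:00"),
                         RDS_POLICY["backup_window"]):
        findings.append("backup window outside 02:00-04:00 UTC")
    return findings


def audit_s3_bucket(name, versioning, replication, bucket_regions):
    """Findings for one bucket: versioning on, and an enabled rule replicating to another region.
    Pass {} for `replication` when get_bucket_replication reports no configuration."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning not enabled")
    rules = replication.get("ReplicationConfiguration", {}).get("Rules", [])
    active = [r for r in rules if r.get("Status") == "Enabled"]
    if not active:
        findings.append("no active replication rule")
    for rule in active:
        dest_arn = rule.get("Destination", {}).get("Bucket", "")
        dest = dest_arn.rpartition(":")[2]  # 'arn:aws:s3:::name' -> 'name'
        if bucket_regions.get(dest) == bucket_regions.get(name):
            findings.append(f"replica {dest} is in the same region as {name}")
    return findings


if __name__ == "__main__":
    for inst in SAMPLE_RDS:
        print(inst["DBInstanceIdentifier"], audit_rds_instance(inst))
    print("one-assets", audit_s3_bucket("one-assets", SAMPLE_VERSIONING, SAMPLE_REPLICATION, SAMPLE_BUCKET_REGIONS))
    print("one-scratch", audit_s3_bucket("one-scratch", {}, {}, SAMPLE_BUCKET_REGIONS))
```

The same-region check matters because a replica in the same region does not cover the regional-outage case that the "another region" statement is meant to address; versioning must also be enabled on the destination bucket for replication to work at all, which the same `audit_s3_bucket` call verifies when run against the replica.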
Access control
Q: What account creation processes include the requirements for the generation of a random one time password, which the owner of the account shall be forced to change on first use?
A: The platform has a roles management section. New users are created with a random, inaccessible password, which they must change on first use.
Q: Do the account creation processes require that the identity of the user is verified before providing them with their initial password or resetting an existing password?
A: Manual verification for external users: external registration goes to an internal manager to verify before access is granted. Only administrators can create internal users. Users must set a password via an email on first use, which verifies the email address.
Q: What are the policy settings for passwords?
A: Minimum 8 characters.
Q: Are policy settings in place for all systems and applications to ensure administrator or other highly privileged user account passwords be at least 10 characters in length, use complexity, do not relate to the username or other well-known attributes of the user and expire after 30 days?
A: All systems are authenticated via Google with 2-factor authentication (Slack, email etc.). 1Pass requires a strong password.
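The account-creation answers above describe one mechanism: the account is created with a password nobody knows, a single-use token is e-mailed to the address, and redeeming that token both verifies the address and forces the first real password to be set under the policy (minimum 8 characters on this page) before any login is possible. The class below is an added example, not ONE's implementation: it uses only the standard library, hashes passwords with PBKDF2-HMAC-SHA256 and a per-user salt, stores only a hash of the setup token, expires the token, and refuses login until setup is complete. The 24-hour token lifetime and the iteration count are this example's assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

MIN_PASSWORD_LENGTH = 8            # policy as stated on the page
SETUP_TOKEN_TTL_SECONDS = 24 * 3600  # assumption for the example
PBKDF2_ITERATIONS = 100_000          # assumption for the example


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a per-user random salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class UserStore:
    """In-memory user records; `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self.users = {}
        self.now = now

    def create_user(self, email, role):
        """Create the account with an unknowable initial password and a one-time setup token.
        Returns the token, which goes into the e-mail link; it is never stored in clear."""
        salt, digest = hash_password(secrets.token_urlsafe(32))  # discarded: nobody can log in with it
        token = secrets.token_urlsafe(32)
        self.users[email] = {
            "role": role,
            "salt": salt,
            "digest": digest,
            "must_change_password": True,
            "setup_token_hash": hashlib.sha256(token.encode()).digest(),
            "setup_token_expires": self.now() + SETUP_TOKEN_TTL_SECONDS,
        }
        return token

    def complete_setup(self, email, token, new_password):
        """Redeem the e-mailed token (which proves control of the address) and set the
        first real password. The token is consumed only on success."""
        user = self.users.get(email)
        if user is None or user["setup_token_hash"] is None:
            return False
        if self.now() > user["setup_token_expires"]:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(user["setup_token_hash"], presented):
            return False
        if len(new_password) < MIN_PASSWORD_LENGTH:
            return False
        user["salt"], user["digest"] = hash_password(new_password)
        user["must_change_password"] = False
        user["setup_token_hash"] = None
        return True

    def login(self, email, password):
        """Constant-time password check; an account that has not completed setup cannot log in."""
        user = self.users.get(email)
        if user is None or user["must_change_password"]:
            return False
        _, digest = hash_password(password, user["salt"])
        return hmac.compare_digest(digest, user["digest"])


if __name__ == "__main__":
    store = UserStore()
    token = store.create_user("alice@example.invalid", "editor")  # constructed address
    print("setup:", store.complete_setup("alice@example.invalid", token, "correct horse battery"))
    print("login:", store.login("alice@example.invalid", "correct horse battery"))
```

Raising `MIN_PASSWORD_LENGTH` per role (the question about administrators asks for 10) is a one-line change in `complete_setup`, since the role is already on the record.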
APIs and Extensions
Q: Are APIs available?
A: Yes.
Q: Do you have REST API services?
A: Yes, we have a RESTful JSON API.
Q: Any other Third Party/Partnerships you would like to share which could add value?
A: We have integrated with many different 3rd party services. Integrations we have carried out include Salesforce, EasyTrack, Paris (rights management) and Rightsline. We have a full team of in-house developers, so if it has an API or other similar service, then we can integrate with it.