Business Continuity and Disaster Recovery

OneStream’s Corporate Business Continuity Plan (or “BCP”) is maintained, tested, and reviewed annually, or as needed based on business changes, to support OneStream’s corporate environment. An event affecting OneStream’s corporate environment could occur with little or no impact on OneStream’s ability to provide full-service availability to our customers.

OneStream’s Service Disaster Recovery (or “DR”) plan is specific to the Service Environment, including customer Cloud Instances, and is maintained, tested, and reviewed annually or as needed based on business changes to support OneStream’s Service for our customers.

Corporate Business Continuity

OneStream’s Business Continuity process covers its functional offices and is a distinct operating procedure from its management of the Service. The BCP has been developed as a component of our Governance Risk and Compliance (or “GRC”) Program, including Business Impact Assessments (or “BIA”) to understand the impact of the loss of any given system or location.

Disaster Recovery

Data Center High Availability and Redundancy

OneStream’s Service is provided to each customer out of a primary data center region, with automatic replication and backup to a secondary data center region as a failover. The primary and secondary data center regions will be automatically selected from OneStream’s default regions as noted in Data Center Locations, unless a customer has specific data residency requirements and specifically requests an alternate data center region from our list of Alternate Data Center Locations. These data centers have several layers of high availability built into them. While the probability of a failure is low, redundancies and backups are employed in strategic ways to ensure that, in the event of a failure, services are restored at a secondary data center in a timely manner. In the unlikely event that an entire data center is rendered offline unexpectedly, Cloud Instances in the impacted data center will fail over to the secondary data center region. Note that this overview and the following information regarding DR is applicable only to Cloud Instances designated as “Production”.

Region Pair Replication

The OneStream Service includes the replication of customer data to a secondary data center region. Each data center region is paired with another data center region within the same geography (such as the United States, Europe, or Asia). This approach allows for the replication of resources across a geography, reducing the likelihood that a natural disaster, civil unrest, a power outage, or a physical network outage affects both regions of a pair. Additional advantages of region pairs include:

  • In the event of a wider data center outage, one region is prioritized out of every pair to help reduce the time to restore for applications

  • Planned data center updates are rolled out to paired regions one at a time to minimize downtime and risk of application outage

Recovery Objectives

In the event of a catastrophic data center failure, OneStream has defined a Recovery Point Objective (RPO) of one (1) hour and a Recovery Time Objective (RTO) of twenty-four (24) hours.

Testing and Compliance

OneStream formally tests our disaster recovery process as either a live or tabletop exercise annually as a component of our Governance Risk and Compliance Program. Additional non-formal testing also occurs as business conditions dictate.

Information Security Governance and Risk Management

Governance Risk and Compliance Program (GRC)

OneStream maintains a comprehensive risk management program, inclusive of the following governance, risk, and compliance elements:

  • Third- and Fourth-Party Vendor Risk Management

  • Risk and Controls Framework Management

  • Business and Application Risk Assessments

  • Business Continuity, Disaster Recovery Program Management

  • Audit, Compliance Program Management

  • Capability Maturity Model Assessments and Continuous Improvements

Prospects and customers may request the "GRC Program - Customer Due Diligence Package" for an overview of our GRC Program Framework inclusive of cadence and artifact inventory. 

Security Frameworks

The OneStream Service is aligned with NIST 800-53 and ISO 27001 operational and security controls. These frameworks include a comprehensive set of security controls that are used as a baseline for the operational and security controls utilized to manage and secure the OneStream Service.

Security Policy and Procedures

OneStream’s Service Policies and Plans are controlled subject matter and are not distributed. Prospects and customers may request the "GRC Program - Customer Due Diligence Package" for an overview of our policy and controls framework.

Service Organizational Controls – SOC Reporting

As a component of the OneStream GRC Program, OneStream submits to twice-annual SOC 1 and SOC 2 audits, as well as Bridge Letters to cover any additional customer audit cadence. Prospects may request SOC reports for their review as a component of their due diligence process. Existing customers may download SOC reports from OneStream MarketPlace at any time as needed to support their internal audit program.

Security Vulnerability Assessment

OneStream conducts a security assessment of our Service at least annually. This testing is conducted against a standard OneStream Cloud Instance by a third-party service provider. OneStream Software engages an outside provider to perform a security assessment that enumerates possible attack vectors, evaluates existing security controls, and provides recommendations for improvement. Providers assess the security posture and perform an authenticated black-box review of OneStream’s Service. This “web application” penetration test focuses on the Open Web Application Security Project’s (OWASP’s) Top 10 Flaws of Insecure Software, a broad consensus of the most critical web application security flaws aimed at addressing root causes, as well as the SANS Top 25 vulnerability list, as current at the time of the engagement.