Security & compliance

A clear SaaS foundation for IT, security and procurement teams

OneChain documents its security posture, controls, limits and the options that must be framed contractually for enterprise rollouts.

Main controls

The topics expected in an enterprise security questionnaire

Each point below reflects the current posture documented in the OneChain security reference.

Governance

Documented ISMS aligned with market standards

OneChain maintains a documented ISMS, a security assurance plan and a risk assessment. ISO 27001 or SOC 2 certification has not been obtained yet.

  • Weekly security review
  • Certification roadmap planned
  • Stoik cyber insurance

Access

MFA, RBAC and least privilege

Critical services use MFA. The application enforces roles and access controls by organization and user scope.

  • Auth0 and AWS IAM
  • Application roles
  • 15 min session timeout

Data

Encryption and EU hosting for the SaaS core

Core operational data is hosted on AWS eu-west-1. Encryption is enabled in transit and at rest on managed services.

  • TLS 1.2+
  • AWS KMS AES-256
  • Aurora PostgreSQL and S3

Resilience

Backups, restore testing and recovery targets

The recovery plan covers application, database and documents with automated backups and staging restore tests.

  • App RTO 10 min
  • App RPO 15 min
  • Weekly restore tests

Vulnerabilities

Automated scanning and prioritized remediation

Dependencies, containers, secrets, cloud posture and SBOM are monitored by automated tools with remediation SLA by severity.

  • Snyk, GitGuardian, Trivy
  • ScoutSuite and Datadog SBOM
  • Critical 24-48h

Traceability

Internal logs and contractual integrations

Datadog EU, CloudTrail, CloudWatch and GuardDuty cover internal observability. Customer SIEM export is not offered by default.

  • Structured internal logs
  • AWS audit trail
  • SIEM export under specific agreement
Framing

Limits are explicit during the buying cycle

Enterprise security should not rely on vague promises. OneChain states what is available, what is on the roadmap and what requires a specific contract.

Certifications ISO 27001, SOC 2, CSA STAR and CRA are not certified yet. Practices are documented and certification is on the roadmap.
Optional AI AI features use OpenAI APIs under Standard Contractual Clauses, data minimization and a no-PII policy. They can be discussed or disabled for customers requiring strict residency.
Isolation Isolation is logical at application level through clientId, roles and GraphQL controls. OneChain does not provide dedicated per-customer LLM instances.
SIEM and exports Log exports to a customer SIEM are not standard. They are handled through a dedicated contractual agreement.
AI and data

AI features are framed by use case

AI modules extract, reconcile and prepare transport information. Payloads are minimized, personal data is avoided, and activation can be discussed case by case with customer IT and security teams.

Evaluate OneChain

Ready to save 50% of your transport management time?

See in 30 minutes how OneChain adapts to your flows, providers and quality standards.

Request a free demo