Security & Trustat the Core

Your data deserves the strongest protection. OllaSync is built from the ground up with enterprise-grade security, privacy-first design, and continuous compliance monitoring.

SOC 2
Type II Certified
GDPR
Fully Compliant
ISO
27001 Certified
99.99%
Uptime SLA
Compliance & Certifications

Industry-Leading Compliance

Independent audits and certifications verify our commitment to the highest security and privacy standards.

SOC 2 Type II

Independently audited controls for security, availability, processing integrity, confidentiality, and privacy.

GDPR

Full compliance with EU data protection regulations. Data portability, right to erasure, and DPA available.

ISO 27001

Information security management system certified to ISO/IEC 27001:2022 standards across all operations.

HIPAA

Business Associate Agreements available for healthcare customers. Encryption, access controls, and audit trails.

CCPA

California Consumer Privacy Act compliant. Full transparency on data collection and consumer rights management.

CSA STAR

Cloud Security Alliance STAR Level 2 certification. Transparent security practices and risk management.

End-to-End Encryption

Your Data, Always Encrypted

Every piece of data — messages, files, video streams — is encrypted in transit and at rest. Our zero-trust architecture ensures only authorized users can access their data.

AES-256 Encryption

Military-grade encryption for all data at rest. Keys are managed through AWS KMS with automatic rotation.

TLS 1.3 in Transit

All network traffic encrypted with TLS 1.3. Perfect forward secrecy ensures past sessions stay protected.

End-to-End Messaging

Messages are encrypted on the sender's device and only decrypted on the recipient's device. Not even OllaSync can read them.

Zero-Knowledge Architecture

We never have access to your unencrypted content. Your encryption keys are never stored on our servers.

Data at Rest
AES-256-GCM
Active
Data in Transit
TLS 1.3 + PFS
Active
Key Management
AWS KMS + Auto-rotation
Active
E2E Messaging
Signal Protocol
Active
Infrastructure

Built on a Fortress

Our infrastructure is designed for resilience, redundancy, and rapid recovery — so you never have to worry about downtime or data loss.

Multi-Region Deployment

Hosted across AWS regions in US, EU, and APAC. Automatic failover ensures your workspace stays online even during regional outages.

99.99% Uptime SLA

Backed by financially-guaranteed SLA. Redundant systems at every layer — load balancers, app servers, databases, and storage.

Automated Backups

Continuous backups with point-in-time recovery. Retained for 30 days on all plans. Geographic redundancy for disaster recovery.

DDoS Protection

Enterprise-grade DDoS mitigation via Cloudflare and AWS Shield. Layer 3-7 protection for all traffic endpoints.

Vulnerability Management

Continuous vulnerability scanning, annual penetration testing by third parties, and responsible disclosure program.

Incident Response

24/7 security operations center with <15 min response time. Transparent post-incident reports published within 72 hours.

Access Control

Your Rules, Enforced

Granular access controls that adapt to your organization's policies. SSO, MFA, and RBAC work together to keep the wrong people out.

Single Sign-On

One login for everything. Integrate with your existing identity provider for seamless, secure access.

  • SAML 2.0 & OIDC
  • Okta, Azure AD, OneLogin
  • AD/LDAP sync
  • Domain verification
  • Just-in-time provisioning
  • SCIM user management

Multi-Factor Auth

Layer defense with configurable MFA policies that match your security requirements.

  • TOTP authenticator apps
  • Hardware security keys (FIDO2)
  • SMS & email verification
  • Enforce org-wide MFA policies
  • Recovery codes & backup
  • Passwordless WebAuthn

Role-Based Access

Fine-grained permissions let you control exactly who sees what, from workspaces down to individual messages.

  • Custom role creation
  • Workspace-level permissions
  • Channel & DM restrictions
  • Data export policies
  • Guest & external access
  • Approval workflows
audit-log.stream
2026-01-15 09:14:22LOGINsarah.chen@acme.com authenticated via SSO (Okta)
2026-01-15 09:15:03PERMRole changed: j.miller → Admin (by sarah.chen)
2026-01-15 09:16:45EXPORTData export initiated by admin@acme.com (workspace: eng)
2026-01-15 09:18:12CONFIGMFA policy enforced for organization (by admin@acme.com)
2026-01-15 09:20:34ALERTFailed login: unknown@external.com (IP: 203.0.113.42) — blocked
2026-01-15 09:22:01LOGINdavid.park@acme.com authenticated via SSO (Azure AD)
2026-01-15 09:24:18SHAREChannel #product-roadmap shared with partner org (by sarah.chen)
Audit & Compliance

Complete Audit Trail

Every action is logged, searchable, and exportable. Know exactly who did what, when, and from where — with tamper-proof records you can trust.

Real-Time Streaming

Stream audit events to your SIEM (Splunk, Datadog, Elastic) in real time via webhooks and API.

Immutable Logs

Audit logs are append-only and cryptographically signed. Tampering is detected and flagged instantly.

90-Day Retention

Standard 90-day log retention. Enterprise plans offer unlimited retention with custom archival.

Export & Reporting

CSV, JSON, and PDF exports. Pre-built compliance reports for SOC 2, GDPR, and HIPAA audits.

FAQ

Security Questions

Common questions about how we protect your data.

Your data is stored in AWS data centers across your chosen region (US, EU, or APAC). All data centers are SOC 2 and ISO 27001 certified. You choose your data residency at signup, and we never transfer your data outside your selected region without explicit consent.
No. With end-to-end encryption enabled, messages are encrypted on the sender's device and only decrypted on the recipient's device. OllaSync never has access to the unencrypted content. For non-E2E channels, access is strictly limited to authorized personnel under our data access policy.
We run continuous automated vulnerability scanning and annual third-party penetration tests. Our security team monitors CVE databases and applies patches within 24 hours for critical vulnerabilities. We also maintain a responsible disclosure program at security@ollasync.com.
Our 24/7 security operations center detects and responds to incidents within 15 minutes. Affected customers are notified within 24 hours per our breach notification policy. Post-incident reports are published within 72 hours, detailing root cause, impact, and remediation steps.
Yes. Continuous backups with point-in-time recovery are retained for 30 days. All customers can export their data at any time in standard formats (JSON, CSV). Enterprise plans include custom backup retention and dedicated recovery support.
We fully support GDPR data subject rights including access (Article 15), rectification (Article 16), erasure (Article 17), and portability (Article 20). Requests are processed within 72 hours via our privacy portal or by contacting privacy@ollasync.com. Our DPA is available for all customers.
Yes. Enterprise customers can deploy OllaSync on-premise or in their own cloud VPC. This includes air-gapped installations for organizations with strict compliance requirements. Contact our sales team for details.
Encryption keys are managed through AWS KMS with automatic 90-day rotation. Enterprise customers can bring their own keys (BYOK) via HSM integration. Keys are never stored alongside encrypted data, and access is logged in audit trails.

Questions About Security?

Our security team is available to discuss your requirements, provide documentation, and schedule a security review. We're here to help.

SOC 2 Type II
GDPR Compliant
ISO 27001
<24h Response