Security at Oomph
At Oomph, protecting our clients’ data and maintaining the trust they place in us is foundational to how we operate. We are committed to implementing and maintaining rigorous security practices across our organization, our technology, and our people.
Information Security Program
We maintain a formal Information Security Program aligned with the SOC 2 framework — a widely recognized information security standard established by the American Institute of Certified Public Accountants (AICPA). This program is communicated throughout the organization and governs how we protect client data at every level.
Independent Audits and Testing
Our security and compliance controls are validated through independent third-party assessments. We also engage third-party firms to conduct penetration testing at least annually, ensuring the security posture of our services remains strong.
Organizational Security
Roles and Responsibilities
Roles and responsibilities related to our Information Security Program and the protection of client data are clearly defined and documented. All team members are required to review and accept our security policies.
Security Awareness Training
Every Oomph team member completes security awareness training covering industry-standard topics including phishing, password management, and secure development practices.
Confidentiality
All team members sign and adhere to a confidentiality agreement prior to their first day of work.
Background Checks
We perform background checks on all new team members in accordance with applicable laws.
Cloud and Infrastructure Security
Hosting and Infrastructure
Our services and client environments are hosted across trusted, industry-leading cloud infrastructure providers — including Amazon Web Services (AWS), Acquia, Pantheon, and Platform.sh — each of which maintains robust security programs and multiple compliance certifications. We select providers based on the specific needs of each engagement to ensure the highest levels of performance, reliability, and security.
Data Hosting
All data is hosted within the United States. Our hosting providers maintain comprehensive physical and environmental security controls at their data center facilities.
Encryption
All databases are encrypted at rest. Data in transit is protected using TLS/SSL encryption.
Vulnerability Scanning
We perform vulnerability scanning and actively monitor for threats across our infrastructure.
Logging and Monitoring
We actively monitor and log cloud services activity to detect and respond to potential security events.
Business Continuity and Disaster Recovery
We leverage our hosting providers’ backup and redundancy services to minimize the risk of data loss in the event of a hardware failure. Monitoring services are in place to alert our team immediately in the event of any service disruption affecting users.
Incident Response
We maintain a documented incident response process that includes escalation procedures, rapid mitigation, and timely communication with affected stakeholders.
Access Security
Authentication and Permissions
Access to cloud infrastructure and sensitive tools is limited to authorized employees who require it for their role. We enforce Single Sign-On (SSO), multi-factor authentication (MFA), and strong password policies across our systems.
Least Privilege
We follow the principle of least privilege for identity and access management, ensuring team members have only the access necessary to perform their work.
Access Reviews
We perform quarterly access reviews for all team members with access to sensitive systems.
Password Management
All team members are required to adhere to minimum password complexity requirements and use a company-approved password manager.
Vendor and Risk Management
Risk Assessments
We conduct risk assessments at least annually to identify potential threats, including considerations for fraud.
Vendor Reviews
We evaluate vendor risk and perform appropriate due diligence reviews prior to authorizing any new vendor or third-party service.
Compliance and Accessibility
In addition to our SOC 2 alignment, Oomph helps clients meet GDPR, HIPAA, HITRUST, and WCAG accessibility standards. Security and compliance are embedded into our delivery process — not treated as an afterthought.
Contact Us
If you have any questions, comments, or concerns — or if you wish to report a potential security issue — please contact us at security@oomphinc.com.