Security

Security is a feature, not a checkbox.

Oneclik captures bug reports - including screenshots and logs - so we treat security as core engineering work, not a compliance afterthought.

Last updated: April 19, 2026

Four pillars of our program

Defense in depth - engineered into the product, the platform, and how we work.

Encryption everywhere

TLS 1.3 in transit. AES-256 at rest. Per-workspace key isolation for sensitive payloads like console logs and screenshots.

Strong authentication

Email + password with HIBP leaked-password checks, Google & Apple SSO, and SAML SSO for enterprise. MFA available on all paid plans.

Hardened infrastructure

EU-default hosting on tier-1 providers, isolated production environments, automated patching, and immutable build pipelines.

Least-privilege access

No engineer has standing access to production data. Just-in-time access requires approval and is fully audit-logged.

Compliance & certifications

Where we stand today and where we're heading.

GDPR

EU data residency by default. DPA available on request.

Compliant

SOC 2 Type II

Audit underway with a Big-Four firm. Bridge letter on request.

In progress · 2026

ISO 27001

Aligning controls in preparation for certification.

Roadmap · 2027

CCPA

We honor opt-out, access, and deletion requests for California residents.

Compliant

Data protection

  • All data encrypted at rest with AES-256 and in transit with TLS 1.3.
  • Encryption keys managed via a dedicated KMS with automatic rotation.
  • Per-workspace logical isolation - one customer's data is never commingled with another's at the application layer.
  • Sensitive fields (auth tokens, request bodies) can be redacted automatically before capture.

Authentication & access

  • Email + password with leaked-password (HIBP) checks at signup and rotation.
  • Google and Apple SSO out of the box. SAML SSO for enterprise.
  • Multi-factor authentication (TOTP) available on all paid workspaces.
  • Role-based access control: Owner, Admin, Member, Viewer.
  • Session tokens are short-lived, rotated, and bound to device fingerprints.

Infrastructure & network

  • EU-default hosting; US and APAC regions available for enterprise.
  • Edge-first architecture with DDoS protection and WAF in front of every endpoint.
  • Private VPCs, no public database endpoints, and bastion-only admin access.
  • Immutable infrastructure deployed via signed, reproducible builds.

Application security

  • Mandatory peer review and CI checks on every change.
  • Static analysis (SAST), dependency scanning, and secret scanning on every commit.
  • Annual third-party penetration tests; summary reports available on request.
  • Strict Content Security Policy and modern cross-origin protections.

Operational security

  • Mandatory device hardening, full-disk encryption, and SSO with MFA on all employee accounts.
  • Background checks for engineers with potential access to production systems.
  • Annual security awareness and secure-coding training.
  • Centralized audit logs for every privileged action; logs are write-once.

Backups & disaster recovery

  • Encrypted, point-in-time backups taken continuously.
  • Cross-region replication with documented RTO of 4 hours and RPO of 15 minutes.
  • Disaster recovery tested at least annually.

Incident response

We follow a documented incident response plan with on-call rotations, severity classification, and post-mortem reviews. For incidents involving customer personal data, we notify affected workspace admins within 72 hours, in line with GDPR Article 33.

Vendor & subprocessor management

We use a small, audited set of subprocessors for hosting, email, payments, and AI inference. Each is reviewed for security posture and bound by a Data Processing Agreement. A current list is available on request.

Responsible disclosure

Found a vulnerability? We want to hear from you. We commit to acknowledging reports within 48 hours and resolving validated issues as fast as their severity demands.

  • Test only against your own workspace.
  • No social engineering, DDoS, or physical attacks.
  • Give us reasonable time to remediate before public disclosure.

Report a vulnerability

Email us with steps to reproduce and any supporting artifacts. PGP key available on request.

info@innowave.tech

Read the Privacy Policy