Security at Opus 2

Compliance and certification

We provide a secure alternative to information sharing, process management, and collaboration methods that can put your data at risk. We meet stringent industry standards and have:

maintained ISO27001:2013 certification since 2015
retained Cyber Essentials Plus certification since 2016

mark-of-trust-certified_ISO-9001_ISO-27001_information-security-management

Secure development

Secure by design

Security is at the heart of our development process. Whenever we issue a new version or feature of an Opus 2 solution, we use a methodology called STRIDE to identify potential threats, then a dedicated risk owner is assigned to eliminate or mitigate that threat.

Testing and verification

We employ a combination of automated and manual testing involving static binary analysis using industry-standard tooling and continuous checks for third-party dependencies. We carry out regular internal and third-party penetration testing at least once a year.

Consistent builds

Our code is fed into a well-structured Continuous Integration (CI) pipeline for proper testing. Any issues are verified and fed into the bug-tracking system. We try to find solutions that address complete bug classes rather than point solutions for a single finding.

Secure infrastructure

Standardised configurations

We have built environment “templates” that can be deployed automatically. They allow us to build a consistent environment for you, without being prone to human error, and they give us a standard for measuring other environments to prevent creep or technical debt.

Geo-specific hosting

In general, we host in the most applicable region to where our clients engage us, subject to compliance with legal requirements. If you have specific hosting needs that are unique to your organisation, we can find an appropriate solution for your needs.

Europe

Primary systems are hosted in availability zone EU-WEST–2. Secondary/Backup Systems are hosted in availability zone EU-WEST–1.

United States

Primary systems are hosted in availability zone US-EAST–2. Secondary/Backup Systems are hosted in availability zone US-EAST–1.

Client-specific hosting requirements

If you have specific hosting needs that are unique to your organisation, we can find an appropriate solution for your needs.

Data protection

Compliance

Opus 2 Services and Agreements meet global legal and regulatory requirements, including but not limited to:

General Data Protection Regulation (GDPR)
UK GDPR
California Consumer Privacy Act (CCPA)
Singapore Personal Data Protection Act
Australian Privacy Act
Canada Federal Personal Information Protection and Electronic Documents Act

Authentication and authorisation

There are several authentication methods in place to increase the security of accounts. This includes a client-defined password policy and several options for multi-factor authentication. It is also possible to link to your Single Sign-On provider to centralise account control and authentication policies.

User management

As a client, you have full control over the permissions for each user you register to the platform. You can create, modify, and remove users based on your own internal policies.

Encryption at rest

All customer data is hosted on encrypted AWS containers. Encryption keys are programmatically managed through the AWS Key Management System (KMS).

Encryption in transit

All internet-facing application instances are assigned a TLS certificate to ensure that data communicated between your computer and the Opus 2 infrastructure is encrypted using the latest encryption protocols. The certificate is generated through a secure process and only supports encryption protocols and ciphers that are not currently known to be broken or otherwise compromised. All components communicate with each other over TLS.

Incident response

The Opus 2 ecosystem includes 24/7 security monitoring. Every device, server instance, and application provide a rich set of data points into our centralised log aggregation platform. Using advanced AI, this data is continuously analysed for anomalies and any events that potentially indicate a security incident are investigated by the Opus 2 Incident Response team.

Third parties

Apart from AWS, we do not rely on any third parties to provide our solutions and services to our clients. Where third parties are involved for additional services, security screening is undertaken, and an NDA is signed. We also conduct the same level of background checks for our own employees, and we sign a Data Protection Agreement (DPA), as required by the GDPR.

We work with independent court reporters who are considered third parties for the services they provide. Each court reporter receives Opus 2’s Employee Security Awareness Training and signs an NDA with Opus 2. Additionally, several of the court reporters hold security clearances of varying levels for which they have undergone independent background checks. The court reporters are contractually obliged to maintain the security of client information in line with Opus 2’s security classification and data protection policies.

Meet our dedicated security team

Our core information security team consists of security experts who work with the wider Opus 2 team, from Human Resources to Software Engineering and from Finance to Support, to deliver our solutions and services to you as securely as possible.

Contact our team