Security & Trust

Security built into every layer

Your people data is some of the most sensitive information your organization holds. Keeping it secure, private, and available is foundational to everything we build at OneDirectory.

  • Enterprise cloud infrastructure
  • Encrypted in transit & at rest
  • Read-only, least-privilege access

  • AES-256: Encryption at rest
  • TLS 1.2+: Encryption in transit
  • Read-only: Access to your directory data
  • GDPR: Compliant

How we protect your data

OneDirectory is an employee directory and org chart platform built on enterprise-grade cloud infrastructure. We connect to your HR and identity systems using read-only, least-privilege permissions, and we apply layered controls across our infrastructure, network, application, and people to keep your information safe.

Infrastructure & physical security

Our infrastructure is hosted in Microsoft Azure data centers, protected by multi-factor authentication, biometrics, video surveillance, and 24/7 on-site security. Azure holds ISO 27001/27018, SOC 1/2/3, and PCI DSS accreditations.

Network security

Database access is restricted by Azure firewalls in a deny-by-default configuration, allowing only approved IP addresses. Cloudflare provides edge security, TLS, DNS, and DDoS protection at the perimeter.

Encryption

All traffic is encrypted in transit with TLS 1.2+ and modern cipher suites. Data is encrypted at rest with 256-bit AES, backups are encrypted, and encryption keys are managed in Azure Key Vault.

Availability & continuity

The service is built for high availability with continuous monitoring. Data is replicated three times in its primary region, with geo-redundant backups replicated to a paired region, backed by a formal Business Continuity and Disaster Recovery program.

Application security

We follow a formal Secure Development Lifecycle with change management, separation of duties, secure coding standards, and automated and manual testing. Development, testing, and staging are fully separated from production, and no production data is used in testing.

Access & internal controls

Privileged access is tightly restricted, MFA-enforced, logged, and reviewed quarterly. No external parties have access to production data, and all employees are bound by confidentiality and security obligations.

Product security

Designed with security at every level

OneDirectory authenticates entirely through Microsoft's identity platform and connects to your tenant with read-only permissions. We never see your passwords, and we never touch your content.

  • No passwords, ever. Sign-in is handled by Microsoft via OpenID Connect. OneDirectory has no forms-based login and never handles or stores user passwords.
  • Least-privilege, read-only access. We request only the employee profile data needed to run the service. We cannot write or modify anything in your Microsoft 365 environment.
  • Profile data only. We access user profiles via the Microsoft Graph API. We have no access to your documents, emails, audit logs, or other user-generated content.
  • You stay in control. All permissions are stored in your Azure portal and can be reviewed or revoked at any time from Enterprise Applications.
  • Role-based access & ringfenced API. Access is governed by user roles (admins, directory editors, end users), and every API request is served over TLS 1.2+ and ringfenced to the signed-in organization.

Data privacy

Privacy and compliance, by design

You remain the controller of your data; OneDirectory acts as your processor. We use your data solely to provide the service, and we never sell or share it.

  • GDPR, UK GDPR & CCPA/CPRA. Our Data Protection Addendum aligns with major privacy regulations and incorporates the EU Standard Contractual Clauses for international transfers.
  • Data residency options. Hosted in the United States by default, with EU and Australia regions available for customers with data residency requirements.
  • No special-category data. We process standard employee profile information only - no special categories of personal data.
  • 72-hour breach notification. In the event of a data security breach, we commit to notifying affected customers without undue delay and within 72 hours of becoming aware.
  • Return or deletion on request. On termination or request, we return or securely delete your data in line with our retention and data protection policies.

Governance

A formal, SOC 2-aligned security program

OneDirectory maintains a formal security and compliance policy framework aligned with SOC 2 and industry best practices, covering access control, secure development, incident response, risk management, operations security, business continuity, and data protection.

OneDirectory is built on enterprise-grade cloud infrastructure with no history of security breaches affecting customer data since our founding. Information security is overseen at the executive level by our CTO and CEO.

Subprocessors

The vendors we rely on

We use a small set of carefully vetted third-party vendors to deliver OneDirectory. Each undergoes due diligence and is bound by data protection obligations. No external party has access to production customer data beyond what is required to provide the service.

Subprocessor | Purpose | Data residency | Security
Microsoft | Data storage, web application hosting, backup, firewall, security | US / EU / AU | Trust center
Cloudflare | Firewall, DDoS protection, SSL/TLS encryption, CDN, DNS management | Global edge | Trust center
Fin (formerly Intercom) | Support helpdesk, in-app support, changelog, product tours | US | Trust center
Amplitude | Product analytics | US | Security

Report a security concern

We take every report seriously. If you believe you've found a vulnerability or have a security concern about OneDirectory, please get in touch with our security team and we'll respond promptly.

Resources

Security documentation

Need more detail for a vendor review or security questionnaire? Our Security Overview and Data Protection Addendum (DPA) are available on request, along with our SOC 2-aligned policy documents under NDA.


Frequently asked questions

Where is OneDirectory hosted and where is my data stored?

OneDirectory runs entirely on Microsoft Azure. Data is stored in the United States by default, with EU and Australia regions available for customers who have data residency requirements.

What data does OneDirectory access in my Microsoft 365 tenant?

We access employee profile data through the Microsoft Graph API using read-only, least-privilege permissions. We cannot write or modify anything in your environment, and we have no access to your documents, emails, audit logs, or other user-generated content. Permissions can be reviewed or revoked at any time from your Azure portal.

Does OneDirectory store passwords?

No. OneDirectory has no forms-based login. Authentication is handled entirely by Microsoft's identity platform via OpenID Connect, so we never handle or store user passwords.

How is my data encrypted?

All traffic is encrypted in transit using TLS 1.2+ with modern cipher suites. Data is encrypted at rest using 256-bit AES, backups are encrypted, and encryption keys are managed in Azure Key Vault.

Is OneDirectory SOC 2 certified?

OneDirectory maintains a formal security and compliance policy framework aligned with SOC 2 and industry best practices. Our infrastructure runs on Microsoft Azure, which holds ISO 27001/27018, SOC 1/2/3, and PCI DSS accreditations. Policy documents are available under NDA on request.

Who are your subprocessors?

We rely on a small set of vetted vendors: Microsoft (hosting, storage, backup, security), Cloudflare (edge security, DDoS, CDN, DNS), Intercom (support), and Amplitude (product analytics). Each is bound by data protection obligations under our Third-Party Management Policy.

How do I report a security issue or request your DPA?

Email security@onedirectory.com to report a security concern or to request our Security Overview, Data Protection Addendum, or other security documentation.

Have a security question?

Our team is happy to walk through our security posture, complete a vendor questionnaire, or share documentation under NDA.