Guide to Handling of Customer Data
Document Overview
This document describes the handling of data of OneShot.ai customers, with specific focus on security of potentially sensitive information. This document is intended for customers, prospective customers and related interested parties. For additional information, please contact infosec@oneshot.ai
By design there are no connections between OneShot systems and infrastructure and those of the customer that hold business records, sensitive data or any other information belonging to the customer.
OneShot API Calls
Once the user logs-in to Oneshot through Salesforce login, Oneshot issues a JWT token which expires in 60 minutes which the customer can specify to our platform. This is going to be used as an authorization token which will authorize the user to make API calls against the Oneshot system from Oneshot User interface (UI).
Once the system authorizes the user, the system would internally fetch the access tokens that the user has given access to their CRM, Outreach, Email(Gmail/Outlook) and by using those tokens the API requests would be made from Oneshot backend systems. None of those access tokens are exposed to the clients.
All network traffic runs over SSL/HTTPS, the most common and trusted communications protocol on the Internet.
CRM
Users connects to the OneShot interface via their Salesforce login information. A user is created in the Oneshot system with the users email address, username and OAuth access tokens. This allows Oneshot to make secure API calls against the users CRM account.
OneShot adheres to industry standard security practices defined by Salesforce’s official OAuth process:
https://help.salesforce.com/articleView?id=remoteaccess_oauth_flows.htm&type=5
Customers have to specify how they track paying customers and how their products sold => Oneshot stores metadata information Account objects field’s name (ActiveARR__c). Oneshot pulls all the accounts whose value is greater than 0.0 for this field on the Account. Oneshot does not store to disk any CRM data belonging to the customer. OneShot will pull in real-time fresh relelevent CRM information from the customers CRM upon every new log-in.
For optimum performance this information is cached IN MEMORY(RAM) with a time to live of 60 min and is automatically erased in Oneshot. This ensures OneShot limits API requests against Salesforce but ensures instantaneous performance for the user in-session. OneShot does have capacity to turn off caching if requested by the customer although this may result in performance degradation during user sessions.
All other CRM requests are pulled in real time and not stored or cached in any way stored in anyway.
Outreach / Email
A user connects their Outreach’s account or Email account(Gmail or Outlook) with Oneshot. This is secured by industry standard OAuth process and Oneshot stores the access tokens to be able to make API calls to Outreach and/or email on the user’s behalf.
When the rep sends email to any contact from Oneshot platform, we would store the information of which company and which contact but not the actual email content.
Infrastructure
OneShot uses Amazon public cloud AWS instances for application servers and Cloud MongoDB (Atlas) for databases. These data centers provide physical security 24/7, state of the art fire suppression, redundant utilities and biometric devices to ensure that OneShot customers data is perpetually safe and secured.
During the set-up and configuration of OneShot for the customer these instances can be chosen based on the customers geographic requirements i.e. US, Europe, Asia to comply with data sovereignty requirements. API access tokens are stored in the OneShot cloud MongoDB Atlas. The access is limited to only approved designated employees. All approved designated employees must complete OneShot InfoSec training prior to being certified as approved for access
GDPR Logging
OneShot is committed to ensuring ongoing compliance with the General Data Protection Regulation (GDPR). OneShot does not log any customer sensitive data or personal information into OneShot systems and fully complies with GDPR requirements.