SOC 2 Controls
OTseek is SOC 2 compliant, maintains rigorous enterprise security standards across all deployments, and documents all active controls, audit and pentesting reports, and subprocessor details via our Trust Center.
SLAs and Incident Response
OTseek is highly available during trading hours for the given asset class. System health and uptime are tracked continuously via our Status Page, and organizations may subscribe to alerts via email.
| Priority | Response Time | Target RTO |
|---|---|---|
| P0 - Major disruption | 5 minutes during trading hours for asset class | 30 minutes |
| P1 - Minor disruption | 1 hour during trading hours for asset class | 2 hours |
| P2 - Bug or feature request | 1 day during trading hours for asset class | N/A |
Major disruptions automatically trigger service credits, as defined by your organization’s specific agreement with OTseek.
Disaster Recovery and Business Continuity
OTseek conducts regular disaster recovery exercises and will work with your organization to define acceptable business continuity plans, with our primary focus being availability of OTseek during trading hours.
OTseek maintains warm standby multi-region failover capabilities in the event of cloud provider regional outages for both multi-tenant and single-tenant deployment configurations.
| Primary Region | Failover Region | Target RTO |
|---|---|---|
| AWS us-east-1 (N. Virginia) | AWS us-east-2 (Ohio) | 30 minutes |
| Azure East US (Virginia) | Azure East US 2 (Virginia) | 30 minutes |
| GCP us-east4 (Ashburn, VA) | GCP us-east5 (Columbus, OH) | 30 minutes |
Audit Logging
OTseek maintains robust audit logging, which can be made available upon request to your organization’s security and/or legal and compliance teams. All OTseek data, including audit logs, are encrypted in transit (TLS 1.3+) and at rest (AES-256).
- Access: Successful and unsuccessful login attempts, including diagnostic metadata
- RBAC: Ledger of all RBAC actions within the organization, including user lifecycle management
- Activity: Fine-grained platform activity taken at the user level
OTseek maintains default audit log retention windows, which can be adjusted to meet your organization’s security and compliance needs. Zero data retention (ZDR) options are also available upon request.
Software Development Lifecycle (SDLC)
OTseek implements security controls that apply to all personnel involved in software development, DevOps, and infrastructure management and that cover all production applications and internal tools. The following minimum controls are active at OTseek, and full policies are available upon request.
- Mandatory Peer Code Review, Secret & Dependency Scanning, Environment Separation
- Automated SAST, Formal Design Reviews, Continuous Penetration Testing
- Security by Design, Secure Coding Standards (OWASP Top 10)
- Third-party Dependency Scanning, Data Purge, Secret Revocation, Asset Inventory