Trust Starts with Transparency
At OneTouch Leasing, we build trust through security, resilience, privacy, and compliance. Protecting your data along with the systems and services that power our lease accounting platform is central to everything we do, and we are committed to being transparent about how we safeguard it.
We continuously improve our practices to stay ahead of evolving risks. If you have any questions or concerns, or would like more information such as audit reports or documentation, please contact us at support@onetouchleasing.com.
We safeguard our systems with layered controls that minimise risk and keep operations secure.
Acceptable Use
Requirements for handling and storing information assets and acceptable use of company systems are formally defined.
Access Administration
Customers can administer their own user access (including timely removal), configure password settings and MFA, and maintain user access rights.
Code Management
Development follows a secure Software Development Life Cycle (SDLC), using automated build and deployment pipelines. Security checks, code reviews, and testing are built into every stage, ensuring quality, compliance, and resilience from development to production.
Endpoint Security
Defined security baselines, patching, and anti-malware controls are enforced on company-managed devices.
Hosting and Perimeter Security
The platform is hosted on Amazon Web Services (AWS), with perimeter protections, firewalls, and continuous monitoring in place.
Incident Response
Documented incident response procedures define clear roles and responsibilities, escalation paths, containment, investigation, corrective actions, and post-incident reviews. These are tested at least annually.
Passwords and Authentication
Strong password policies include account lockouts, inactivity timeouts, and credential rotation where appropriate. Multi-Factor Authentication (MFA) is mandatory for staff access. The principle of least privilege is applied with quarterly access reviews and prompt revocation upon exit.
Penetration Testing
Independent penetration testing is performed regularly, with all identified findings prioritised, remediated, and tracked through to verified closure.
Secure Remote Access
All remote connections to OneTouch Leasing networks and systems are encrypted, monitored, and controlled by zero-trust principles. Every access attempt is authenticated, authorised, and logged to ensure security, compliance, and full traceability.
Single Sign-On (SSO)
OneTouch Leasing supports secure user authentication through Single Sign-On (SSO) using OpenID Connect (OIDC), integrating seamlessly with leading corporate identity providers such as Microsoft Entra (Azure AD), Okta, and OneLogin.
Vulnerability Management
Regular vulnerability scanning is conducted. Identified risks are prioritised and remediated based on severity to ensure proactive protection and ongoing compliance.
We design our platform for resilience and availability, so your operations remain uninterrupted even in the face of disruption.
Architecture
Our platform is designed in line with the AWS Well-Architected Framework, employing high-availability strategies to maximise uptime and resilience. The architecture leverages multiple Availability Zones, redundancy, autoscaling, and load balancing to ensure consistent performance.
Backups
Regular encrypted backups are stored across multiple geographically separate locations. These are monitored and periodically tested by restoration.
Business Continuity Planning (BCP)
Comprehensive BCP ensures resilience during unexpected events. Plans are regularly reviewed and tested to minimise disruption.
Disaster Recovery (DR)
Critical systems and data can be rapidly restored through a globally distributed disaster recovery framework. Redundancy, automated backups, and regular recovery testing provide strong protection against downtime and data loss.
Monitoring and Logging
Centralised logging and real-time alerting enable rapid detection, response, and resolution of performance, availability, and security events.
We handle personal and customer data with the highest care, ensuring it is protected, compliant, and used responsibly. Please refer to our Privacy Policy for more details.
Classification and Handling
Clear policies and guidelines govern information classification (e.g., Public, Internal, Confidential), with controls for storage, access, and disclosure.
Encryption
Data at rest and in transit is encrypted. Encryption key management follows documented standards and best practices.
Retention and Disposal
Data retention and disposal requirements are defined. Customer data is securely deleted at the end of a subscription, with the option to return customer data upon request.
Secrets Management
Credentials and keys are managed using approved mechanisms with restricted access and rotation.
SOC 2
Our SOC 2 Type 2 audit verifies that customer data is managed securely, with controls designed and operating effectively to protect confidentiality, integrity, and privacy.
Sovereignty
Customer application data is stored and processed exclusively in secure AWS regions aligned with applicable regulatory and data residency requirements. Data residency controls and encryption safeguards ensure customer data remains within its designated jurisdiction.
Use of AI & ML
AI/ML features are subject to user review and confirmation. Any data used for model improvement follows our data protection and security controls.
We uphold industry standards through independent audits and strong internal policies that promote accountability and trust.
Accessibility Commitment
OneTouch Leasing is committed to providing inclusive access to our applications and website. We align our efforts to the Web Content Accessibility Guidelines (WCAG) to improve accessibility for people with disabilities. If you need assistance or wish to provide feedback, please contact our support team.
Background Checks
All OneTouch Leasing employees undergo pre-employment background checks, carried out in line with internal policy and local employment law.
Change Management
All changes are documented, tested, peer-reviewed, and independently approved prior to deployment. A strict separation is maintained between development/testing and production.
Information Security Governance
Security policies and standards are maintained with periodic reviews and oversight by senior leadership.
SOC 2
We operate under the SOC 2 framework, with independent auditors attesting that our controls are fairly presented, suitably designed, and effective. Reports are available to customers and prospects under confidentiality agreements.
Third Party Risk
Vendors are subject to security due diligence, contractual safeguards, and ongoing monitoring, with periodic reviews to ensure compliance with our security and risk management requirements.
Training and Awareness
Staff receive security training at onboarding and periodically, with policy acknowledgment required.