§ — Security & Trust

Built for the teams you sell to.

Your calls are some of the most sensitive artifacts in your business — every name, number, objection, and unguarded moment is in there. Here's exactly how we protect them.

AES-256 at rest
TLS 1.3 in transit
Row-level tenant isolation
SOC 2 Type II · In audit
GDPR · CCPA · PIPEDA
No AI training on your data

Four principles.

Security is not a feature list — it's a set of commitments you can check against behavior. These four are the ones we'd want to see from a vendor handling our own sales calls.

§ 01

Your data is yours.

You own it, you control it, you can export or delete it in a click. We don't sell it, we don't train AI on it, we don't share it with anyone we haven't disclosed.

§ 02

Encrypt everything.

AES-256 at rest across every database and backup. TLS 1.3 in transit across every hop. Secrets in a managed vault with per-environment rotation.

§ 03

Least privilege.

Engineers don't have standing access to customer data. Production access is just-in-time, approved, logged, and time-boxed. MFA is required everywhere.

§ 04

Tell the truth.

If something breaks, you'll hear about it from us within 72 hours of confirmed impact — not from a news article. No spin, no lawyer-talk.

The controls.

The specific technical and organizational measures we have in place. Customers on Enterprise can request detailed evidence for each row as part of a vendor review.

Encryption at rest · Live
AES-256 across primary databases, object storage, and backups. Managed keys, rotated quarterly, with separate KMS per environment.

Encryption in transit · Live
TLS 1.3 enforced on all customer-facing endpoints and internal service-to-service calls. HSTS preloaded. Weak ciphers disabled.

Tenant isolation · Live
Row-level isolation enforced at the ORM, database, and policy layers. Every query is scoped to a workspace ID. No cross-tenant queries are possible by construction.

Authentication · Live
Email + password with Argon2id hashing. SSO via SAML 2.0 and OIDC (Okta, Entra ID, Google Workspace). Optional MFA via TOTP or WebAuthn.

Access control · Live
Role-based access (Admin / Manager / Rep / Viewer). Granular workspace roles and team scoping. Full audit log exportable to SIEM for Enterprise.

Employee access · Live
No standing production access. Requests are logged, approved by a second engineer, time-boxed, and auto-revoked. MFA + SSO required for all staff systems.

Network & infrastructure · Live
Hosted on AWS (us-east-1, eu-west-1). Private VPCs, WAF, rate limiting, DDoS protection at the edge. Infrastructure-as-code; no manual production changes.

Application security · Live
Static analysis, dependency scanning, and secret scanning on every commit. Weekly automated vulnerability scans. Annual third-party penetration test.

Backups & recovery · Live
Encrypted backups every hour; 35-day rolling retention. Tested restore quarterly. RPO ≤ 1 hour · RTO ≤ 4 hours for Enterprise.

Logging & monitoring · Live
Centralized, tamper-evident logs across application, infrastructure, and access layers. Real-time alerting to on-call engineers with a 15-minute acknowledgment SLA.

Vendor management · Live
All sub-processors undergo security review. DPAs signed with every one. Annual re-review. Public list maintained on the Sub-processors page.

SOC 2 Type II · In audit · Q2 2026
Audit underway with a Big Four firm. Observation period ends Q2 2026. Report available under NDA through Enterprise sales on completion.

ISO 27001 · On roadmap
On the roadmap following SOC 2 issuance. Targeting certification in 2027.

HIPAA / BAA · On request
Not currently supported. Our customers do not typically process protected health information through sales calls. Enterprise HIPAA support is on a per-deal basis.

Data residency · Live
Default region: United States. EU-only residency (Ireland) available on the Enterprise tier. Canadian residency available for customers subject to PIPEDA constraints.

If something breaks.

Every vendor has incidents eventually. What matters is the clock that starts ticking the moment one is confirmed. Here's ours.

T + 0

Detection.

Automated monitoring or a report triggers an alert. On-call engineer acknowledges within 15 minutes, 24/7.

T + 1h

Containment.

Immediate isolation of affected systems. Incident commander assigned. Customer-impacting status posted to status.oneclickcoaching.com.

T + 24h

Scope confirmed.

Forensic analysis of blast radius: which customers, which data, what was exposed vs. read vs. exfiltrated.

T + 72h

Customer notification.

Affected customer admins notified directly by email & phone, with specifics. Regulatory notifications triggered where required.

T + 2 wk

Public post-mortem.

Written post-mortem shared with affected customers: root cause, timeline, what we changed. No spin.

Responsible disclosure.

Security researchers: thank you. We welcome reports and we don't sue the people who help us. Here's how to reach us and what you can expect.

§ — Report a vulnerability

security@oneclickcoaching.com

Encrypt sensitive details with our PGP key (fingerprint 4A3D · 8B2F · 9E1C · 7D4A · 5F6B · E2C8 · 1A9D · 3F4E · 8C7B · 2D5A).

  • We acknowledge within 24 hours.
  • Initial assessment within 5 business days.
  • Fix timeline depends on severity, communicated back to you.
  • Credit in our hall of fame (opt-in) on resolution.

§ — Safe harbor

No legal action. Promise.

If you act in good faith and abide by the rules below, we commit not to pursue or support any legal action against you.

  • No automated scanning that degrades the Service.
  • No accessing customer data beyond the minimum needed to demonstrate the bug.
  • No social engineering of our staff or customers.
  • No public disclosure for 90 days or until we've fixed it, whichever comes first.
  • Use only test accounts you've created, not real customers'.

For your vendor review.

These documents are available on request to Enterprise customers evaluating us, usually in an afternoon rather than a quarter.

01 · SOC 2 Type II report · Available Q2 2026 · Under NDA
02 · Standard DPA with SCCs · PDF, 14pp · Request
03 · Security whitepaper · PDF, 22pp · Request
04 · Penetration test summary · Most recent: Q4 2025 · Under NDA
05 · Business continuity plan · PDF, 9pp · Request
06 · Vendor questionnaire (SIG Lite) · Pre-filled · Request