
Ondox Security & Compliance Overview (EU)

Last Revised: 13 March, 2026

Security & Technical Controls

Enterprise-Grade Security for the Ondox Platform (EU)

Ondox Limited provides a secure digital mailroom and AI-driven document processing platform designed for document-intensive organisations operating across Europe.

Security is embedded into every layer of our architecture — from cloud infrastructure and encryption to access management and application design — ensuring sensitive information remains protected and compliant with European regulatory requirements.

This overview applies to our European cloud environment hosted at:
https://eu.ondox.ai

Secure Cloud Infrastructure

Ondox is hosted on Microsoft Azure within the West Europe and North Europe regions, leveraging enterprise-grade infrastructure aligned to internationally recognised security standards.

Our infrastructure includes:

  • Multi-layered firewall protection
  • DDoS mitigation and intrusion detection
  • High-availability architecture with replication and redundancy
  • Automated security patching with monitoring and alerting
  • Advanced threat detection and malware protection

We remove single points of failure and continuously monitor for security risks.

Encryption & Data Protection

Customer data is protected at every stage of its lifecycle.

  • Data at Rest: AES-256 encryption
  • Data in Transit: TLS 1.3 encryption
  • Dedicated and segregated customer databases
  • Encryption keys securely managed within Azure Key Vault
  • Optional UK data residency for data at rest

Customer environments are logically segregated. Ondox does not commingle customer data.

Access & Identity Management

Access to the Ondox platform is governed by strict identity and role-based controls.

  • Multi-Factor Authentication (MFA)
  • Role-Based Access Control (RBAC) aligned to least-privilege principles
  • Single Sign-On (SSO) and OAuth 2.0 integration
  • Optional IP whitelisting

Users only access the information necessary for their role.

Secure Software Development

Security is integrated throughout our development lifecycle.

  • Automated static code analysis using Veracode
  • Secure coding practices aligned to OWASP Top 10
  • Ongoing vulnerability management
  • Annual independent penetration testing by a CREST-certified provider

Security testing is continuous and proactive.

Compliance & Certifications

Ondox aligns with recognised European and international security standards, including:

  • ISO 27001
  • SOC 2 Type II
  • Cyber Essentials
  • GDPR-aligned data protection practices

Compliance documentation and security reports are available upon request.

Data Privacy & Residency

  • Customer data is stored within EU Azure regions (West Europe and North Europe)
  • UK storage options available upon request
  • Data Processing Agreements (DPAs) available for customers
  • Regulatory notifications handled in accordance with applicable European legislation

Ondox is designed to support organisations with strict European data residency and privacy requirements.

Monitoring, Logging & Auditability

Transparency is central to the Ondox platform.

  • Comprehensive security logging
  • Continuous 24/7 monitoring
  • Log retention aligned to compliance obligations
  • Full document lifecycle audit trails

All document activity is traceable and reviewable.

Availability & Business Continuity

Ondox is architected for operational resilience.

  • 99.9%+ uptime SLA
  • Automated backups
  • Geographically redundant disaster recovery
  • Azure-based replication for high availability

Business continuity planning is embedded into our cloud infrastructure.

Incident Response & Responsible Disclosure

Ondox maintains a formal Incident Response Plan aligned with ISO 27001 and SOC 2 frameworks.

All security incidents are:

  • Promptly investigated
  • Escalated to appropriate security leadership
  • Managed through structured remediation processes
  • Communicated transparently to affected parties
  • Documented with root cause analysis and corrective actions

Where required, regulatory reporting (including GDPR-related notifications) is completed in accordance with applicable legislation.

Security concerns can be reported confidentially to:
whistleblowing@ondox.ai

All reports are handled in accordance with our formal incident response procedures.

Built for Control

Ondox is designed for organisations that require:

  • Secure document handling
  • European data residency
  • Clear governance
  • Full auditability
  • Enterprise-grade reliability

Security is foundational to how the platform operates — not an add-on.
