
Ondox Security & Compliance Overview (EU)

Last Revised: 9 May 2025

Technical Controls

Introduction

Lithe IT Ltd is committed to providing a secure, compliant, and reliable AI-driven digital mailroom solution, Ondox. Security is integrated into every layer of the platform to protect customer data and ensure compliance with industry standards. This document describes our European cloud environment, available at https://eu.ondox.ai.

Hosting & Infrastructure Security

  • Cloud Provider: Ondox is hosted by Microsoft Azure in West Europe and North Europe regions.
  • Data Centers: Our data centers are certified with ISO 27001, Cyber Essentials, SOC 2, and other industry-recognized security standards.
  • Network Security: We implement multiple firewall layers, DDoS protection, and intrusion detection systems to prevent unauthorized access.
  • Replication & Redundancy: We utilize Azure replication technologies to enhance availability and resilience, removing single points of failure.
  • Antivirus & Malware Protection: Ondox employs advanced threat detection, antivirus scanning, and endpoint protection to safeguard against malware and cyber threats.
  • Patching: Automated deployment of security and critical patches, with alerting.
  • Encryption:
    • Data at Rest: All customer data is encrypted using AES-256.
    • Data in Transit: Encrypted using TLS 1.3 to ensure secure communication.

Secure Software Development

  • Source Code Security: Ondox leverages Veracode to conduct automated static code analysis and ensure that our application remains secure throughout the development lifecycle.
  • OWASP Top 10 Training: Our development team is trained in secure coding practices, including adherence to the OWASP Top 10 security risks, ensuring best practices are followed to mitigate common vulnerabilities.

Customer Data

  • Customer data is stored in dedicated databases, fully segregated from other customers' data, with documents stored in dedicated storage accounts.
  • All data is encrypted at rest using Transparent Data Encryption (TDE), with customer-dedicated encryption keys managed in Azure Key Vault using Microsoft-managed keys.
  • Storage options are available in the UK for data at rest.

Access & Identity Management

  • Multi-Factor Authentication (MFA) is enforced for all administrative access.
  • Role-Based Access Control (RBAC) ensures users only access necessary data.
  • Single Sign-On (SSO) & OAuth 2.0 integration with Microsoft and other identity providers.
  • IP Whitelisting: Available for customers who wish to restrict logins to specific IP addresses.

Compliance & Certifications

Ondox adheres to industry-leading security and privacy regulations, including:

  • ISO 27001 – International security management standard
  • Cyber Essentials – government-backed certification of protections in place against common cyber threats
  • SOC 2 Type II – Independent audit for security, availability, and confidentiality
  • CCPA Compliance – Ensuring data protection for North American customers

Data Privacy & Protection

  • Data Residency: Customer data is stored in the EU only (West and North Europe regions), unless there is a specific request to store documents at rest in the UK.
  • Data Processing Agreement (DPA): Available for customers requiring compliance documentation.
  • Regular Security Audits & Vulnerability Testing: Ondox undergoes independent penetration testing by a CREST-certified provider at least annually to identify and remediate potential security risks. Reports are available to customers on request.

Logging & Monitoring

  • Security Logging: Comprehensive logs are collected, monitored, and stored for security event tracking and forensic analysis.
  • Log Retention: System and security logs are retained in accordance with compliance requirements.
  • 24/7 Security Monitoring & Alerts: Continuous monitoring for security threats and anomalies.

Availability & Business Continuity

  • 99.9%+ Uptime SLA backed by our resilient cloud architecture.
  • Automated Backups & Disaster Recovery: Regular data backups with geographically redundant storage.

Incident Response & Monitoring

  • 24/7 Security Monitoring: Continuous threat detection and logging.
  • Incident Response Plan: In place to quickly respond to and mitigate security threats.
  • Responsible Disclosure Policy: Security researchers can report vulnerabilities securely.

Information Security Incidents

All Information Security Incidents are managed in line with Lithe's Information Security Management Policy. This policy, along with all contributing functions, is reviewed annually in line with our commitments to the ISO 27001 and SOC 2 Type II frameworks.

Raising an Information Security Incident – External into Lithe

Lithe acknowledges that Information Security Incidents are not always clear from the outset and therefore provides control measures for both apparent and non-apparent events.

  • Non-apparent: Non-apparent Information Security Incidents are often considered by the end user to be an incident of another nature (for example, but not limited to, an access control or functionality issue). In such cases the incident should be raised to Lithe's support team using the methods explained in Lithe's support handover documentation.
  • Apparent: Clear and apparent Information Security Incidents are those where there is a clear perception or concern of a potential breach or omission of expected security procedures, legislation, or controls.

Where an apparent Information Security Incident is raised, it should be treated as a "Critical Incident" and raised using the critical incident process described in Lithe's support handover documentation.

Investigation

Upon receipt, discovery, or alert of any Information Security Incident (perceived or validated), the incident is managed and controlled in line with Lithe's Information Security Incident Process.

The steps of this process are detailed below:

  1. Incident received, discovered, or alerted.
  2. Incident raised to the Information Security Manager (In Absence the Chief Technology Officer).
  3. Incident reviewed and investigation started to gather information and validate incident in progress.
  4. Information Security Committee meeting is formed to review and analyse incident and findings.
  5. If resolution or remediation actions are required, the Committee agrees an owner and the actions.
  6. If no resolution or remediation actions are required, the Committee agrees the incident owner (usually the Information Security Manager).
  7. External Communication agreed by Committee members to affected parties and issued.
  8. Where actions are required, the Committee reviews and confirms close or agrees further actions to close the incident (Repeat until incident closes).
  9. Incident root cause completed.
  10. Incident lessons learned document produced and shared with committee members.
  11. Where the incident requires legislative or regulatory notification (e.g. logging with the ICO), the report is completed.
  12. Incident closed on Lithe's Risk Register.

Lithe Communication

Lithe acknowledges that communication during Information Security Incidents is important, and that such communication needs to be accurate and to contain factual information where known.

Lithe commits to providing the following communications during any Information Security Incident:

  • Incident acknowledgement
  • Confirmation of Incident being investigated
  • Confirmation of Information Security Committee expected time to resolve and investigate
  • Conclusion report (including root cause analysis and future actions if applicable) for all closed Information Security Incidents.

Confidential Information Security Incident Reporting

Lithe acknowledges that in some instances the raising of an Information Security Incident may need to be confidential. As such Lithe manages these occasions under Lithe’s whistleblowing policy.

Confidential Information Security Incidents should be raised by email to whistleblowing@ondox.ai. Upon receipt the steps detailed above are engaged.

**Lithe acknowledges that the nature of confidential reporting may limit the ability to communicate with all parties, as not all parties may be known. The Information Security Committee will consider the communication steps for all impacted parties during its meeting.**
