OpenGov Cloud Citizen Services Security and Reliability

At OpenGov, we treat the security and reliability of our cloud platform, and of the data it hosts, with the utmost importance. Building that level of trust with our customers is a key priority for us. This page describes our security and reliability practices and our compliance controls. Contact us at  for additional information, reporting vulnerabilities, or any other concerns related to assurance of OpenGov’s cloud platform.

Security and Compliance: A Shared Responsibility

As the infographic below shows, OpenGov has structured the responsibility for security and compliance of its cloud platform so that it is shared between OpenGov, OpenGov’s Cloud Provider, and OpenGov’s customer. By design, the sharing model places most of the burden for secure operation of the platform on OpenGov and OpenGov’s Cloud Provider, leaving customers with a small, well-defined set of responsibilities.

OpenGov Citizen Services uses infrastructure provided by Microsoft Azure, an industry-leading provider of cloud services trusted by thousands of companies and governments, including the California Department of Social Services, the Florida Department of Environmental Protection, and the U.S. Air Force. Azure is responsible for protecting the infrastructure, which includes the hardware, software, networking, and facilities (data centers) that run Azure cloud services.

OpenGov uses a number of Azure Cloud Services such as Web Apps and Azure SQL for its applications. OpenGov has designed its security infrastructure and configuration using Azure-recommended security best practices.

OpenGov’s customers are responsible for controls around Identity and Access Management that interface with OpenGov’s authentication frameworks (for example, provisioning and deprovisioning their own users and assigning roles), and for analyzing and assessing the sensitivity of the data they feed to the platform. (See OpenGov’s guidance on customer data for additional information about OpenGov’s expectations.)

Capabilities In Depth


Physical and Environmental

The OpenGov Cloud platform is currently provisioned in the US East (Virginia) Region of Azure, which offers high speed and availability across the United States. See Azure’s web service SLA here.
 
OpenGov personnel do not have physical access to the data centers and as such OpenGov fully inherits the physical and environmental controls from Azure. You can read more about Azure’s data center controls here.
 
Generally speaking, Azure infrastructure and cloud services are compliant with a number of industry-standard global frameworks such as CSA, ISO, and SOC and US frameworks such as NIST and FedRAMP. You can read more about Azure compliance programs here.


Scale

OpenGov’s applications and infrastructure are designed to scale quickly and automatically in response to workload, allowing us to provide steady and predictable performance to our customers. OpenGov can provision additional compute and storage based on the requirements of our customers.


Monitoring and Alerting

OpenGov assures reliable operation of its platform and applications using a tightly-integrated suite of industry-standard monitoring and alerting services (e.g. for availability, performance, security, logging, and metrics). These services are supported by optimized processes and expert operational teams that are available 24x7.


Data Protection

OpenGov serves its platform over HTTPS using Transport Layer Security (TLS), an IETF standard cryptographic protocol, to protect the confidentiality and integrity of data in transit between the user’s browser and the platform. TLS is the standard mechanism for “encryption in transit” in internet communications and online transactions (e.g. by financial institutions).
 
Data stored in the OpenGov platform is encrypted “at rest” in the databases and storage using AES-256 (Advanced Encryption Standard with 256-bit keys). AES is the block cipher specified and approved by NIST in its FIPS 197 publication.
 
OpenGov Citizen Services’ databases are customer-specific, so each customer’s data is isolated from other customers’ data at the database level rather than only by application logic.


Application Protection

Application services and databases are configured to run in elastic containers with strict resource limits, so that runaway or malicious resource consumption in one service cannot starve the others. A minimum number of replicas of each service is deployed for high availability, and the number of replicas increases automatically under high traffic to maintain fast performance.
 
OpenGov uses Continuous Integration (CI) and an industry-leading vulnerability analysis service to continuously and automatically scan its applications for vulnerabilities at every stage of their lifecycle, especially during pre-production. All code repositories are continuously scanned for known defects and vulnerabilities.


Host Protection

Remote access to OpenGov’s production cluster is strictly limited to OpenGov’s Engineering personnel. OpenGov Citizen Services uses Azure Managed App Services, which provide built-in, around-the-clock malware protection for the hosts.
 
Minimal Linux-based or Windows-based operating systems are used on the hosts. They are continuously monitored for vulnerabilities and are updated with security patches as soon as those patches are released, without customer-visible disruption.


Authentication and Authorization

OpenGov offers Single Sign-On (SSO) and platform-local authentication mechanisms to its customers. In the latter scenario, OpenGov Citizen Services leverages an industry-leading security platform for authentication. The Citizen Services product suite uses Role-Based Access Control (RBAC) to authorize authenticated users to access and manipulate subsets of application data.
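The two statements above (customer-specific databases in the Data Protection section, and RBAC over subsets of application data here) combine into one authorization rule: a request is allowed only if the caller belongs to the same customer as the record and holds a role that grants the requested action on that kind of record, with everything else denied by default. The following is an added illustration written for this page, not OpenGov’s code; the role names, resource types, actions and sample records are assumptions chosen for the example.

```python
"""Tenant-scoped role-based access control with default deny.

Constructed illustration for this page; not OpenGov's implementation.
Role names, resource types, actions and sample data are assumptions.
"""
from dataclasses import dataclass

# Role -> set of (resource_type, action) the role grants.
# Anything not listed here is denied: there is no "allow" fallback.
ROLE_PERMISSIONS = {
    "viewer": {("permit", "read")},
    "clerk": {("permit", "read"), ("permit", "update")},
    "admin": {
        ("permit", "read"), ("permit", "update"), ("permit", "delete"),
        ("user", "read"), ("user", "update"),
    },
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str          # the customer the authenticated user belongs to
    roles: frozenset        # roles assigned within that customer only


@dataclass(frozen=True)
class Resource:
    resource_type: str
    resource_id: str
    tenant_id: str          # the customer whose database holds the record


def decide(principal: Principal, resource: Resource, action: str) -> tuple:
    """Return (allowed, reason). The reason is meant for the audit log,
    so denials can be investigated without re-running the check."""
    # Tenant isolation is checked first and independently of roles:
    # an admin in one customer has no standing in another customer's data.
    if principal.tenant_id != resource.tenant_id:
        return False, "cross-tenant access denied"
    needed = (resource.resource_type, action)
    for role in principal.roles:
        # Unknown roles (typos, stale assignments) grant nothing.
        if needed in ROLE_PERMISSIONS.get(role, set()):
            return True, f"granted by role '{role}'"
    return False, f"no role grants {action} on {resource.resource_type}"


def is_authorized(principal: Principal, resource: Resource, action: str) -> bool:
    return decide(principal, resource, action)[0]


def visible(principal: Principal, resources, action: str = "read") -> list:
    """Filter a candidate list down to the subset the caller may act on.
    This is the 'subsets of application data' idea applied to a listing."""
    return [r for r in resources if is_authorized(principal, r, action)]


# Constructed sample data: two customers, one user in each.
PERMIT_A = Resource("permit", "P-100", tenant_id="city-a")
PERMIT_B = Resource("permit", "P-200", tenant_id="city-b")
USER_A = Resource("user", "U-7", tenant_id="city-a")

CLERK_A = Principal("alice", "city-a", frozenset({"clerk"}))
ADMIN_B = Principal("bob", "city-b", frozenset({"admin"}))
STALE_A = Principal("carol", "city-a", frozenset({"legacy-role"}))


if __name__ == "__main__":
    for who, what, act in [
        (CLERK_A, PERMIT_A, "update"),   # same tenant, role permits: allow
        (CLERK_A, PERMIT_A, "delete"),   # same tenant, role lacks action: deny
        (ADMIN_B, PERMIT_A, "read"),     # admin, but wrong tenant: deny
        (STALE_A, PERMIT_A, "read"),     # role not in the policy table: deny
    ]:
        print(who.user_id, act, what.resource_id, decide(who, what, act))
```

The ordering matters: the tenant comparison runs before any role lookup, so a role-mapping mistake can never widen access across customers, and every denial carries a reason string that belongs in the audit trail alongside the user, tenant and resource identifiers.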


Service Maintenance and Upgrade

OpenGov platform updates (whether for hardware, software, performance, or scale) are hassle-free and transparent to our customers. We offer a high level of predictability while at the same time providing a virtually continuous stream of new features and fixes.
 
Generally speaking, OpenGov updates its applications every two weeks during off-business hours. The only time we make an exception to that is to deliver “hotfixes” for critical service issues.
 
Our releases are generally performed using the blue / green deployment strategy for zero-downtime, easy-to-rollback releases.
 
Our releases are not monolithic in nature: we only deploy the set of services that need to change and can roll them back individually if needed. This allows us to isolate potential issues to a specific component of one application, and prevent it from affecting the update of other applications.
 
Our releases are performed using automated job pipelines and under the supervision of a “release manager” who is trained to ensure a high level of discipline in change management and risk mitigation.
 
Customers can subscribe to maintenance and incident notifications at our resource center, as outlined in Keeping up with OpenGov.


Organizational

OpenGov’s policies and procedures are based on the controls recommended in NIST SP 800-53. All OpenGov personnel are required to complete purpose-built information security and data privacy training upon joining and at least once yearly. Even though security is treated as a shared, cross-functional responsibility, a dedicated operational team under the supervision of an Information System Security Officer oversees the entire security and compliance program at OpenGov.


Third-Party Vendors

OpenGov takes a comprehensive view of security and balances it with delivering a first-rate solution to its customers by partnering with industry-leading vendors and solution providers. We hold our technology partners to high standards of security, review their security practices carefully, and work with them actively to continuously improve the overall security of our platform.