Security and Reliability

At OpenGov, we treat the security and reliability of our cloud platform and that of the data it hosts with utmost importance. Building that level of trust with our customers is a key priority for us. Learn about our extensive security and reliability practices and comprehensive compliance controls on this page. Contact us at  for additional information, reporting vulnerabilities, or any other concerns related to assurance of OpenGov’s cloud platform.

Security and Compliance:
A Shared Responsibility

OpenGov has structured the responsibility for security and compliance of its cloud platform such that it is shared between OpenGov, OpenGov’s Cloud Provider, and OpenGov’s customer. The sharing model leans heavily by design towards OpenGov and OpenGov’s Cloud Provider assuming most of the burden for secure operation of our platform, thereby greatly minimizing the concern vectors of our customers.

OpenGov uses infrastructure provided by the world’s leading Cloud Service Providers, and maintains strategic partnership with AWS, the industry-leading provider of cloud services. Note: for Security and reliability information related to Microsoft Azure, click here. OpenGov uses infrastructure provided by Amazon Web Services (AWS), the industry-leading provider of cloud services. AWS is responsible for protecting the infrastructure, which includes the hardware, software, networking, and facilities (data centers) that run AWS cloud services.

OpenGov uses a number of AWS cloud services such as EC2 and RDS for its applications. OpenGov has designed its security infrastructure and configuration using AWS-recommended security best practices. Additional security measures are taken for the OpenGov Permitting & Licensing product suite as described here.

OpenGov’s customers are responsible for controls around Identity and Access Management to interface with OpenGov’s authentication frameworks, and appropriately analyzing and assessing the sensitivity of the data that is fed to the platform. (See this for additional information about OpenGov’s expectations on customer data.)

SOC 2 and SOC 3

OpenGov has successfully passed SOC 2 audits. An independent auditor has evaluated our product, infrastructure and policies, and certified that we meet or exceed specific levels of controls and processes for the security of user data.

The latest SOC 2 type 2 report is available upon execution of NDA. Please contact for OpenGov’s SOC 2 report.

Click here to download our latest SOC 3 report.

Capabilities In Depth

physical-environmental

Physical and Environmental

The OpenGov Cloud platform is currently provisioned in the US East (Northern Virginia) Region of AWS. Within that Region, OpenGov uses multiple Availability Zones that are interconnected with each other using low latency, high-throughput, and highly-redundant networking. You can read more about AWS global infrastructure here.
 
OpenGov has purposefully built geo-isolation between its production and pre-production (e.g. dev/test) environments. Our pre-production environments are provisioned in the US West (Oregon) Region of AWS. OpenGov personnel do not have physical access to the data centers and as such OpenGov fully inherits the physical and environmental controls from AWS. You can read more about AWS’ data center controls here. Generally speaking, AWS infrastructure and cloud services are compliant with a number of industry-standard global frameworks such as CSA, ISO, and SOC and US frameworks such as NIST and FedRAMP. You can read more about AWS compliance programs here.

monitoring-alerting

Monitoring and Alerting

OpenGov employs a comprehensive approach to monitoring and alerting, ensuring the steadfast functionality of its platform and applications. This is achieved through a meticulously integrated suite of industry-standard monitoring and alerting services, covering critical aspects such as availability, performance, security, logging, and metrics. To bolster these efforts, OpenGov partners with a reputable managed security service provider, enhancing its capabilities in threat detection and incident response. This collaboration enables optimized processes and ensures that expert operational teams are on standby 24x7 to swiftly address any emerging issues or potential security breaches.

scale

Scale

OpenGov’s applications and infrastructure are designed to scale quickly and automatically in response to workloads, allowing us to provide steady and predictable performance to our customers. OpenGov can simply provision additional compute and storage based on the requirements of our customers.

data-protection

Data Protection

At OpenGov, safeguarding customer data is our top priority. We employ a multi-layered approach to ensure the utmost security of your information at every stage. Utilizing cutting-edge technology, we encrypt your data using AES 256 encryption at rest, ensuring that even if unauthorized access is gained, your information remains unintelligible and protected.

During transit, your data is shielded by TLS 1.2 encryption, guaranteeing that any communication between your device and our servers remains confidential and secure against interception. Additionally, we reinforce our defenses by leveraging Cloudflare as our web application firewall, providing an additional layer of protection against potential threats and malicious attacks.

OpenGov's databases use a multi-AZ deployment strategy to provide enhanced availability and durability. OpenGov captures regular backups and snapshots of its databases which are stored in regional data centers at a regular cadence to be used in the unlikely event of a data loss. Data is replicated in real-time to separate data centers across the AWS and Azure availability zones, which allows OpenGov to switch to a replicated database in the event of a data center or hardware fault, limiting data loss to one minute.

application-protection

Application Protection

Application services are configured to run in isolated namespaces and containers on the cluster hosts with strict resource limits that prevent an unexpected or malicious activity in one service from affecting others. A minimum number of replicas of each service is deployed for high availability.
 
OpenGov uses Continuous Integration (CI) and an industry-leading vulnerability analysis service to continuously and automatically scan its applications for vulnerabilities at every stage of their lifecycle, especially during pre-production. All code repositories are continuously scanned for known defects and vulnerabilities, and they’re scanned again when that code is compiled into binary artifacts for distribution.
 
Additionally, OpenGov commissions an industry-leading independent third-party to conduct a penetration test of its applications and infrastructure. This test is conducted at least once a year.

network-protection

Network Protection

An industry-leading Intrusion Detection Service (IDS) is in place for continuous monitoring across multiple concern vectors: vulnerability detection, file integrity monitoring, configuration auditing, and threat-correlation. A barebones, Linux-based operating system image is used on the hosts and is continuously monitored for vulnerabilities.
 
OpenGov uses a multi-tiered strategy for the protection of its cloud infrastructure. AWS Virtual Private Cloud (VPC) technology is used for isolation of compute instances and other resources. AWS Security Groups, a form of virtual firewall, are used for inbound and outbound traffic control. Protection against Distributed Denial of Service (DDoS) relies on AWS safeguards. Pre-production assets are protected using a VPN solution.

host-protection

Host Protection

Remote access to OpenGov’s production cluster is strictly limited to OpenGov’s Engineering personnel. Each access request is approved by management on an as-needed basis, is fully audited, and granted for a limited time. Multi-Factor Authentication (MFA) is required for remote access. AWS IAM is used for fine-grained access.

authentication

Authentication and Authorization

OpenGov provides centralized identity and authenticaion/authorization support across the OpenGov cloud and its various Suites. For those governments that wish to leverage their own Enterprise Identify Provider (IdP) for authentication, OpenGov supports integration with any SAML2 compliant IdP. OpenGov supports both IdP initiated and SP initiated authentication flows.

maintenance-upgrade

Service Maintenance and Upgrade

OpenGov platform updates (whether for hardware, software, performance, or scale) are hassle-free and transparent to our customers. We offer a high-level of predictability while at the same time providing a virtually continuous stream of new features and fixes.
 
Generally speaking OpenGov updates its applications every two weeks during off-business hours. The only times we make an exception to that is to deliver “hot fixes” for critical service issues. Regardless of the hour, our maintenance activities are performed without causing any downtime.
 
OpenGov applications use feature flags for controlled rollout of new features. Our releases are not monolithic in nature: we only deploy the set of services that need to change and can roll them back individually if needed. This allows us to isolate potential issues to a specific component of one application, and prevent it from affecting the update of other applications.
 
Our releases are performed using automated job pipelines and under the supervision of a group of “release managers” who are specifically trained to ensure a high-level of discipline in change management and risk mitigation.
 
Customers can subscribe to maintenance and incident notifications at our help center.

organizational

Organizational

OpenGov's Global Security Team is responsible for the strategy, compliance, and operational monitoring of our environment. In addition to our in-house staff, we partner with an industry-leading managed security service provider for extended 24/7 detection and monitoring.

OpenGov's security strategy is grounded in the NIST Cybersecurity Framework. Our mission is to make security easy while enabling the best security practices across our people, processes, and technology. OpenGov’s policies and procedures are based on NIST 800-53 recommended controls and we are audited annually for SOC2 compliance for 5 of our product suites. A third-party penetration test and risk assessment are conducted annually to test our controls and program efficacy.

All OpenGov personnel are required to complete comprehensive information security and data privacy training upon joining and at least once yearly. A robust security awareness and phishing assessment program is also in place to keep our team members aware of prevailing threats.

technology-partners

Technology Partners

OpenGov takes a comprehensive view of security and balances it with providing a first-rate solution to its customers by partnering with industry-leading vendors and solution providers. We hold our technology partners to high standards of security, prioritizing vendors that are SOC2 compliant and integrate with Okta. We carefully review their security practices and actively work with them to continuously improve the overall security of our platform.

verified

Accreditation

OpenGov is an accredited technology partner in AWS Government Competency Program. This program recognizes OpenGov for its technical proficiency and proven customer success in delivering mission-critical workloads and applications to government customers on AWS. OpenGov undergoes an in-depth capability review, which is independently performed by AWS using its in-house expertise, every 12 months. Among other things, the review centers around OpenGov solution architecture (see AWS Well-Architected) and solution security (see AWS Security Best-Practices).