Backup
What is the backup strategy in place?
Onomondo utilises AWS and other cloud-hosted services to perform regular and automated backups of our data. AWS Backup provides reliable, scalable, and secure backup solutions for our cloud resources, ensuring that our data is consistently protected and can be restored in case of an incident.
Backups are scheduled according to our data retention policies, with regular intervals that align with our business needs and compliance requirements. This ensures that we can recover data to a specific point in time, minimizing potential data loss.
Does Onomondo maintain offsite backups?
The Onomondo solution is hosted using Amazon Web Services PaaS.
Onomondo uses multi-site data centres with availability commitments to permit the resumption of Onomondo’s Services in the event of a disaster or partial outage at its primary data centre location.
Onomondo also maintains manual backups on local storage as an additional precaution. This approach ensures that, in the event of a total failure of cloud-managed services, we have a secure, offline backup available for recovery.
The local backups are securely stored, with restricted access to prevent unauthorized retrieval. We apply encryption and other security measures to protect the integrity and confidentiality of these backups
Business Continuity and Disaster Recovery
How do you ensure the continuity of the Onomondo platform?
The Onomondo Solution is deployed redundantly in primary and secondary AWS data centers in respective AWS data regions.
Onomondo has created Disaster Recovery plans to cover all four general scenarios: malicious incidents (third-party or insider threat), accidental incidents (human error), unavailability incidents (AWS outages that affect our product), or signalling incidents (signalling storms which affect our product). Onomondo’s business continuity plans are reviewed annually and updated, if necessary.
Do you perform disaster recovery tests?
Onomondo conducts testing of the business continuity and disaster recovery plans annually. Any issues identified during testing are resolved, and plans are updated accordingly. Testing of plans includes failing over a server and restoring backups.
What are the Recovery Time Objective and the Recovery Point Objective?
The Recovery Time Objective (RTO) for the Onomondo Platform is 24 hours.
The Recovery Point Objective (RPO) for the Onomondo Platform is 24 hours
Data Security
Is data encrypted at rest?
Data is encrypted at rest using AES 256.
Is data encrypted in transit?
Data is encrypted in transit using minimum TLS 1.2
How are encryption keys managed?
The key management of Service-Managed keys for data at rest encryption is performed by Amazon Web Services. The certificates used for data in transit encryption are managed using Amazon Web Services KMS by Onomondo and are subject to Onomondo’s cryptography policy.
Where is data stored?
Onomondo does not store any data onsite. Amazon Web Services data centres are used to host the services provided to customers. Storage is clustered into regions to enhance availability.
In addition to Amazon Web Services, other sub-processors store data in locations listed here.
Data may be processed and stored in sub-processing locations listed here.
What is the data retention for the data stored in the platform?
Customer data is deleted from the platform 90 after contract termination.
Identity and Access Management
How do users and administrators gain access to the application?
Onomondo supports and SSO on-boarding against Azure AD, ADFS, SAML2, WS federation, Google Authentication (OAuth 2.0), and Azure AD (OpenID Connect).
Does Onomondo Support SCIM?
No, Onomondo does not support SCIM.
Does Onomondo use Role Based Access Control?
Yes, please refer to this article on Onomondo’s knowledge base.
Is access logged?
Onomondo offers activity logs to all customers. These logs include:
- User management activity logs
- API request activity logs
- Web Sockets (WS) activity logs
- SIM VPN Sessions activity logs
These logs are available in the admin center of the customer’s tenant. To learn more about logs see here.
Incident Management
Does Onomondo have a defined cybersecurity incident management process?
In the event of such a Security Incident, Onomondo shall provide you with a detailed description of the Security Incident and the type of Personal Information concerned, unless otherwise prohibited by law or otherwise instructed by a law enforcement or supervisory authority.
Onomondo shall without undue delay (and in any event within seventy-two (72) hours) inform the affected customer in writing, whenever Onomondo reasonably believes that there has been an Information Security Incident.
Onomondo shall inform the customer with as many details as known at that time (and regularly update the customer thereafter in writing or by email followed by a written notification) setting out in reasonable detail, without limitation, the nature of the information compromised, threatened, or potentially compromised, the specific information compromised or potentially compromised and of all events which may adversely affect the Vendor’s ability to provide the Service.
Following such notification, Onomondo will take reasonable steps to mitigate the effects of the Security Incident and to minimize any damage resulting from the Security Incident.
Onomondo will assist and cooperate with affected customers with any necessary or appropriate disclosures and other investigative, remedial, and monitoring measures as a result of the security incident.
Does Onomondo have external reporting procedures in place for cybersecurity or privacy incidents?
Incident report is handled as part of our incident management process, whereby incidents impacting customers are reported to respective customers.
For privacy-specific incidents, the process is governed by the DPA to customers, and authorities are informed as required by the law.
How can incidents be reported?
Incidents can reported through Onomondo’s security@onomondo.com email.
What SLA is offered for the solution?
SLA: 99.9%, or 99.99% depending on commercial agreements.
Please see here to monitor our uptime.
Organizational Security
Does Onomondo have a cybersecurity awareness training program in place?
All employees and contractors receive mandatory general security training as part of their onboarding process. Additionally, mandatory training on security is provided annually, ensuring all employees and contractors possess at minimum knowledge that can be applied in context.
Does Onomondo have a department with oversight of information security?
The Information Security department at Onomondo is managed by the Head of Information Security. The department includes members dedicated to the areas of Technical Operations.
Does Onomondo perform background checks and screening prior to employment?
Employees whom require access to classified information undergo full background checks and information security clearance reviews with Denmark’s National Security and Intelligence Service (P.E.T.) as required by law.
Physical Security
How do you manage data center security?
Onomondo’s service data is hosted in AWS data centers. AWS supports 143 security standards and compliance certifications, including PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-3, and NIST 800-171. Please refer to this link for more details.
The data center’s physical infrastructure is operated by AWS and we rely on their data center security controls.
Access controls are implemented, including biometric controls, CCTV is active across the data center perimeters and access points are staffed with security officers.
Please refer to this link for more details on the physical security measures implemented in Microsoft Azure data centers. We monitor the compliance of these controls through independent security attestations and reports.
Have you implemented physical security controls at your offices?
Onomondo maintains a physical and environmental policy for it’s office location to ensure the security and integrity of Onomondo’s facilities and the assets located within.
Onomondo’s office is fitted with industry-standard security protection systems, with secure access controls, burglary alarms, motion detectors, CCTV, etc.
Further, visitors to secure areas are required to; sign in and out upon arrival and departure, and are escorted while in secure areas at all times.
Personal Data Types
What types of personal data does Onomondo process on behalf of customers?
Personal Master Data (Key Personal Data): username and User ID (numeric ID), permission type, user creation data, name, address, email address, phone number, IP-address, when accessing the Supplier’s portal, phone data (International Mobile Equipment Identity, IMEI lock, international mobile subscriber identity, integrated circuit card identifier),
Contact Data of Client’s employees: Email-address, phone number, position, department, organizational assignment.
Categories of Data Subjects
The Categories of Data Subjects comprise: Customers
Does Onomondo process sensitive data?
Yes, Onomondo acts as a Mobile Virtual Network Operator (MVNO) towards multiple Radio Access Networks (RANs) globally and has the responsibility to handle all signalling and data packet transfers across its entire footprint.
Onomondo services can be used in many ways in the transmission of data on behalf of IoT devices; however from a privacy perspective, it is possible to restrict and govern the processing; the control is with appropriate customer admins and product designers.
Data subjects
Whose personal data does Onomondo process?
Onomondo primarily processes customer device data. Customer device designers may choose to transmit data relating to other subjects should they wish (as a consequence of the data they aggregate), or to invite partners or customers to the Onomondo Platform.
About the Processing
How Does Onomondo process customer personal data?
Onomondo’s end-users: Onomondo processes end-users’ personal data for authentication purposes only.
Onomondo’s customer’s end-users: Onomondo processes customer’s end-user data insofar as handling said data for the purposes of handling Onomondo’s customer’s end-user’s data. Data processed by Onomondo on behalf of a Customer is at the discretion of the Customer.
Data Processing Agreement
Is there a data processing agreement with customers?
Yes, please see a copy of Onomondo’s DPA available here.
Sub-Processors
Which sub-processors are in use for the services?
A full overview of sub-processors in Onomondo’s DPA available here.
Processors or Controller
Is Onomondo a data processor or a data controller?
Onomondo acts as a data processor.
Contact
How can customers contact Onomondo’s DPO?
Attn: Jacob Jagger Head of Information Security H.C. Hansens Gade 4 2300, Copenhagen S Denmark; privacy@onomondo.com
Law Enforcement Request
Does Onomondo have a transparency report?
Onomondo can provide updated information relating to law enforcement requests for customer information upon request. As of 31/05/2025, we have received the following requests:
| Type of Request | Number of Requests | Content Data Disclosed | Non-Consent Data Disclosed |
|---|---|---|---|
| Subpoena | 0 | 0 | 0 |
| Court Order | 0 | 0 | 0 |
| Search Warrant | 0 | 0 | 0 |
| Emergency Requests | 0 | 0 | 0 |