Obo Risk Mitigation



Security Responsibilities

While security is the responsibility of all employees, the CTO is ultimately responsible for defining Obo security policies and operations. All security reviews, audits, scans, policy enforcement, and incident responses are driven by the CTO.


Security Policy & Training

Obo has policies for acceptable encryption, clean desk, email, passwords and customer data. In addition, every employee is required to attend an annual Obo Security training session provided by the CTO, and monitored by all Obo executive staff. All employee laptops are strictly monitored by the Obo asset management plan.


Secure Architecture

The Obo application is multi-tenanted. Data is always encrypted at rest or in flight. Obo utilizes AWS instances, with a RDS 256 bit AES encrypted database. We employ Auth0 to manage all Obo authentication (MFA, SSO, etc…). SonarQube scans Obo application code on every code release.


Application Security

OWASP Zap scans Obo production and staging environments after every release push. Periodic log inspections look for anomalies in application usage.


Incident Response Plans

Obo has an extensive Incident Response Plan (IRP) which defines responses for all common incidents which could affect Obo operations or Obo users (including security and data breach incidents).


Physical Security

Beyond the physical security provided by AWS, the Obo office enforces keycard access for all employees.


Cloud Security

Obo leverages AWS network security for all product environments (dev, QA, staging, demo, and production). All AWS instances have periodic patch reviews and installs during defined maintenance windows.



Obo customer data is only accessible by the Obo customer who owns the data. Obo does not have a ‘super-user’ method for viewing data stored in customer tenants. Obo may view data inside a customer’s tenant only after a user grants access to their account by sharing their username and password with a trusted Obo employee.