Key Security Policies

Summary

Information Security and Physical Security

OAO policies dictate that information in all its forms – written, spoken, recorded electronically, or printed – will be protected from accidental or intentional unauthorized modification, destruction, or disclosure throughout its lifecycle. This protection includes an appropriate level of security over the equipment and software used to process, store, and transmit that information.

Data Classification, Data Protection, and Encryption

Per OAO’s Data Protection Policy, data is classified per our Data Classification Policy, then sanitized according to its classification, the media used for storage, and the guidelines offered by NIST publications.

Individual systems and information are protected using the AES algorithm with a minimum key size of 256 bits. Cloud resources are configured to encrypt network communication using a secure protocol (HTTPS/TLS) and use strong ciphers (TLS/SSL) for data-in-transit encryption.

Physical and System Access Controls

Access to OAO systems and applications is limited for all users, including but not limited to company employees, contractors, vendors, and other authorized users of OAO's assets. Access by any other entity is allowable only on a minimum necessary basis.

OAO implements logical access security software, infrastructure, and architectures over protected information assets. Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed, and access is disabled when access is no longer required or the infrastructure and software are no longer in use.

Accordingly, we offer robust authentication and authorization options to our business and internal users, including SAML-based SSO. External administrators can leverage our self-service interface or work with our developers to integrate their identity provider.

Vendor Risk Management, Logging and Monitoring, and Threat Detection

OAO makes every effort to ensure all third-party organizations (including cloud service providers) are compliant and do not compromise the integrity, security, and privacy of OAO or its customer data. Third parties include customers, partners, subcontractors, and contracted developers.

OAO requires frequent monitoring and maintenance of audit trails to effectively assess information system controls, operations, and general security. Controls have been implemented to detect and alert in the event of real-time suspicious or anomalous activity, including network traffic, that may indicate threat actor activity.

Furthermore, risk assessment and risk treatment are applied to the entire scope of OAO’s information security program, as well as to assets used within OAO or assets that could impact our information security.

Incident Response

A key objective of OAO’s Information Security Program is to focus on detecting information security weaknesses and vulnerabilities so that incidents and breaches can be prevented wherever possible. OAO is committed to protecting its employees, customers, and partners from illegal or damaging actions taken by others, either knowingly or unknowingly. Despite this, incidents and data breaches may occur; when they do, OAO is committed to rapidly responding to them, which may include identifying, containing, investigating, resolving, and communicating information related to the breach.

Per our Incident Response Policy, OAO has established controls to ensure the detection of security vulnerabilities and incidents, as well as quick reaction and response to security breaches. Instructions for security incident response include definitions, procedures, responsibilities, metrics, and reporting mechanisms. Procedures used in response to security events require annual testing.

All users must report any perceived or actual information security vulnerability or incident as soon as possible using the contact mechanisms prescribed in this document. In addition, OAO employs automated scanning and reporting mechanisms that can be used to identify possible information security vulnerabilities and incidents. If a vulnerability is identified, it must be resolved within a set period of time based on its severity. If an incident is identified, it must be investigated within a set period of time based on its severity. If an incident is confirmed as a breach, a set procedure must be followed to contain, investigate, resolve, and communicate information to employees, customers, partners, and other stakeholders.

Disaster Recovery

Per our Business Continuity Policy, OAO has defined and documented a plan and process for business continuity, including the backup and recovery of systems and data. The Business Continuity Plan is simulated and tested at least once a year. Metrics are measured to identify recovery enhancements. Enhancements are then sent to our ticketing system to improve the process. During all Business Continuity Plan activities and disruptions, security controls and requirements are maintained at primary and alternate/backup sites.

OAO has a documented Disaster Recovery Plan that outlines roles, responsibilities, and detailed procedures for recovery of systems in the event of a disaster scenario. OAO’s Security Team validates the Disaster Recovery Plan on an annual test schedule to ensure the implementation of the tests. This process also serves as training for personnel involved in the plan's execution. Annual exercises include tabletop and technical testing.

Backups

At a minimum, Vendor shall, at no additional cost to Customer: (i) perform (1) nightly database backups to a backup server, (2) incremental database transaction log file backups every 30 minutes to a backup server, (3) weekly full backups of all of Customer’s data hosted by Vendor and the default path to a backup server, and (4) nightly incremental backups of the default path to a backup server; and (ii) replicate Customer’s database and default path to an off-site location (i.e., other than the primary data center); and (iii) save the last 14 nightly database backups on a secure transfer server (i.e., at any given time, the last 14 nightly database backups will be on the secure transfer server) from which Customer may retrieve the database backups at any time. In the event of data loss, Vendor shall regenerate the lost data, at Vendor’s expense, as soon as practicable from the date Vendor is notified, or becomes aware, of the loss.

Appendix

Information Security Policy

Purpose

OAO's Information Security Policy has been developed to establish a general approach to information security and the minimization of information misuse, compromise, or loss; document security processes and measures; uphold ethical standards and meet the company's regulatory, legal, contractual, and other obligations; control business risk; and ensure that the appropriate company image and reputation is presented.

Scope

This policy applies to:

  • Information in any form, regardless of the media on which it is stored, as well as any facility, system, or network used to store, process, and transfer information.

  • All OAO employees, temporary staff, partners, contractors, vendors, suppliers, and any other person (collectively also referred to as “Staff” or “Personnel”) or entity that accesses the company's networks or any other public or private network through the company's networks or systems.

  • All activity while using or accessing the company's information or information processing, storage, or transmission equipment, while on the company premises (owned, rented, leased, or borrowed) or remotely.

  • Information resources that have been entrusted to the company by any entity external to the company (i.e. Customers, Staff, and others).

  • Documents, messages, and other communications created on or communicated via the company systems are considered the company's business records and, as such, are subject to review by third parties in relation to audits, litigation, process improvement, and compliance.

Background

This policy is the overarching policy over the rest of the security policies, which make up the company's information security program (ISP). The series of security policies includes:

  • Acceptable Use Policy

  • Asset Management Policy

  • Backup Policy

  • Business Continuity/Disaster Recovery Plans

  • Change Management Policy

  • Code of Conduct

  • Data Classification, Retention, and Protection Policies

  • Encryption and Password Policies

  • Incident Response Plan

  • Logging and Monitoring Policy

  • Network Security Policy

  • Physical Security Policy

  • Policy Waiver Process

  • Responsible Disclosure Policy

  • Risk Assessment Policy

  • Social Media Policy

  • Software Development Life Cycle Policy

  • System Access Management Policy

  • Vendor Management Policy

  • Vulnerability Management Policy

Information Security Objectives

It is the policy of OAO that information, as defined hereinafter, in all its forms – written, spoken, recorded electronically or printed – will be protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its lifecycle. This protection includes an appropriate level of security over the equipment and software used to process, store, and transmit that information. Ultimately, the information security goal of OAO is to maintain:

  • Confidentiality: Data and information are protected from unauthorized access

  • Integrity: Data is intact, complete and accurate

  • Availability: IT systems are available when needed

OAO's information security objectives, consistent with the company's information security program, are:

  • To protect information from all internal, external, deliberate, or accidental threats;

  • To enable secure information sharing;

  • To encourage consistent and professional use of information;

  • To ensure clarity about roles and responsibilities associated with protecting information;

  • To ensure business continuity and minimize business damage; and,

  • To protect the company from legal liability and the inappropriate use of information.

Roles and Responsibilities

The Security Team is comprised of the following:

  • Technology Executive is responsible for the entire Information Security Program.

  • Bright Defense (vendor) is responsible for reviewing, monitoring, and ensuring continuous compliance.

  • Technology Department and HR are responsible for monitoring and enforcing the policies and procedures.

Policy Review

At a minimum on an annual basis, OAO's Management and key personnel will discuss, evaluate, and document the company's information security policy, ensuring strategic goals and objectives are continually being developed.

At a minimum on an annual basis, all security policies will be reviewed, modified and/or edited to meet necessary security standards. All policies will be signed and approved by authorized personnel.

Accessibility

Policies and/or procedures will be made accessible to employees for review at all times via the compliance automation SaaS, Drata.

Exceptions

Requests for any exceptions to any policies included within the ISP must be approved by OAO's Management after proper review. Any approved exceptions will be reviewed annually.

All policy waiver requests must be submitted in writing to security@adops.com.

The reason for the waiver, the timespan during which the waiver applies, and any related documentation must be provided at the time of the request.

Policy

Personnel Security

All personnel will be required to acknowledge in writing their understanding of the Information Security Policy, the Code of Conduct, and other topic-specific policies based on their job function during onboarding and annually thereafter. New hire onboarding will be completed within 30 days of hire.

Background checks will be conducted on candidates for employment (employees, temporary personnel, and third parties as deemed necessary) prior to hire using a third-party service provider and in accordance with relevant laws, regulations, and ethics, and proportional to the business requirements. The HR/People team will retain records of the background checks.

Management will evaluate candidates for employment through a formal interview process. The process may include verification of academic and professional qualifications, identity verifications, validation of references, technical interviews, or other steps as deemed applicable based on the job position.

Training

Management will ensure that employees, contractors, and third-party users:

  • Are properly briefed on their information security roles and responsibilities prior to being granted access to covered information or information systems;

  • Are provided with guidelines which state security expectations of their role within the organization;

  • Are regularly notified of security changes and updates, as well as reminded of security responsibilities to be undertaken, via annual security awareness training and annual policy acknowledgements;

  • Are motivated and comply with the security policies of the organization;

  • Achieve a level of awareness on security relevant to their roles and responsibilities within the organization;

  • Conform to the terms and conditions of employment, which includes the organization's information security policy and appropriate methods of working.

All new hires are required to complete information security awareness training as part of their new employee onboarding process and annually thereafter. Ongoing training will include security and privacy requirements as well as training in the correct use of information assets and facilities. Records to evidence completion of training for all personnel will be retained. The periodic security awareness training will be supplemented with multiple methods of communicating awareness and educating personnel as deemed necessary by management, such as newsletters, web-based training, in-person training, periodic phishing simulations, etc.

The organization will properly communicate to its workforce and, if appropriate, contractors:

  • Security updates, changes, and incidents, as needed, via email or #security Slack channel.

  • Reminders for security responsibilities as part of the annual security awareness training.

In addition, consistent with assigned roles and responsibilities, incident response and contingency training will be provided to personnel annually.

Users may also be trained on the following topics:

  • Phishing Simulation Training

  • Secure Coding Training

  • Data Protection and Privacy Courses

  • Employee Online Safety

  • Regular Updates on the Latest Threats and Security Protocols

  • Continual Education and Updates

Intellectual Property Rights

OAO takes handling and safeguarding of intellectual property very seriously. Intellectual property rights include software or document copyright, design rights, trademarks, patents and source code licenses.

To ensure this, the following procedures will be maintained:

  • Software will only be acquired through known and reputable sources, to ensure that copyright is not violated.

  • An asset inventory will identify all assets with requirements to protect intellectual property rights.

  • Proof and evidence of ownership of licenses, master disks, manuals, etc. will be maintained.

  • Review of the asset inventory will also make sure that only software and licensed products are installed.

  • Compliance with terms and conditions for software and information obtained from public networks will be ensured.

Information Security Requirements Analysis & Specifications

OAO will identify its information security requirements using different methods, ensure the results of the identification are documented and reviewed by all stakeholders, and integrate the requirements and associated processes in the early stages of projects.

Methods

  • Policies and regulations

  • Threat modeling

  • Incident reviews

  • Use of vulnerability thresholds

Factors

  • Level of confidence required towards the claimed identity of users, in order to derive user authentication requirements.

  • Access provisioning and authorization processes, for business and privileged or technical users.

  • Informing users and operators of their duties and responsibilities.

  • Protection needs of assets, especially in terms of availability, confidentiality, integrity.

  • Business processes (e.g., transaction logging and monitoring, non-repudiation requirements).

  • Other security controls (e.g. interfaces to logging and monitoring or data leakage detection systems).

Employment Terms and Conditions

The following terms and conditions of employment at OAO are the contractual obligations for employees or contractors for the safeguarding of information. They include, but are not limited to:

  • Signing a confidentiality or non-disclosure agreement (NDA) prior to access to confidential information and processing facilities.

  • Legal responsibilities and rights, particularly concerning intellectual property.

  • Responsibilities for the classification of information and management of organizational assets associated with information, information processing facilities and information services handled by an employee or contractor.

  • Responsibilities for handling of information received from third parties.

  • Reviewing and agreeing with the security policies of the company.

  • Duration of responsibilities beyond end of employment.

  • Actions to be taken for non-compliance with the terms and conditions, and the company's security policies.

Disciplinary Process

OAO's discipline policy and procedures are designed to provide a structured corrective action process to improve and prevent a recurrence of undesirable employee behavior and performance issues. It has been designed to be consistent with OAO cultural values, Human Resources (HR) best practices, and employment laws.

OAO reserves the right to combine or skip steps depending on the facts of each situation and the nature of the offense. The level of disciplinary intervention may also vary. Some of the factors that will be considered are whether the offense is repeated despite coaching, counseling, or training, the employee's work record, and the impact the conduct and performance issues have on the organization.

Step 1: Verbal Warning and Counseling

This initial step creates an opportunity for the immediate supervisor to schedule a meeting with an employee to bring attention to an existing performance, conduct or attendance issue. The supervisor should discuss with the employee the nature of the problem or the violation of company policies and procedures. The supervisor is expected to clearly describe expectations and the steps the employee must take to improve performance or resolve the problem.

Step 2: Formal Written Warning

If the employee does not promptly correct any performance, conduct or attendance issues that were identified in Step 1, a written warning will become formal documentation of the performance, conduct, or attendance issues and consequences. The employee will sign a copy of the document to acknowledge receipt and understanding of the formal warning. During Step 2, the immediate supervisor and HR representative will meet with the employee to review any additional incidents or information about the performance, conduct or attendance issues as well as any prior relevant corrective action plans. Management will outline the consequences for the employee of his or her continued failure to meet performance or conduct expectations.

A formal performance improvement plan (PIP) requiring the employee's immediate and sustained corrective action will be issued after a Step 2 meeting. A warning outlining that the employee may be subject to additional discipline up to and including termination if immediate and sustained corrective action is not taken may also be included in the written warning.

Step 3: Suspension and Final Written Warning

There may be performance, conduct, or safety incidents so problematic and harmful that the most effective action may be the temporary removal of the employee from the workplace. When immediate action is necessary to ensure the safety of the employee or others, the immediate supervisor may suspend the employee pending the results of an investigation. Suspensions that are recommended as part of the normal progression of this progressive discipline policy and procedure are subject to approval from a next-level manager and HR.

Step 4: Recommendation for Termination of Employment

The last step in the progressive discipline procedure is a recommendation to terminate employment. Generally, OAO will try to exercise the progressive nature of this policy by first providing warnings, a final written warning or suspension from the workplace before proceeding to a recommendation to terminate employment. However, OAO reserves the right to combine and skip steps depending on the circumstances of each situation and the nature of the offense. Furthermore, employees may be terminated without prior notice or disciplinary action.

Management's recommendation to terminate employment must be approved by HR and the supervisor's immediate manager. Final approval may be required from the CEO.

Performance and Conduct Issues Not Subject to Progressive Discipline

Behavior that is illegal is not subject to progressive discipline, and such behavior may be reported to local law enforcement authorities. Theft, substance abuse, intoxication, fighting and other acts of violence at work are grounds for immediate termination.

Enforcement

OAO Management, under the explicit authority granted by the company CEO, retains the authority and responsibility to monitor and enforce compliance with this Policy and other policies, standards, procedures, and guidelines. Monitoring activities may be conducted on an on-going basis or on a random basis whenever deemed necessary by Management and may require investigating the use of the Company's information resources. The company reserves the right to review any and all communications and activities without notice.

OAO will take appropriate precautions to ensure that monitoring activities are limited to the extent necessary to determine whether the communications or activities are in violation of Company policies, standards, procedures, and guidelines or in accordance with normal business processing performance or quality activities.

Violation of the controls established in this Policy is prohibited and will be appropriately addressed. Disciplinary actions for violations may include verbal and/or written warnings, suspension, termination, and/or other legal remedies and will be consistent with our published HR standards and practices.

Cloud Computing

Cloud Services

OAO will take the following into account for information security in cloud computing:

  • Information stored in its cloud computing environment may be accessed and managed by cloud service providers. 

  • Assets, such as application programs, could be maintained within the cloud computing environment.

  • Processes may run on multi-tenant, virtualized cloud service platforms.

  • The specific context of cloud service users and the circumstances surrounding the usage of the cloud service. 

  • Administrators who have privileged access to the cloud service.

  • Geographical locations of the cloud service provider's organization and where customer data might be stored, even temporarily.

Incident Response Policy

Purpose

This security incident response policy is intended to establish controls to ensure the detection of security vulnerabilities and incidents, as well as quick reaction and response to security breaches. This document also provides implementing instructions for security incident response, including definitions, procedures, responsibilities, and performance measures (metrics and reporting mechanisms).

Scope

This policy applies to all users of information systems within OAO. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information controlled by OAO (hereinafter referred to as “users”). This policy must be made readily available to all users.

Background

A key objective of OAO’s Information Security Program is to focus on detecting information security weaknesses and vulnerabilities so that incidents and breaches can be prevented wherever possible. OAO is committed to protecting its employees, customers, and partners from illegal or damaging actions taken by others, either knowingly or unknowingly. Despite this, incidents and data breaches are likely to happen; when they do, OAO is committed to rapidly responding to them, which may include identifying, containing, investigating, resolving, and communicating information related to the breach.

This policy requires that all users report any perceived or actual information security vulnerability or incident as soon as possible using the contact mechanisms prescribed in this document. In addition, OAO must employ automated scanning and reporting mechanisms that can be used to identify possible information security vulnerabilities and incidents. If a vulnerability is identified, it must be resolved within a set period of time based on its severity. If an incident is identified, it must be investigated within a set period of time based on its severity. If an incident is confirmed as a breach, a set procedure must be followed to contain, investigate, resolve, and communicate information to employees, customers, partners and other stakeholders.

Within this document, the following definitions apply:

  • Information Security Vulnerability:
    A vulnerability in an information system, information system security procedures, or administrative controls that could be exploited to gain unauthorized access to information or to disrupt critical processing.

  • Information Security Incident:
    A suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of information security policy.

  • Information Security Event:
    An occurrence or change in the normal behavior of systems, networks, or services that may impact security and organizational operations (e.g., possible compromise of policies or failure of controls).

Roles and Responsibilities

The Security Team is comprised of the following:

  • Technology Executive is responsible for the entire Information Security Program.

  • Bright Defense (vendor) is responsible for reviewing, monitoring, and ensuring continuous compliance.

  • Technology Department and HR are responsible for monitoring and enforcing the policies and procedures.

Policy

  • All users must report any system vulnerability, incident, or event pointing to a possible incident to the Security Officer as quickly as possible but no later than 24 hours.

  • Incidents must be reported by sending an email message with details of the incident.

  • Users must be trained on the procedures for reporting information security incidents or discovered vulnerabilities, and their responsibilities to report such incidents. Failure to report information security incidents shall be considered to be a security violation and will be reported to the Human Resources (HR) Manager for disciplinary action.

  • Information and artifacts associated with security incidents (including but not limited to files, logs, and screen captures) must be preserved appropriately in the event that they need to be used as evidence of a crime.

  • All information security incidents must be responded to through the incident management procedures defined below.

Periodic Evaluation

It is important to note that the processes surrounding security incident response should be periodically reviewed and evaluated for effectiveness. This also involves appropriate training of resources expected to respond to security incidents, as well as the training of the general population regarding OAO's expectation for them, relative to security responsibilities. The incident response plan is tested annually.

Procedure For Establishing Incident Response System

  • Define on-call schedules and assign an Information Security Manager (ISM) responsible for managing incident response procedures during each availability window.

  • Define a notification channel to alert the on-call ISM of a potential security incident. Establish a company resource that includes up-to-date contact information for on-call ISM.

  • Assign management sponsors from the Technology Executive, Technology Department, and HR groups.

  • Distribute Procedure For Executing Incident Response to all staff and ensure up-to-date versions are accessible in a dedicated company resource.

  • Require all staff to complete training for Procedure For Executing Incident Response at least once per year.

Procedure For Executing Incident Response

  • When an information security incident is identified or detected, users must notify their immediate manager within 24 hours. The manager must immediately notify the ISM on call for proper response. The following information must be included as part of the notification:

    • Description of the incident

    • Date, time, and location of the incident

    • Person who discovered the incident

    • How the incident was discovered

    • Known evidence of the incident

    • Affected system(s)

  • Within 48 hours of the incident being reported, the ISM shall conduct a preliminary investigation and risk assessment to review and confirm the details of the incident. If the incident is confirmed, the ISM must assess the impact on OAO and assign a severity level, which will determine the level of remediation effort required:

    • Critical/High: the incident is potentially catastrophic to OAO and/or disrupts OAO’s day-to-day operations; a violation of legal, regulatory, or contractual requirements is likely.

    • Medium: the incident will cause harm to one or more business units within OAO and/or will cause delays to a business unit’s activities.

    • Low: the incident is a clear violation of organizational security policy but will not substantively impact the business.

  • The ISM, in consultation with management sponsors, shall determine appropriate incident response activities to contain and resolve incidents.

  • The ISM must take all necessary steps to preserve forensic evidence (e.g. log information, files, images) for further investigation to determine if any malicious activity has taken place. The collection of evidence will be managed by appropriate members with proper understanding and training in forensic evidence collection. In the absence of such members, certified third-party professionals will be used. All such information must be preserved and provided to law enforcement if the incident is determined to be malicious.

  • If the incident is deemed as High or Medium, the ISM must work with the VP Brand/Creative, General Counsel, and HR Manager to create and execute a communications plan that communicates the incident to users, the public, and others affected.

  • The ISM must take all necessary steps to resolve the incident and recover information systems, data, and connectivity. All technical steps taken during an incident must be documented in OAO’s incident log, and must contain the following:

    • Description of the incident

    • Incident severity level

    • Root cause (e.g. source address, website malware, vulnerability)

    • Evidence

    • Mitigations applied (e.g. patch, re-image)

    • Status (open, closed, archived)

    • Disclosures (parties to which the details of this incident were disclosed, such as customers, vendors, law enforcement, etc.)

  • After an incident has been resolved, the ISM must conduct a post-mortem that includes root cause analysis and documentation of any lessons learned.

    • In the event that the incident involves the breach of sensitive privacy data (e.g., PII), (1) an assessment will also be conducted to determine the extent of harm, embarrassment, inconvenience, or unfairness to affected parties; (2) all affected parties and appropriate organizations (e.g., Law Enforcement) will be notified; and (3) every effort will be made to mitigate the harm to affected parties.

  • Depending on the severity of the incident, the President of the company may elect to contact external authorities, including but not limited to law enforcement, private investigation firms, and government organizations as part of the response to the incident.

  • The ISM must notify all users of the incident, conduct additional training if necessary, and present any lessons learned to prevent future occurrences. Where necessary, the HR Manager must take disciplinary action if a user’s activity is deemed as malicious.

Disaster Recovery Policy

Purpose

To protect the confidentiality, integrity, and availability of data, both for OAO and OAO’s customers, complete backups are performed daily to ensure that data remains available when it’s needed and in the case of a disaster.

Policy

OAO policy requires that:

  • Data should be classified at the time of creation or acquisition according to the Data Classification Policy.

  • An up-to-date inventory and data flow map of all critical data are maintained.

  • All business data should be stored or replicated into a company controlled repository, including data on end-user computing systems.

  • Data must be backed up according to its level defined in the Data Classification Policy.

  • Data retention period must be defined and comply with any and all applicable regulatory and contractual requirements. More specifically,

    • Data and records belonging to OAO customers must be retained per OAO product terms and conditions and/or specific contractual agreements.

    • By default, all security documentation and audit trails are kept for a minimum of seven years, unless otherwise specified by OAO’s Data Classification Policy, specific regulations, or contractual agreement.

Backup and Recovery

Customer Data

OAO stores customer data in a secure production account in Google Cloud, using a combination of two GCP projects: Schubert Suite and iadops-prod databases. By default, Google Cloud provides durable infrastructure to store important data and is designed for 99.999999999% durability of objects.

OAO performs automatic backups of all customer and system data to protect against catastrophic loss due to unforeseen events that impact the entire system. An automated process will back up all data to a separate region in the same country (e.g. US East to US West). By default, data will be backed up daily. The backups are encrypted in the same way as live production data. Backups are monitored by Google Cloud Monitoring, which also issues alerts. Backup failures trigger an incident by alerting the Technology Department.

Source Code

OAO stores its source code in Git repositories hosted by GitHub. Source code repositories are backed up to OAO’s Google Cloud account on a daily basis. In the event that GitHub suffers a catastrophic loss of data, source code will be restored from the backups in Google Cloud.