Optymyze Pte. Ltd. | Trust Center
Optymyze Trust Center. Designed for security. Built on enterprise trust.
Optymyze helps global organizations securely manage sensitive business processes, operational data, and enterprise workflows through secure architecture, operational safeguards, and industry-aligned compliance practices.
See compliance

Resources

Access security, compliance, governance, and architecture documentation relevant to evaluating the Optymyze platform and services.

Security and Trust

Enterprise-grade security controls, monitoring, governance, and operational safeguards designed to protect applications, infrastructure, and customer data.

Governance and compliance

Automated governance and compliance to control and continuously audit access to, use of and changes to users, roles, apps, data, processes and objects in the platform.

SOC1 Type 2 Report

Independent assessment of controls supporting operational integrity and financial reporting processes.

SOC2 Type 2 Report

Independent validation of security, availability, and confidentiality controls across the Optymyze platform and operations.

SonarSource Report

Independent source code quality and security analysis supporting secure development practices.

Penetration Testing Report

Independent penetration testing assessment evaluating external security posture and network resilience.

Subprocessors

Transparency into third-party providers supporting the hosting, operation, monitoring, and delivery of Optymyze cloud services.

AWS

Cloud infrastructure provider supporting secure hosting, scalability, availability, and data processing operations.

Office 365

Enterprise productivity, communication, collaboration, and documentation management services.

Entra ID

Identity and access management services supporting authentication and user access controls.

Monitoring

Continuously monitored by Secureframe

Compliance

Independent assessments, regulatory alignment, and assurance practices supporting enterprise security, privacy, governance, and operational compliance requirements.

SOC 1 Type 2

Independent assessment of controls supporting financial reporting processes.

SOC 2 Type 2

Independent validation of security and availability controls.

HIPAA

Practices supporting protected health information (PHI) safeguards.

GDPR

Privacy practices aligned to EU data protection requirements.

PIPEDA

Practices supporting Canadian privacy requirements.

CCPA

Practices supporting California consumer privacy requirements.

Third-Party Risk Exchange

Enterprise risk and security assessment information available through the ProcessUnity Global Risk Exchange.

Powered by ProcessUnity Global Risk Exchange
Fill out the form to access Optymyze's complimentary ProcessUnity Global Risk Exchange assessment report.

Risk Posture

Validated enterprise security posture supported by comprehensive controls, governance, and operational safeguards.

Control Frameworks

Security controls aligned to recognized frameworks and continuously assessed against enterprise requirements.

Continuous Assurance

Ongoing monitoring and external risk intelligence supporting operational resilience and cybersecurity readiness.

FAQs

Optymyze applies layered security controls designed to protect customer data across infrastructure, applications, access management, and operational processes. Security practices are continuously reviewed to support enterprise security, operational resilience, and evolving compliance requirements.
Yes. Optymyze supports role-based access controls designed to help organizations manage user permissions, operational segregation, controlled access to data, and enterprise governance requirements across business processes and workflows.
Optymyze supports enterprise authentication and identity management integrations to help organizations centralize user access management, strengthen authentication controls, and align with enterprise security standards.
Optymyze provides governance and auditability capabilities designed to support operational oversight, controlled change management, traceability, and enterprise accountability across platform activities and business processes.
Optymyze supports enterprise security review and third-party risk assessment processes through its Trust Center, security and compliance documentation workflows, and participation in the ProcessUnity Global Risk Exchange.
Optymyze supports operational resilience, governance, security oversight, auditability, and third-party risk management practices that help organizations address operational resilience expectations associated with the EU Digital Operational Resilience Act (DORA).
Optymyze uses a governed metadata-driven architecture designed to provide operational flexibility while supporting enterprise governance, controlled configuration management, auditability, and secure operational change processes.
Optymyze maintains security and operational practices aligned to recognized industry standards and enterprise security frameworks. Information regarding applicable certifications, compliance programs, and security practices is available through the Optymyze Trust Center.

Monitoring

Change Management

Baseline Configurations
Baseline configurations and codebases for production infrastructure, systems, and applications are securely managed.
Configuration and Asset Management Policy
A Configuration and Asset Management Policy governs configurations for new sensitive systems
Secure Development Policy
A Secure Development Policy defines the requirements for secure software and system development and maintenance.
Change Management Policy
A Change Management Policy governs the documenting, tracking, testing, and approving of system, network, security, and infrastructure changes.

Availability

Automated Backup Process
Full backups are performed and retained in accordance with the Business Continuity and Disaster Recovery Policy.
Uptime and Availability Monitoring
System tools monitors for uptime and availability based on predetermined criteria.
Business Continuity and Disaster Recovery Policy
Business Continuity and Disaster Recovery Policy governs required processes for restoring the service or supporting infrastructure after suffering a disaster or disruption.

Organizational Management

Security Awareness Training
Internal personnel complete annual training programs for information security to help them understand their obligations and responsibilities related to security.
Information Security Policy
An Information Security Policy establishes the security requirements for maintaining the security, confidentiality, integrity, and availability of applications, systems, infrastructure, and data.
Cybersecurity Insurance
Cybersecurity insurance has been procured to help minimize the financial impact of cybersecurity loss events.

Confidentiality

Data Retention and Disposal Policy
A Data Retention and Disposal Policy specifies how customer data is to be retained and disposed of based on compliance requirements and contractual obligations.
Access to Customer Data is Restricted
Access to, erasure of, or destruction of customer data is restricted to personnel that need access based on the principle of least privilege.
Data Classification Policy
A Data Classification Policy details the security and handling protocols for sensitive data.
Disposal of Customer Data
Upon customer request, Company requires that data that is no longer needed from databases and other file stores is removed in accordance with agreed-upon customer requirements.
Retention of Customer Data
Procedures are in place to retain customer data based on agreed-upon customer requirements or in line with information security policies.

Vulnerability Management

Vulnerability and Patch Management Policy
A Vulnerability Management and Patch Management Policy outlines the processes to efficiently respond to identified vulnerabilities.
Vulnerability Scanning
Vulnerability scanning is performed on production infrastructure systems, and identified deficiencies are remediated on a timely basis.
Third-Party Penetration Test
A 3rd party is engaged to conduct a network and application penetration test of the production environment at least annually. Critical and high-risk findings are tracked through resolution.

Incident Response

Incident Response Plan
An Incident Response Plan outlines the process of identifying, prioritizing, communicating, assigning and tracking confirmed incidents through to resolution.
Incident Response Plan Testing
The Incident Response Plan is periodically tested via tabletop exercises or equivalents. When necessary, Management makes changes to the Incident Response Plan based on the test results.

Risk Assessment

Risk Assessment
Formal risk assessments are performed, which includes the identification of relevant internal and external threats related to security, availability, confidentiality, and fraud, and an analysis of risks associated with those threats.
Vendor Risk Management Policy
A Vendor Risk Management Policy defines a framework for the onboarding and management of the vendor relationship lifecycle.

Network Security

Network Security Policy
A Network Security Policy identifies the requirements for protecting information and systems within and across networks.
Endpoint Security
Company endpoints are managed and configured with a strong password policy, anti-virus, and hard drive encryption
Network Traffic Monitoring
Security tools are implemented to provide monitoring of network traffic to the production environment.
Logging and Monitoring for Threats
Logging and monitoring software is used to collect data from infrastructure to detect potential security threats, unusual system activity, and monitor system performance, as applicable.

Data Encryption

Encryption-in-Transit
Service data transmitted over the internet is encrypted-in-transit.
Encryption-at-Rest
Service data is encrypted-at-rest.
Encryption and Key Management Policy
An Encryption and Key Management Policy supports the secure encryption and decryption of app secrets, and governs the use of cryptographic controls.

Security Transparency

Description of Services
Descriptions of the company's services and systems are available to both internal personnel and external users.
Communication of Security Commitments
Security commitments and expectations are communicated to both internal personnel and external users via the company's website.
Communication of Critical Information
Critical information is communicated to external parties, as applicable.
Privacy Policy
A Privacy Policy to both external users and internal personnel. This policy details the company's privacy commitments.
Confidential Reporting Channel
A confidential reporting channel is made available to internal personnel and external parties to report security and other identified concerns.
Terms of Service
Terms of Service or the equivalent are published or shared to external users.