Introduction

At ONTAB, we continuously strive to earn and maintain the trust of our users, clients and partners. We consider our access to user’s data both a privilege and a responsibility. We have, therefore, created policies and procedures to address the usage, management, and monitoring of such data, and maintain its security as one of the founding principles of the company.

In addition to safely housing our data, ONTAB takes various measures to protect and regulate customer data, as outlined here.

Risk Based Approach to Data Security

At ONTAB, we take a risk based approach to data security; firstly by understanding the inherent risk in our data management cycle including the collection, processing and storage of user data and secondly, by identifying the people, business processes and technologies that are involved in the data management cycle. 

Data Collection

Data is collected at ONTAB through our web portal and proprietary platform. The data is submitted when the user submits the information. This information is encrypted using TLS till we receive it on our servers. For PCI data, we use AES256 encryption standard to meet our PCI compliance obligation. We may ask individuals for additional non sensitive information (such as recent utility bills) by email to verify information already provided, however as we improve and automate our processes, there will be little to no human to human interaction in the collection of data.

Data Processing

At ONTAB, we process data for two main purposes: adjudication and risk classification. For the time being, we consider factors such as the applicants’ credit history, credit score, income and several other factors to decide whether an individual qualifies for a loan or not, and at what interest rate. We also collect data around user behaviour including loan repayment and delinquency to create models on risk associated with different segments of the population, risk mitigation and targeted marketing strategies.

Data Storage

ONTAB uses one of the world’s most popular and trusted cloud platforms, as well as a software development, deployment and operation cloud platform to maintain databases that host basic user information, as well as customers’ Personally Identifiable Information (PII). When selecting cloud platforms, we consider the reputation and credibility of service providers.

Further, our policy is to only work with cloud platforms that meet our strict security requirements and store data in North American or European servers; jurisdictions where security and privacy regulations are the most advanced in regards to consumer protection.

Website & Platform Security

At ONTAB, we encrypt all of our customer data and metadata using an industry standard TLS and AES-256 (PCI Data) encryption to ensure the safety of all data submitted on our website and platform.

Our websites: www.ontab.com and www.ontab.me use SSL Certificates to create an encrypted link between our web server and the web browser.

Furthermore, we use enterprise-class security solutions to monitor and protect our internal and external networks from online attacks and block malicious traffic.

Other Data Security Practices

ONTAB classifies and labels user data according to its importance and sensitivity. This establishes an understanding of data sensitivity and protection.

We also ensure strict access controls based on job function and requirement. Employee and contractor devices are also protected by a device management platform to authenticate, authorise, and manage users, devices, and applications.

All employees and contractors must complete an identity verification and criminal background check before working with ONTAB. Additionally, employees must sign an employment agreement and contractors are required to sign an NDA and confidentiality agreement.

ONTAB has also enacted strict physical location access control.

On the other hand, various security measures are put in place to ensure user access security.

Finally, ONTAB ensure regular audits are conducted by independent 3rd party consultants.

Security Training and Data Handling Guidelines 

Data Handling guidelines are included in training for all employees and contractors. Training is conducted when employees or contractors are onboarded, as well as on an annual basis.

Vulnerability Reporting

We ask our customers and members of the public to report vulnerabilities or security issues and concerns to our email address: security@ontab.com. Our teams also regularly escalate customer concerns around data security or issues identified to our Director, Risk and Compliance.

A Note about Privacy

ONTAB considers both privacy and security to be paramount to the establishment of trust in its products. We have created a publicly available privacy policy to address and surpass our requirements under Canada’s PIPEDA legislation. Although some policies and procedures may be duplicated, our Security policy is designed to protect ONTAB user’s data in addition to our privacy considerations.