Security & trust
We test you to a standard. Here’s ours.
It would be a strange security company that asked you to trust it on faith. This is what we’re accredited for, how we handle your data, and where to report a concern about us.
01AccreditationCREST-accredited. Engagements run to OWASP, PTES, and NIST methodology by certified operators. CREST status is verifiable; we name only what we can stand behind. Verify on the CREST registry ↗
02Compliance supportWe help you meet SOC 2, PCI-DSS, ISO 27001, HIPAA, and DORA testing expectations, and Incenter keeps coverage current between audits.
03Data handlingClient data is held to the minimum needed, access-controlled, audit-logged, and never exfiltrated to make a point. Data residency and retention terms are set in your agreement.
04Responsible disclosureA clear channel for reporting any security concern about OSec itself: email security@osec.com (also published in our
/.well-known/security.txt). We hold ourselves to the standard we test you against.