OnePlan is an Office 365 / Azure app. It is installed into your Microsoft work management cloud environment and uses the standard O365 app model, which means that authentication is handled entirely through your AD / AAD and inherently follows all of your policies.
The app is hosted in Azure and therefore has high availability and adheres to security best practices and certification requirements.
Data Tracking
OnePlan allows for tracking more data than what is stored in Office 365 (for example, high level resource planning info) and therefore does store some data. This data is also stored in Azure (Cosmos DB).
A “service account” is needed when connecting to a work management platform. The account will need admin access to the work management platform it is connected to. The stored account credentials are encrypted using Azure Key Vault.
Encryption
All data is encrypted in transit using TLS 1.2 with DigiCert certificates. API keys / token-based methods are used instead of user names and passwords where supported.
https://media.screensteps.com/attachment_assets/assets/003/951/583/original/OnePlan_Systems_Architecture_2020.11.25.pdf
Azure has a variety of certifications and is very secure. You can access more info here: https://www.microsoft.com/en-us/trustcenter/security/azure-security
View Microsoft SOC reports here: https://www.microsoft.com/en-us/trustcenter/compliance/soc
Penetration Testing
OnePlan uses Pentest-Tools.com for network penetration testing of our applications to verify there are no unknown risks. We also utilize the Security Code Scan extension for Visual Studio to scan our source code for code-level vulnerabilities. We follow OWASP standards. As changes are made to our application and / or network settings, we re-scan to verify no issues have been created. If an issue has been created, we will resolve it before pushing it to production. If an issue is found in production, we will resolve it immediately.
Disaster Recovery
Disaster recovery for OnePlan is handled by Microsoft, as we use Azure services (not servers) to host OnePlan. On top of what Microsoft does, we take nightly backups of all OnePlan data and store them in geo-replicated Azure Storage for 30 days. This helps in scenarios where data was accidentally deleted or changed and you need to restore back to a certain point.
You can learn more about Azure disaster recovery here: https://docs.microsoft.com/en-us/azure/architecture/resiliency/disaster-recovery-azure-applications
Deleting Data
After any data is deleted, or you cancel your subscription, all of the data is removed within 30 days (once the daily backups have been deleted). Microsoft has policies on handling the physical drives that store the data.
Learn more about Microsoft's data management policies here: https://www.microsoft.com/en-us/trustcenter/privacy/data-management#section2
Personal Information
The OnePlan applications do not collect or retain any personal information regarding users of the solution. Our customers may elect to store some information in OnePlan about resources, such as skill sets, department names, etc., which is used when searching for resources to staff projects. This information remains under the control of the customer, is not accessible by OnePlan staff, and is easily removed by the customer's administrative staff when required. Any personal data you choose to store in OnePlan is stored in Azure Cosmos DB, which is GDPR compliant and holds many other certifications.
The attached file contains more information. It is a filled-out CAIQ document (an industry-standard software security and risk assessment questionnaire) with answers to common security questions.