Your OneTrust account can be hosted in one of two ways: 1) with cloud hosting provided by OneTrust or 2) in a dedicated cloud environment managed by OneTrust. There are some differences and requirements of which you should be aware when you select a hosting option.
OneTrust cloud hosting is provided by Microsoft Azure with localities in the United States, Canada, Brazil, United Kingdom, Europe, Australia, and Asia. Microsoft's cloud infrastructure has the following certifications and attestations: ISO/IEC 27001:2013, ISO 27017/27018, SSAE 16/ISAE 3402 SOC 1 Type 1 and Type 2, AT Section 101 SOC 2 and 3 Type 1 and Type 2, and FedRAMP certification and accreditation.
OneTrust LLC’s Information Security Management System (ISMS) is ISO/IEC 27001:2013 certified as reflected in the certificate found here: https://www.coalfirecertification.com/Certificates/OneTrust-ISO-27001-Certificate-Award_2-15-2022.pdf.
OneTrust LLC’s Privacy Information Management System (PIMS) is the first in the world to become ISO/IEC 27701:2019 certified as reflected in the certificate found here: https://www.coalfirecertification.com/Certificates/OneTrust-ISO-27701-Certificate-Award_2-15-2022.pdf. The PIMS comprises components, network devices, and software that are operated by OneTrust employees within its defined system physically operating within the Microsoft Azure production accounts used to make OneTrust Privacy, Security, and Third-Party Risk software available to customers.
OneTrust has completed a Type 2 SOC for Service Organizations (SOC 2 Type 2) examination as of February 27, 2020.
Hosting Locations & IP Addresses
OneTrust cloud hosting is provided through Microsoft Azure in the following data center locations:
The following table details the data center hosting locations and Admin Portal IP addresses for each OneTrust application environment. These IP addresses can be used to safelist communication from OneTrust in your network.
The following table includes IP addresses that use Classless Inter-Domain Routing (CIDR) notation, such as 20.54.106.120/29. In CIDR notation, an address block is written as a base address (20.54.106.120), followed by a suffix (29) that indicates how many leading bits of the address are fixed as the network prefix; the remaining bits identify the individual addresses in the block.
For example, when 20.54.106.120/29 is mentioned, the IP addresses 20.54.106.120, 20.54.106.121, 20.54.106.122, 20.54.106.123, 20.54.106.124, 20.54.106.125, 20.54.106.126, and 20.54.106.127 should be safelisted. In another example, when 13.86.126.174/32 is mentioned, only the IP address 13.86.126.174 should be safelisted, because a /32 suffix refers to a single IP address. You can use this subnet calculator to enter the CIDR IP address for additional details on the IP range.
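The expansion described above can be checked before an entry goes into a firewall rule. The following Python sketch is an added example, not OneTrust code: it strictly parses the two CIDR entries quoted on this page, rejects malformed or overly broad entries, and matches source addresses from constructed log lines against the safelist. The log format, the `MIN_PREFIX` policy value, and all function names are assumptions.

```python
import ipaddress

# The two CIDR entries quoted in the text above; the full table is not reproduced.
SAFELIST = ["20.54.106.120/29", "13.86.126.174/32"]
MIN_PREFIX = 24  # assumption: local policy refuses entries broader than a /24

# Constructed firewall log lines in an assumed key=value format.
SAMPLE_LOG = [
    "2024-01-01T00:00:01Z src=20.54.106.125 dst=10.0.0.5 dport=443",
    "2024-01-01T00:00:02Z src=20.54.106.128 dst=10.0.0.5 dport=443",
    "2024-01-01T00:00:03Z src=13.86.126.174 dst=10.0.0.5 dport=443",
]

def load_safelist(entries, min_prefix=MIN_PREFIX):
    """Parse CIDR entries strictly; return (accepted networks, rejected entries)."""
    networks, rejected = [], []
    for entry in entries:
        try:
            # strict=True refuses entries with host bits set, e.g. 20.54.106.121/29
            net = ipaddress.ip_network(entry.strip(), strict=True)
        except ValueError as exc:
            rejected.append((entry, str(exc)))
            continue
        if net.prefixlen < min_prefix:
            rejected.append((entry, f"/{net.prefixlen} is broader than /{min_prefix}"))
            continue
        networks.append(net)
    return networks, rejected

def expand(cidr):
    """List every address in the block, the way the text enumerates a /29."""
    return [str(ip) for ip in ipaddress.ip_network(cidr, strict=True)]

def classify_sources(log_lines, networks):
    """Map each source IP in the log to the safelist entry covering it, or None."""
    result = {}
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        try:
            src = ipaddress.ip_address(fields.get("src", ""))
        except ValueError:
            continue  # missing or malformed source address
        match = next((n for n in networks if src in n), None)
        result[str(src)] = str(match) if match else None
    return result

if __name__ == "__main__":
    nets, bad = load_safelist(SAFELIST + ["20.54.106.121/29"])
    print(expand("20.54.106.120/29"))
    print(classify_sources(SAMPLE_LOG, nets), bad)
```

The second sample line uses 20.54.106.128, the first address past the end of the /29, to show that a neighbouring address is not covered by the entry.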
Note
The OneTrust application provides multiple options to deliver email notifications, as detailed here. Based on your selected email server configuration, email notifications will be delivered in one of the following ways:
- For Custom SMTP Relay or Microsoft Exchange Online: Emails are sent from the OneTrust application to the customer's SMTP server or Microsoft Exchange server from the IPs listed in the table below. The customer's SMTP server or Microsoft Exchange server then delivers the email to the recipient (e.g. data subject, vendor, etc.).
- For Default Configuration or Send on Behalf of my Domain: Emails are delivered directly to the email recipient (e.g. data subject, vendor, etc.) via the OneTrust cloud email platform.
The automated security of the OneTrust cloud email platform ensures that customers do not manage the DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF). The IP addresses used for email delivery are not published for this purpose, which therefore eliminates the need to rotate DKIM keys or update SPF for IP changes. If you require IP safelisting for email delivery within your internal teams, OneTrust recommends using the Custom SMTP Relay or Microsoft Exchange Online configuration.
Note
OneTrust added new Admin Portal IP addresses in the following table. If your network team safelists OneTrust IPs, you are encouraged to review and update your firewall.
Web Scanner Locations & IP Addresses
The following table details the Web Scanner Locations and IP addresses for each OneTrust application environment. These IP addresses can be used to safelist communication from OneTrust in your network.
The following table includes IP addresses that use CIDR notation, such as 20.54.106.120/29. You can use this subnet calculator to enter the CIDR IP address for additional details on the IP range.
Important
Certain environments support the option to configure scans to originate from a hosting location either in North Europe or the Central US. The North Europe hosting location is available by default. The Central US hosting location is available upon request to enterprise licenses only.
For more information, see Scanning a Website.
Note
OneTrust added new Web Scanner IP addresses in the following table. If your network team safelists OneTrust IPs, you are encouraged to review and update your firewall.
Backups of Hosted Accounts
Backups for cloud-hosted implementations are managed, performed, and tested by Microsoft Azure. Full backups are performed weekly, differential backups every 12-24 hours, and transaction log backups every 5 to 10 minutes. Azure also provides a 14-day backup to protect against accidental data deletion. Backups are stored encrypted with Azure Transparent Data Encryption AES-256 and are tested regularly. All backups are stored at the secondary Azure data center paired with the primary data center.
OneTrust Supported TLS Protocols
The following table outlines the supported Transport Layer Security (TLS) protocols with applicable ciphers for OneTrust's cloud environments as of March 16, 2020:
Convercent Hosting Options, Locations, & Backups
Convercent, a OneTrust Affiliate, uses the following hosting options, locations, and backups. For more information on OneTrust Affiliates, see List of Subprocessors.
Hosting Options
Your Convercent account can be hosted in one of two ways: 1) with cloud hosting provided by Convercent or 2) in a dedicated cloud environment managed by Convercent.
Convercent cloud hosting is provided by Microsoft Azure with localities in the European Union (Dublin, Ireland, or Amsterdam) or in the US (Seattle or Cheyenne).
Hosting Locations and IP Addresses
Convercent cloud hosting is provided through Microsoft Azure. Customers can choose to store data in one of the following data center locations: our EU hosted environment (Dublin, Ireland is the primary site and Amsterdam is the Disaster Recovery (DR) site) or our US hosted environment (Seattle is the primary site and Cheyenne is the DR site).
Backups of Hosted Accounts
Backups for cloud-hosted implementations are managed, performed, and tested by Microsoft Azure. Private Convercent customer data is stored at the Microsoft-hosted data center facilities. Backup and retrieval of company data is important for our customers, and therefore real-time data replication, daily backups, weekly backups, monthly backups, and offsite storage are all part of the Convercent backup policy. All data is permanently purged from the backup servers after 365 days.
Tugboat Logic Hosting Options, Locations, & Backups
Tugboat Logic, a OneTrust Affiliate, uses the following hosting options, locations, and backups. For more information on OneTrust Affiliates, see List of Subprocessors.
Hosting Options
Your Tugboat Logic account can be hosted in one of two ways: 1) with cloud hosting provided by Tugboat Logic or 2) in a dedicated cloud environment managed by Tugboat Logic.
Tugboat Logic cloud hosting is provided by Amazon Web Services (AWS) with localities in the United States (us-east-1 with backup in us-west-2), Europe (eu-central-1 with backup in eu-west-1), and Canada (ca-central-1).
Tugboat Logic's Information Security Management System (ISMS) is ISO/IEC 27001:2013 certified as reflected in the certificate found here: https://resources.tugboatlogic.com/rs/471-GKD-174/images/Signed_FINAL_ISMS_Certificate_Tugboat.pdf
Hosting Locations and IP Addresses
Tugboat Logic cloud hosting is provided through AWS in the following data center locations:
Backups of Hosted Accounts
Backups for cloud-hosted implementations are managed and performed by AWS. Backups are tested by Tugboat Logic on a periodic basis. Backups are stored encrypted with AES-256.
Planetly Hosting Options, Locations, & Backups
Planetly, a OneTrust Affiliate, uses the following hosting options, locations, and backups. For more information on OneTrust Affiliates, see List of Subprocessors.
Hosting Options
Your Planetly account can be hosted in a dedicated cloud environment managed by Planetly.
Planetly cloud hosting is provided by Amazon Web Services (AWS) with locality in Germany.
Hosting Locations and IP Addresses
Planetly cloud hosting is provided through AWS in the following data center locations: Germany.
Backups of Hosted Accounts
Backups for cloud-hosted implementations are managed, performed, and tested by AWS. Backups are stored encrypted with AES-256.
The following responses are supported solutions to frequently asked questions (FAQ) about the OneTrust application. The OneTrust team continuously monitors these inquiries and will make additional FAQ available as they are identified.
1. I performed a trace and see an IP address that looks like it is from a different location. Is this a performance issue?
   Our cloud hosting utilizes Cloudflare for performance and security. Cloudflare utilizes the Anycast routing method, which allows multiple machines to share the same IP address. Though it may look like the IP address is from a location other than the data center outlined, in reality, the requests you make will be directed to the machine in the data center closest to where you made the request. This allows requests to be routed using a faster and more reliable network path.
2. What are the hosting options, locations, and backups for OneTrust Affiliates?
   OneTrust Affiliates such as Convercent, Tugboat Logic, and Planetly implement the following hosting options, locations, and backups. For more information on OneTrust Affiliates, see List of Subprocessors.