Security Guide - OpenAir


Security Guide, April 9, 2022

Copyright 2013, 2022, Oracle and/or its affiliates.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs) and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end users are "commercial computer software" or "commercial computer software documentation" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, reproduction, duplication, release, display, disclosure, modification, preparation of derivative works, and/or adaptation of i) Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs), ii) Oracle computer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in the license contained in the applicable contract. The terms governing the U.S. Government's use of Oracle cloud services are defined by the applicable contract for such services. No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Inside are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Epyc, and the AMD logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.

If this document is in public or private pre-General Availability status:

This documentation is in pre-General Availability status and is intended for demonstration and preliminary use only. It may not be specific to the hardware on which you are using the software. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to this documentation and will not be responsible for any loss, costs, or damages incurred due to the use of this documentation.

If this document is in private pre-General Availability status:

The information contained in this document is for informational sharing purposes only and should be considered in your capacity as a customer advisory board member or pursuant to your pre-General Availability trial agreement only. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described in this document may change and remains at the sole discretion of Oracle.

This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. Your access to and use of this confidential material is subject to the terms and conditions of your Oracle Master Agreement, Oracle License and Services Agreement, Oracle PartnerNetwork Agreement, Oracle distribution agreement, or other license agreement which has been executed by you and Oracle and with which you agree to comply. This document and information contained herein may not be disclosed, copied, reproduced, or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.

Documentation Accessibility

For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc

Access to Oracle Support

Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.

Sample Code

Oracle may provide sample code in SuiteAnswers, the Help Center, User Guides, or elsewhere through help links. All such sample code is provided "as is" and "as available", for use only with an authorized NetSuite Service account, and is made available as a SuiteCloud Technology subject to the SuiteCloud Terms of Service at www.netsuite.com/tos, where the term "Service" shall mean the OpenAir Service.

Oracle may modify or remove sample code at any time without notice.

No Excessive Use of the Service

As the Service is a multi-tenant service offering on shared databases, Customer may not use the Service in excess of limits or thresholds that Oracle considers commercially reasonable for the Service. If Oracle reasonably concludes that a Customer's use is excessive and/or will cause immediate or ongoing performance issues for one or more of Oracle's other customers, Oracle may slow down or throttle Customer's excess use until such time that Customer's use stays within reasonable limits. If Customer's particular usage pattern requires a higher limit or threshold, then the Customer should procure a subscription to the Service that accommodates a higher limit and/or threshold that more effectively aligns with the Customer's actual usage pattern.

Table of Contents

Overview ... 1
  Product Overview ... 1
  Standard Features ... 2
  General Security Principles ... 7
Configuration ... 9
  Initial OpenAir Configuration ... 9
  Mail Domain and Firewall Configuration ... 9
  Automatic Backup Service ... 10
Security Features ... 13
  The Security Model ... 13
  Configuring and Using Authentication ... 15
    Authentication by OpenAir ... 16
    LDAP Authentication ... 20
    SAML Authentication ... 20
    NetSuite Single Sign-On ... 21
    OAuth 2.0 Token Based Authentication ... 21
  Configuring and Using Access Control ... 32
    Roles Overview ... 33
    Filter Sets Overview ... 35
    Form Permissions Overview ... 39
    User Settings Overview ... 43
  Configuring and Using Auditing features ... 49
    Reports Overview ... 49
    Audit Trail Fields ... 53
    Quick Audit Trail on Forms ... 57
    Data Export for Auditing ... 59
  Configuring and Using OpenAir Integrations and Add-on Services ... 65
    Add-on Services — Security Considerations ... 66
    Business Intelligence Connector — Security Considerations ... 70
    NetSuite Connector — Security Considerations ... 70
  Enabling and Controlling Access to OpenAir Platform Tools ... 72
  Security Considerations for Developers ... 77

Overview

This guide outlines the security features currently available for OpenAir and describes security-related controls and configuration settings.

This chapter gives an overview of the product, outlines some standard security features and explains the general principles of application security. It contains the following sections:
- Product Overview
- Standard Features
- General Security Principles

Product Overview

From resource management and project management, to time and expense tracking, project accounting and advanced billing and invoicing, OpenAir supports the entire professional services delivery lifecycle with a powerful Cloud suite. The OpenAir platform is a comprehensive offering of configurability, cloud development tools and infrastructure that enables customers and software developers to maximize the benefits of cloud computing. OpenAir is architected as a multi-tenant cloud platform that provides the core infrastructure, including support, for industrial-strength standards of high availability, disaster recovery and security, as well as an integrated scripting capability and a set of APIs to build and connect applications to the platform.

OpenAir was designed with industry standard security features:
- On the transport layer, all pages within the application are delivered using the HTTPS protocol. See TLS Protocol and Cipher Suites.
- Different authentication methods, IP address restriction and session timeout features are available to protect your OpenAir environment from unauthorized access. See Configuring and Using Authentication under Security Features.
- The backbone of the OpenAir security model is built on a roles and permissions model, in which users are given roles that define their access level to records, reports and add-on services. See Configuring and Using Access Control under Security Features.
- OpenAir's auditing capabilities give you the flexibility to achieve your control objectives, including tracking data and configuration changes as well as user login attempts. See Configuring and Using Auditing features under Security Features.
- The access control and other security measures also apply to the OpenAir integrations and add-on services. See Configuring and Using OpenAir Integrations and Add-on Services and Enabling and Controlling Access to OpenAir Platform Tools under Security Features.
- Constraints and limitations enforced on platform tools provide some safeguards for developers looking to extend OpenAir features and integrations. See Security Considerations for Developers.

Security Guide 1

Standard Features

Important: OpenAir is not intended to store personal information such as social security numbers or government ID numbers. The following security features are not natively supported as they fall out of OpenAir's intended scope:
- Anonymization
- Pseudonymization
- Truncation
- Tokenization
Customers are responsible for ensuring that their end users do not inappropriately store personal information in the OpenAir application.

This section reviews the following standard security features:
- Encryption
- Masking
- TLS Protocol and Cipher Suites
- Availability
- Data Control
- Privacy Considerations
These are inherent product security and privacy features that require little or no configuration. For security controls requiring configuration, see the Configuration and Security Features chapters.

Encryption

OpenAir uses the following cryptographic measures to ensure the security of your data.
- OpenAir web services are protected by HTTPS over TLS. All data is encrypted in transit.
- OpenAir Production and Disaster Recovery data centers use the Advanced Encryption Standard (AES) algorithm with 256-bit keys to encrypt data at rest.
- The Automatic Backup Service (ABS) allows customers to set up a regular delivery of their OpenAir account data to an email address or SCP/SFTP server. The data is compressed as a ZIP file and can be PGP-encrypted for additional security. A delivered backup leaves the OpenAir service, so enable PGP encryption unless both the delivery channel and the destination are themselves trusted. See Automatic Backup Service.
- User passwords stored in the database are one-way hashed using bcrypt.

Masking

Password values are masked as they are typed. This includes built-in password fields as well as password custom fields and script parameters.

Form permissions can be used to control what information is captured on many OpenAir entity forms. The information captured can be conditional on selected field values. This functionality can be applied to both standard fields and custom fields. See Form Permissions Overview and Permission Rules.

The Hide personal user information on reports internal feature can be used to hide information such as addresses and phone numbers in timesheet reports. To enable this feature, contact OpenAir Customer Support.

TLS Protocol and Cipher Suites

The Transport Layer Security (TLS) protocol is an established method for ensuring private, trustworthy, and reliable communication between computer programs over a network. HTTPS is HTTP carried over a TLS connection. Before any application data is sent, the two endpoints agree on a protocol version and a cipher suite, the client authenticates the server by verifying its certificate (the server may optionally authenticate the client as well), and both sides derive the session keys that encrypt and integrity-protect the rest of the exchange. This exchange is known as the TLS handshake.

Each new version of the TLS protocol enhances these qualities. TLS 1.2 is the version currently supported for use in OpenAir. All inbound and outbound secure communication must use TLS 1.2.

Supported Cipher Suites

OpenAir currently supports the following cipher suites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Important: The list of supported ciphers is subject to change at any time. It is your responsibility to be aligned with the highest possible level of security available in the industry. This applies to:
- Browser access: Users should update to the latest browser and OS versions to ensure they are using up-to-date ciphers.
- Integration client access: IT/technical teams need to be sure that connections from any integration tools have supported ciphers enabled. A client that cannot negotiate TLS 1.2 with one of the suites listed above will not be able to connect.

Availability

OpenAir Service Level Commitment guarantees a 99.5% uptime (outside of scheduled service windows) for the OpenAir production applications for all customers.

The following site may be used to check the OpenAir system status at any time: https://status.openair.com. This site is available even if the OpenAir web application is experiencing a service interruption or downtime.

All OpenAir accounts in all environments are hosted in Oracle Cloud Infrastructure (OCI). For more information about OCI, see https://cloud.oracle.com/iaas/architecture. In OCI, data is backed up using the OCI Gold policy.
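The protocol version and cipher suite requirements in TLS Protocol and Cipher Suites above are usually decided by an integration client's library defaults rather than by anyone consciously. The following is an added example written for this guide, not OpenAir's own code: it builds a Python ssl context pinned to TLS 1.2 and the four listed suites, reports any locally enabled TLS 1.2 suite that is not on the OpenAir list, and checks what a completed handshake actually negotiated. The IANA suite names are those from the list above; their OpenSSL spellings and the function names are this example's own.

```python
"""Check an integration client's TLS settings against the OpenAir requirement:
TLS 1.2 only, and only the four published cipher suites.

Added example for this guide; not OpenAir code. The OpenSSL spellings of the
suite names are the standard OpenSSL equivalents, not taken from the guide.
"""
import ssl

# IANA names as published in the guide -> OpenSSL names (assumed mapping,
# standard for OpenSSL).
OPENAIR_CIPHER_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
}
OPENSSL_TO_IANA = {v: k for k, v in OPENAIR_CIPHER_SUITES.items()}


def is_supported_suite(name: str) -> bool:
    """True if `name` (IANA or OpenSSL spelling) is one of the published suites."""
    return name in OPENAIR_CIPHER_SUITES or name in OPENSSL_TO_IANA


def openair_client_context() -> ssl.SSLContext:
    """Client context pinned to TLS 1.2 and the four published suites.

    PROTOCOL_TLS_CLIENT turns on certificate verification and hostname
    checking by default; leave them on for any real connection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # Offer only the OpenAir suites; anything else the local build enables is dropped.
    ctx.set_ciphers(":".join(OPENAIR_CIPHER_SUITES.values()))
    ctx.load_default_certs()
    return ctx


def enabled_tls12_suites(ctx: ssl.SSLContext) -> list[str]:
    """OpenSSL names of the TLS 1.2 suites the local OpenSSL build actually enabled.

    get_ciphers() may still list TLS 1.3 suites even with maximum_version
    pinned; they cannot be negotiated under the pin, so they are filtered out.
    """
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def unsupported_suites(ctx: ssl.SSLContext) -> list[str]:
    """TLS 1.2 suites enabled locally that OpenAir does not list; should be empty."""
    return [n for n in enabled_tls12_suites(ctx) if not is_supported_suite(n)]


def check_negotiated(sock: ssl.SSLSocket) -> tuple[str, str]:
    """After a real handshake, return (version, suite) or raise if either is
    outside the OpenAir requirement. sock.cipher() returns (name, protocol, bits)."""
    name, version, _bits = sock.cipher()
    if version != "TLSv1.2" or not is_supported_suite(name):
        raise ssl.SSLError(f"negotiated {version}/{name}, not an OpenAir supported suite")
    return version, name


if __name__ == "__main__":
    ctx = openair_client_context()
    print("enabled TLS 1.2 suites:", enabled_tls12_suites(ctx))
    print("unsupported suites enabled:", unsupported_suites(ctx))
```

Run it on the host that will make the integration calls: an empty `unsupported_suites` list together with at least one enabled suite means the local OpenSSL can offer exactly what OpenAir accepts. `check_negotiated` is meant to be called on the socket returned by `ctx.wrap_socket(...)` after connecting, so that a build or proxy that silently falls back to another suite is caught rather than assumed away.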

A secondary data center in California provides disaster recovery and failover capabilities should the primary data center become non-operational. The secondary data center will eventually be replaced by another region in OCI.

OpenAir has an SSAE 18 (SOC1/SOC2)/ISAE 3402 Type II audit conducted annually and a report prepared by an accredited third-party external auditor. The report contains information on policies, procedures, and controls relevant to data backups, offsite storage, restore, system availability, and uptime. A copy of the report can be provided to customers on request.

For reference, see the Service level commitment for the OpenAir Service, the Terms of Services and Oracle Cloud Services Contracts.

Data Control

Following the expiration or termination of the OpenAir Service, data is deleted from all live and non-live environments six months after the account cancellation date.

OpenAir provides customers with the option to allow authorized support employees to access a backup copy of the customer account in a sandbox environment to investigate cases submitted by the customer. This is used for troubleshooting complex cases, and the related sandbox environment is deleted after 30 days of inactivity, if not sooner.

Privacy Considerations

Personal data is protected under privacy and data protection laws, ordinances, and regulations in many countries around the world. Customers are responsible for assessing the legal and operational implications of any applicable privacy and data protection laws on their business. In particular, customers are responsible for:
- The identification and subsequent redaction, anonymization or pseudonymization of any personally identifiable information (PII) or other data pertinent to the privacy regulations in their production account and in any sandboxes which they own.
- Considering any applicable cookie consent requirements when collecting and tracking personal data from end users.

OpenAir makes the following provisions to enable you to meet your regulatory obligations:
- Data Minimization
- End-User Access
- Data Deletion
- Data Portability
- Tracking Technologies
- Notice and Consent
- Right to Erasure or Right to Be Forgotten
- Requesting Purge of ‘Deleted’ Records or Audit Trail Data

Data Minimization

OpenAir provides a Role Based Access Control (RBAC) model to set up authorization policies for users. These policies control the functionality available to users and can be set up by customers to enforce separation of duties. Filter sets can be used to control what data the user can view or update. See The Security Model and Roles Overview.

Form permissions can be used to control what information is captured on many OpenAir entity forms. This functionality can be applied to both built-in and custom fields. See Form Permissions Overview.

User scripts can also be used to ensure the data collected is sufficient and limited to what is necessary.

End-User Access

End-user data is accessible via the web application, APIs, Automatic Backup Service (ABS) and user scripts. Data access, correction, and deletion can be performed by the end-users themselves or by authorized personnel with the correct permissions and restrictions. OpenAir end-users with access can also use the SOAP API, the XML API or user scripts to programmatically access, modify, or delete their data.

Data Deletion

Users with appropriate role permissions can mark transactions or records for deletion using the OpenAir web application or OpenAir APIs.

Note: Only transactions or records which are not associated with another transaction or a child record can be marked for deletion, unless those associated transactions or records have themselves been marked as deleted.

Access to OpenAir APIs is a licensed add-on and must be purchased separately. To enable access to OpenAir APIs for your account, contact your OpenAir Sales Representative or Professional Services Consultant.

Deleted records are not removed immediately from the OpenAir database but are flagged as deleted. Records marked as deleted which have not been updated for 6 months or more are removed (purged) from the database when a major OpenAir release occurs. It could take up to a year for a record to be completely removed from the OpenAir database, depending on the timing between the product release and when the record was marked for deletion. Until the purge runs, a record flagged as deleted still exists in the database, so the flag alone does not satisfy an erasure obligation with a deadline.

Administrators may request the expedited purge of specific records flagged as deleted for regulatory compliance. See Requesting Purge of ‘Deleted’ Records or Audit Trail Data.

Following the expiration or termination of the OpenAir Service, data is deleted from all live and non-live environments six months after the account cancellation date. See also Data Control.

Data Portability

Users with appropriate permissions can export account, batch or list data.

OpenAir Automatic Backup Service (ABS) lets you set up a regular delivery of your OpenAir data. See Automatic Backup Service.

Users with appropriate permissions can use OpenAir APIs to retrieve data.

Note: OpenAir Automatic Backup Service (ABS) and APIs are licensed add-ons and must be purchased separately. To enable access to OpenAir Automatic Backup Service (ABS) or OpenAir APIs for your account, contact your OpenAir Sales Representative or Professional Services Consultant.

Tracking Technologies

The OpenAir website collects certain information about the user's computer and internet connection, such as the IP address, the date and time of access, actions, the computer technology which is being used, and movements and preferences on the website. The service only uses functional (not tracking) cookies for maintaining login sessions and personalization, and no third-party cookies. Session ID cookies generated from regular OpenAir logins are set to expire depending on the session timeout set by the customer. For SAML logins, the Session ID cookies are set to expire after 300 seconds of inactivity. All other OpenAir cookies are removed once the browser is closed.

Important: Customers are responsible for assessing the legal and operational implications of any regulation on their business, and for considering any applicable cookie consent requirements when collecting and tracking personal information from end users.

Notice and Consent

Dashboard messages can be used to display notice information, which can include your entire notice or provide an external URL to your privacy notice.

Custom fields can be used to create a mechanism for employees to give or withdraw consent. Administrators can set up an automated email notification using the query builder to inform users and refresh consent if anything changes. For more information on dashboard messages and the query builder, see the OpenAir Admin Guide.

Right to Erasure or Right to Be Forgotten

OpenAir provides many options to delete personal data, either manually or automatically. These features are either available by default or require some configuration. See Data Deletion and Requesting Purge of ‘Deleted’ Records or Audit Trail Data.

Administrators and users with the appropriate role permissions can:
- Use the OpenAir web application or OpenAir APIs to permanently obfuscate personal information held for terminated or inactive employees.
- Delete expense report attachments using a wizard.
- Run maintenance tasks to delete script log entries.

Requesting Purge of ‘Deleted’ Records or Audit Trail Data

To the extent that you have regulatory obligations requiring expedited deletion of specific records being processed by OpenAir, account administrators may submit a support case to request the permanent deletion of specific data from the database within 30 days. This applies to:
- Specific records flagged as deleted which need to be purged before they are due to be purged as part of the regular data maintenance cycle.
- Specific audit trail data or any other specific data which cannot be modified by account administrators.

OpenAir Engineering will propagate those changes to all environments not owned by the customer (such as support sandboxes) or otherwise assure their removal.

To request the purge of specific audit trail data and/or specific records flagged as deleted:

1. Make sure any data or personally identifiable information has been removed from the affected fields on the records.

2. Go to SuiteAnswers and Create a Support Case.
3. Provide the following information:
   - Business justification for the request. The request must proceed from regulatory obligations.
   - Name/dbid of any Sandbox accounts from which the data also needs to be deleted/purged.
   - Required completion date. A minimum of twelve US business days is required.
   - Clear and detailed identification of the data to be deleted/purged. Include:
     - The internal IDs and table names of the records.
     - The specific names of the fields needing data removed from the audit trail. Provide field names as they appear in the database, not in the UI.
     - If applicable, specify:
       - The internal IDs in both your Production and any Sandbox accounts you may have, if the IDs are different.
       - The custom field [number] in both your Production and any Sandbox accounts you may have, if these numbers are different.

Important: Consider the following guidelines:
- Any request to purge or delete data must be made by an account administrator and proceed from regulatory requirements.
- OpenAir makes no assurances for timely removal of data by any required date with fewer than twelve business days' notice.
- All data from the specified fields in the specified records will be removed or redacted by OpenAir engineering within twelve business days of receiving the request.
- There will be no record of what specific data was removed. Customers are entirely responsible for retaining any important information in another system/medium should they require it in the future for any reason.
- There is no restoration/rollback capability for removal of data from an audit trail.

General Security Principles

The following principles are fundamental to using any application securely.

Keep Software Up To Date

One of the principles of good security practice is to keep all software versions and patches up to date. This applies to add-on services and other integration applications connecting to OpenAir as well as operating systems and browser technology.

In the specific case of web browser support, the following four browsers are supported in accordance with the vendor support policy: Google Chrome (most current major stable channel release), Mozilla Firefox (most current major ESR version and above, in production only), Apple Safari (most current major production release and one prior release), and Microsoft Edge (most current major production release on a supported operating system). Other versions may continue to work with OpenAir but are not officially supported. Microsoft Internet Explorer 11 is no longer supported.

[Table: browser support (Chrome, Firefox, Microsoft Edge, Safari) by operating system, each cell marked Supported or Not Supported]

See also Oracle Software Web Browser Support Policy.

Follow the Principle of Least Privilege

The principle of least privilege states that users should be given the least amount of privilege needed to perform their jobs. Over-ambitious granting of responsibilities, roles, grants, etc., especially early on in an organization's life cycle when people are few and work needs to be done quickly, often leaves a system wide open for abuse. User privileges should be reviewed periodically to determine relevance to current job responsibilities.

When an employee leaves, immediately remove their access to OpenAir.

Separation of Duties

Beyond limiting user privilege level, you also limit user duties,
