Defense in depth. Audited by design.
OAN security spans three pillars: the product we build (data at rest, data in motion), the partners we extend through (LSEG, SOVOS, DocuSign, Adobe Sign), and the way we operate as a company (SOC 2 Type 2 and SOC 1 Type 2 audited). Every layer is designed to reduce your vendor risk review, not add to it.
Security promises, in writing.
CIOs and IT heads do not buy on security adjectives. They buy on commitments that show up in the SLA, the SOC report, and the patch timeline. Four things OAN commits to before you sign.
Critical CVEs patched in hours, not quarters
When a critical vulnerability is disclosed in Oracle, OCI, or any OAN dependency, we patch on a contracted SLA. Criticals typically get same-day or next-business-day turnaround, and your security team is notified through documented channels the moment the work starts.
Security SLAs in writing, not in marketing
Patching timelines, incident notification windows, uptime commitments, and vulnerability remediation targets all live in your contract as SLAs. Your procurement and security teams review them before you sign, not hope for them afterward.
Proof your security team can read
SOC 1 Type 2 and SOC 2 Type 2 reports, architecture diagrams, penetration test summaries, and incident response runbooks are all available under NDA during procurement. Your reviewers see the actual evidence, not a brochure.
Security inherited from the Oracle stack
OAN runs on Oracle Database, Oracle APEX, and Oracle Cloud Infrastructure. You inherit Oracle's quarterly Critical Patch Update cadence for the database and APEX layers, OCI's network controls, and Oracle's enterprise support posture; applying those patches inside the contracted SLA above is OAN's job, not yours. The foundation beneath OAN is the same foundation beneath your ERP.
Process. Product. Partnership.
Every security and compliance topic on this page maps to one of three pillars. Together they form OAN's defense in depth.
Process
OAN has completed SOC 2 Type 2 and SOC 1 Type 2 audits. Internal controls, segregation of duties, change management, and access reviews are independently verified every year over a 12-month audit period, not asserted.
Product
Every layer of the OAN platform is secured by design. Data at rest is encrypted with Oracle TDE, with keys held in OCI Vault. Data in motion is protected by TLS 1.3 end to end behind OCI WAF and OCI Load Balancer, and administrative access goes only through OCI Bastion.
Partnership
Where a specialist does it better, OAN integrates with them natively. LSEG for risk and sanctions screening, SOVOS for tax compliance, DocuSign and Adobe Sign for document signing. Best in class, wired in.
Security extended through specialists who do this best.
Some security problems are better solved by the companies who have been solving them for decades. OAN integrates natively with the ones that matter most to finance operations, and extends cleanly to more when you need them.
Sanctions, risk, and tax compliance wired into the workflow
LSEG Risk Intelligence
Screening against sanctions lists, politically exposed persons, adverse media, and identity verification. Powers the OAN Global Risk Agent across vendor onboarding, payment screening, and customer verification.
SOVOS
Sales tax, VAT, and indirect tax compliance across jurisdictions. Real-time tax determination, validation, and reporting wired into AP invoice and PO workflows.
Legally binding signatures and document integrity
DocuSign
Industry-leading electronic signature platform for legally binding document execution. Integrated into OAN contract, invoice, and onboarding workflows.
Adobe Acrobat Sign
Adobe Acrobat Sign for enterprises standardized on Adobe Document Cloud. Same OAN workflows, Adobe-native signing experience.
Need another partner? Custom integrations with other risk, tax, and signature providers are built on the same framework as the shipped ones.
Security engineered into the product itself.
Every data point in OAN is protected by Oracle and OCI security primitives. Data at rest is encrypted at the database and storage layer. Data in motion passes through OCI WAF and Load Balancer under TLS 1.3, and administrative access goes only through OCI Bastion.
Data at Rest
Oracle TDE: Transparent Data Encryption with AES-256 at the tablespace level. Every OAN record, every backup, every export encrypted without application code changes.
Object storage: Server-side encryption for all objects. Documents, attachments, and binary content protected at the storage layer across every OAN product.
OCI Vault: Customer-managed encryption keys (CMEK) with OCI Vault. Bring your own key (BYOK) supported for customers with strict compliance requirements.
Backups and recovery: Cross-region replication, point-in-time recovery, and automated encrypted backups. RPO and RTO negotiated per customer based on criticality.
Data in Motion
TLS 1.3: All external and internal traffic protected by TLS 1.3. No plain HTTP anywhere in the OAN platform, no exceptions.
OCI WAF: Filters SQL injection, cross-site scripting, and other known request-level attack signatures (the injection-style categories of the OWASP Top 10) before requests ever reach OAN application tiers. Flaws a WAF cannot see, such as broken access control, are the job of the application-tier access controls and the independent penetration testing described below.
OCI Load Balancer: TLS termination at the edge, re-encrypted with TLS 1.3 to the application tier, plus DDoS mitigation and high-availability traffic distribution. Certificates rotated automatically on your cadence.
OCI Bastion: Time-limited, fully audited administrative access. No public SSH, no standing access, every session captured in the audit log.
Every technical control on this page is built on Oracle Database, Oracle APEX, and Oracle Cloud Infrastructure. You are not inheriting a bespoke security stack. You are inheriting Oracle's.
Independently audited. Annually re-audited.
OAN has successfully completed SOC 2 Type 2 and SOC 1 Type 2 audits by an independent licensed CPA firm. OAN has always voluntarily pursued the more demanding Type 2 report. Reports are available to your security and compliance team under NDA during procurement.
SOC 2 Type 2
SOC 2 examines and evaluates the operational controls of a business across the AICPA Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. A Type 2 report tests those controls over an extended period (OAN's usual audit period covers 12 months), proving that controls are sustained over time, not just in place on a single day.
SOC 1 Type 2
SOC 1 audits focus on internal controls over financial reporting, covering both the OAN platform and OAN Pay (our payments system). A Type 2 report tests operating effectiveness over a 12-month audit period, demonstrating that the controls your financial statements depend on have been working consistently throughout the year.
Process is not a one-time audit. It is a continuous posture.
Beyond the annual SOC report, OAN runs continuous internal control reviews, change management gates, access reviews, and independent penetration testing. HIPAA technical safeguards, GDPR data subject rights, and SOX-friendly audit trails are all built into the platform, not bolted on per customer. When your compliance team asks for evidence, it is already there.
Frequently Asked Questions
The questions we hear most often from security, compliance, and vendor risk teams during procurement.
What is a SOC 2 audit?
SOC stands for System and Organization Controls, a suite of assurance reports defined by the American Institute of CPAs (AICPA). A SOC 2 audit examines and evaluates the operational controls of a business. The audit requires a company to document and follow comprehensive information security policies and procedures. The resulting report gives interested parties (prospects, customers, auditors) additional information and insight to make a decision about working with that business.
What is a SOC 1 audit?
SOC 1 audits focus on internal controls over financial reporting, testing the design and operating effectiveness of controls that are relevant to user entities' financial statements. OAN views SOC 1 audits and other periodic third-party reviews as a valuable resource to enhance both the OAN platform and OAN Pay, our payments system.
What is the difference between a Type 1 and a Type 2 report?
A Type 1 report tests controls at a single point in time, essentially answering the question "were the controls in place on this date?" A Type 2 report tests controls over an extended period, typically 6 to 12 months, answering the harder question "were the controls working consistently throughout this period?" Type 2 is the more demanding and comprehensive standard. OAN has always voluntarily pursued Type 2 for both SOC 1 and SOC 2, with a 12-month audit period, because it gives customers the strongest possible assurance.
Has OAN completed its SOC audits, and can we see the reports?
OAN has successfully completed SOC 2 Type 2 and SOC 1 Type 2 audits. Our auditors determined that our controls were effectively designed and followed throughout the 12-month audit period. Relevant portions of both reports are available upon request under NDA during procurement. Your security, compliance, and vendor risk teams can review the full audit report, controls testing, and auditor opinion before signing anything.
How is our data encrypted, and who holds the keys?
Data at rest is encrypted with Oracle Transparent Data Encryption (TDE) at AES-256. Keys are managed by OCI Vault with customer-managed keys (CMEK) by default, and bring your own key (BYOK) supported for customers who require it. Data in motion is protected by TLS 1.3 end to end, with certificates rotated automatically. Nothing about OAN requires you to hand over your keys.
How quickly are critical vulnerabilities patched?
Critical CVEs in Oracle, OCI, or any OAN dependency are patched on a contracted SLA. Criticals typically get same-day or next-business-day turnaround; highs and mediums are scheduled per the SLA in your contract. Your security team is notified through documented channels the moment remediation begins, and the audit log captures every step of the patch cycle.
What happens if there is a security incident?
OAN runs 24x7 security monitoring with documented incident response playbooks. If an incident occurs, your security team is notified per the SLA in your contract with full forensic detail from the unified audit log. Post-incident reports are delivered on your timeline, and runbooks are available for your review during procurement. Every agent action, every human action, and every platform event lands in the same audit log.
Which partners handle risk screening, tax, and signatures?
LSEG Risk Intelligence powers sanctions, PEP, adverse media, and identity screening inside the Global Risk Agent product. SOVOS handles sales tax, VAT, and indirect tax compliance inside AP and PO workflows. DocuSign and Adobe Acrobat Sign are the electronic signature options for contract execution and invoice sign-off. New partners are added as customers need them, without changing the underlying platform.
Does OAN support HIPAA, GDPR, and SOX requirements?
HIPAA: technical safeguards, access controls, audit trails, and BAA available for healthcare customers. GDPR: data subject rights, right to erasure, data residency controls, and processing records. SOX: segregation of duties, change management, and immutable audit trails that support your control narrative. None of these are separate products. They come with the platform.
How often is OAN re-audited and tested?
SOC 2 Type 2 and SOC 1 Type 2 reports are issued annually with a 12-month audit period. Internal controls, access reviews, and change management are continuously monitored and sampled throughout the year. Penetration testing is performed annually by an independent firm, and remediation is tracked and verified. Using an independent third party to audit these controls is an investment we are proud to undertake because it gives customers the strongest possible assurance about our operational, data security, and privacy practices.
Bring us through your security and compliance review.
A 60-minute working session with your security, compliance, and architecture leads. We come with the SOC reports, the encryption and network diagrams, and the partnership story. You leave with what you need to open procurement.
Under NDA on request. SOC reports available during procurement.