Enterprise-grade security and data privacy, built for life sciences.
Onomi is the live engagement intelligence layer for pharma — and we operate to the security and compliance standards your CRM does.
GDPR, HIPAA, SOC 2 Type 2, ISO 27001, with data residency in the EU, US, Singapore, or Australia.
Why pharma IT teams trust Onomi
Built for the regulated edge of pharma.
Advisory boards, congress booth conversations, scientific exchange — the touchpoints with the highest privacy sensitivity. Designed to operate inside enterprise security envelopes from day one.
Native to your CRM, not a shadow stack.
Certified Veeva and Salesforce partner. Identity-resolved interactions flow into the systems of record you already secure — no parallel data silo to govern.
Data residency you control.
Pick where each event's data lives — Germany, USA, Singapore, or Australia — at the event level, not the contract level.
Eight domains, audited by independents.
How we operate the platform — every control with evidence behind it.
Network, Infrastructure & Operations Security
Multi-tenant high-availability with end-to-end encryption.
- TLS 1.2 / 1.3 in transit, AES-256 at rest
- Controlled key management
- Mobile app hardening via Promon
- Multi-tenant high-availability architecture
Authentication & Access
SSO and mandatory MFA across the platform.
- SSO with mandatory MFA for admin users
- SSO-authenticated mobile app
- Biometric / PIN unlock
- Registration-based SSO for end users (HCPs)
Data Residency & Management
Event-level region choice, certified deletion.
- EMEA (Germany), USA, Singapore, or Australia
- Region chosen per event, not per contract
- Customer data ownership with key controls
- Ad-hoc deletion certified per NIST 800-88
Privacy Controls & Workflows
GDPR + CCPA compliance with self-service controls.
- GDPR and CCPA compliant
- Self-service end-user privacy controls
- Pre-signed DPA available
- Personal data anonymization on request
Secure Development & Change Management
Formal SDLC with automated and human code review.
- Formal SDLC, separated dev / test / prod
- Automated static analysis (Sonar)
- Black Duck FOSS scanning
- Advanced code reviews for every change
Threat & Intelligence
Continuous vulnerability assessment and external testing.
- Weekly vulnerability assessments
- Bi-annual external penetration tests
- Quarterly social-engineering tests
- Internal and external monitoring
Incident Management & Business Continuity
Daily backups, monthly recovery tests, automated alerting.
- Daily encrypted backups
- Business Continuity & DR plan
- Monthly recovery tests
- Automated alerting on incident triggers
Human Resources
In-house security and privacy leadership, audited training.
- In-house CISO and DPO
- Background checks for all staff
- Mandatory annual security and privacy training
- Training completion audited
Configured for 21+ privacy regimes across every region we operate in.
Pharma engagement operates under more privacy law than almost any other category. Onomi is configured to support the frameworks your legal team will ask about — and we publish the matrix so you don't have to ask twice.
- GDPR (European Union)
- ePrivacy Directive (European Union)
- UK GDPR · DPA 2018 (United Kingdom)
- Swiss FADP (Switzerland)
- EU AI Act (European Union)
- NIS2 Directive (European Union)
- HIPAA (United States)
- CCPA · CPRA (California)
- VCDPA · CPA · CTDPA · UCPA (US state privacy laws)
- Sunshine Act (United States)
- PIPEDA (Canada)
- Quebec Law 25 (Quebec, Canada)
- LGPD (Brazil)
- PDPA (Singapore)
- Privacy Act 1988 (Australia)
- APPI (Japan)
- PIPL (China)
- PIPA (South Korea)
- PDPA (Thailand)
- PDPL (Saudi Arabia)
- POPIA (South Africa)
The full compliance matrix
One XLSX. Every framework above with the specific controls Onomi maintains, our legal basis, sub-processor disclosure, and the contract artifacts you need to satisfy each requirement.
One form. The full security packet.
Request the package and our security team delivers a secure link with every document below — under a lightweight NDA.
SOC 2 Type 2 Report
Latest annual audit, executed by an independent CPA firm.
Latest Penetration Test Report
Most recent bi-annual external assessment with remediation status.
ISO 27001 Certificate
Active certification covering the platform and operations.
Architecture Whitepaper
How the platform is architected for security, isolation, and residency.
FOSS Notices Report / SBOM
Open-source software bill of materials with license audit.
External Vulnerability Scan Report
Most recent automated external scan with findings and disposition.
Pre-signed DPA
GDPR-aligned Data Processing Addendum ready for counter-signature.
Request the full package
One form, one NDA acceptance, secure delivery of all six gated documents within one business day.
The questions your security team will ask.
Where is event data hosted?
Is Onomi SOC 2 Type 2 certified?
Is Onomi HIPAA compliant?
How does Onomi handle GDPR and CCPA?
Does Onomi integrate natively with Veeva CRM?
How does Onomi authenticate end users (HCPs)?
What is Onomi's penetration test cadence?
Can we get a pre-signed DPA?
How long is data retained, and how is deletion certified?
Who is Onomi's CISO and DPO?
Ready for your security review?
Get the full documentation package, or put 30 minutes on our CISO's calendar.