Trust and security

How OnlineOffice protects workspace data

A practical overview of security, operations, and legal controls that help companies decide before choosing a paid plan. This page is not an ISO certification claim.

Account and access security

  • Admin accounts can use multi-factor authentication and recovery codes.
  • Sensitive actions are recorded as security and audit events.
  • Workspace access is tied to user, company, role, and plan.
  • Protected API endpoints require authentication, authorization, and request-origin checks.

Data, files, and retention

  • Many public tools process work directly in the browser without saving it to the workspace.
  • Saved outputs use manifests, checksums, retention, and audit trail.
  • Users can download an account export as a ZIP with data and related files.
  • Accounting documents follow retention rules instead of ordinary temporary cleanup.

Operations and continuity

  • Production deployment uses readiness checks, smoke tests, and a health endpoint.
  • Backups are prepared locally and offsite, with restore-readiness checks.
  • Uploads are file-signature validated and should pass malware scanning in production.
  • Rate limiting and nginx hardening protect login, API, and uploads from abuse.

Compliance and e-invoicing

  • OnlineOffice prepares UBL/PEPPOL data, validations, and operational evidence for e-invoicing.
  • Direct PEPPOL operations stay gated: they require testbed, PKI, SMP/SML/AS4, incident drill, and external approval.
  • The Enterprise ISO/security page helps collect controls, risks, vendor review, and access-review evidence.
  • Legal documents, GDPR, cookies, and accessibility statements are public.

Common questions

Is OnlineOffice ISO certified?

No. This page does not claim completed ISO certification. The product has control, risk, and evidence foundations that support a future audit.

Where can I download my data?

Account settings include a data export and ZIP archive with related files, manifest, and checksums.

Is direct PEPPOL already enabled?

Not for direct production operation. PEPPOL is prepared as readiness and evidence; final enablement requires certification, PKI, and go-live gates.

Contact for trust, security, and purchasing

If you need security evidence, plan clarification, or onboarding help, contact us. Do not send security reports publicly and do not include real passwords.

Email supportBusiness contact