Least-privilege access
Administrative access is limited based on job function, approved business need, and environment-specific permission boundaries.
COI DASH, operated by OneSpring LLC, is intended for teams that handle vendor onboarding, insurance records, and operational risk. This page outlines the general controls and processes we use to protect platform data, support availability, and respond to security concerns. It is written as a public-facing overview rather than a formal security exhibit or contractual commitment, and our specific practices may evolve over time.
Administrative access is limited based on job function, approved business need, and environment-specific permission boundaries.
We use encryption, secure transport, logging, and operational controls designed to reduce unauthorized access to customer and vendor data.
We monitor production systems, review incidents, and maintain response processes intended to contain issues and restore service promptly.
COI DASH is operated by OneSpring LLC, a Georgia limited liability company (“OneSpring,” “we,” or “us”). We maintain a security program designed around confidentiality, integrity, and availability. Our internal practices are intended to cover secure configuration, employee awareness, vendor reviews, environment management, and change controls appropriate for a cloud-based B2B SaaS product handling operational compliance data.
We restrict access to systems and data based on role and operational need. Administrative actions are limited to authorized personnel, and access is reviewed periodically. We aim to use strong authentication practices, environment separation, and auditable workflows for changes that affect sensitive systems or production data.
COI DASH is built to protect data throughout its lifecycle. Common controls may include:
We monitor platform health, application behavior, and security-relevant events to identify potential issues and unusual activity. When a suspected security incident is identified, we investigate, contain, remediate, and document the event. Where required by law or contract, affected customers are notified through the appropriate communication channels.
We rely on trusted third-party infrastructure and service providers to host, operate, and support parts of the COI DASH service. We seek to evaluate these providers for security fit, and we use contractual or operational safeguards intended to support appropriate handling of customer information. The COI DASH service is hosted in the United States.
We design the platform to support continuity through redundancy, backup practices, monitoring, and operational runbooks. While no system can guarantee uninterrupted availability, we aim to reduce downtime risk, detect failures quickly, and recover from service disruptions in a controlled manner.
This page describes our general security practices and is provided for informational purposes only. It is not a warranty, guarantee, or contractual commitment, and it does not create security or service-level obligations beyond those set out in a signed agreement between you and OneSpring. If a signed agreement or data processing addendum addresses security, that agreement controls.
No system, and no method of transmission or storage, is completely secure. We cannot guarantee that the service will be free from unauthorized access, vulnerabilities, or data loss, and the practices described here may change as the product and the threat landscape evolve.
If you believe you have found a security issue, vulnerability, or suspected misuse involving COI DASH, contact security@coidash.com. Please include relevant details, affected URLs or workflows, timestamps, and any supporting evidence so the issue can be reviewed efficiently.
We appreciate good-faith security research. If you report an issue responsibly, give us reasonable time to investigate and remediate before disclosing it publicly, and avoid accessing or altering data that is not yours, we will not pursue legal action against you for that research. Please do not perform testing that degrades, disrupts, or harms the service or other users.