OneSignal is committed to the security and privacy of data stored on our platform. We’ve implemented a number of security controls and features to ensure our organization and service is safe. In this page we illustrate the most common security related requests of our customers.

PII Masking

Hide emails & phone numbers in the dashboard and any exports for all users. See Handling Personal Data for more details.

SOC 2 Type II & ISO 27001/27701

OneSignal is SOC 2 and ISO certified.

HIPAA

We comply with HIPAA regulations.

GDPR

OneSignal complies with GDPR and helps its Customers maintain their GDPR responsibilities. Our data centers are located in the EU.

Data Privacy Framework

We are certified under the Data Privacy Framework for data transfers between the EU and the US.

Third Party Security Assessment and Vulnerability Scans

We perform an annual security assessment with an independent third party. In addition, we perform quarterly vulnerability and penetration scans. All critical and high findings are remediated.

Workstation Security

All of our workstations are enabled with firewall, endpoint protection, and encryption at rest in place.

Incident Response

We have a robust incident response program in place.

Dedicated Security Organization

We have a dedicated security team that monitors and triages security issues.

Industry Standard Encryption

Customer data is secured using industry standard encryption algorithms, both at rest and during transmission.

Single Sign On (SSO)

Through WorkOS, OneSignal supports SSO with popular identity providers for login.

2FA Enforcement

Administrators can enforce 2FA across an organization.

Personnel Security

We perform security awareness training regularly. Background checks are per formed on all new employees.

Data Governance and Retention

Customers remain as the data controller and OneSignal acts as the data processor. Messages sent via our API & Journeys are stored for 30 days before deletion. Messages sent through our dashboard Messages form are stored until you choose to delete it. User data is retained for all paid plans until you choose to delete it. On free plans, we retain your user data that have been active in the past 18 months.

Data Export

Our platform provides easy-to-use tools for exporting data. -Exporting data

FAQs

Does OneSignal use cookies?

OneSignal’s Web SDK does not use cookies. We do use Local storage and IndexDB. You may see the cookie __cf_bm in your browser attributed to OneSignal. This cookie is set by Cloudflare and is used to fight bots. The EU cookie law explicitly allows cookies that implement system features without user consent. Cloudflare explicitly mentions these cookies in their own policy under Strictly Necessary; including that they cannot be opted out of. For more details, see this GDPR explainer on not needing explicit user consent for Strictly Necessary cookies.

What data is collected by the OneSignal SDK?

See Data Collected by the OneSignal SDK.

How do you recommend handling user data in OneSignal?

See Handling Personal Data.

Is OneSignal COPPA compliant?

OneSignal is certified with the Families Ads Program as of January 10th 2022. COPPA is the responsibility of the publisher to maintain. However, OneSignal provides an easy solution for gathering User Consent before collecting data and prompting for push. More details on how to properly handle this interaction can be found in this article: How to Implement COPPA Compliant Push Notifications in Kid Directed Apps.

How can I or my users opt-out (unsubscribe) from web push notifications?

See Unsubscribe from Notifications.

How to lock down or secure my OneSignal account?

It is recommended that all OneSignal accounts setup 2-Step Authentication and/or Single Sign-On. Remove Team Members that do not need access to your account. Multiple people should also not share a single account. You should have 1 email associated for each person. Disable, delete and/or rotate your API keys. See Keys & IDs for details. Do not publish your API Keys. These keys should not be placed anywhere publicly accessible like Github or within your app/site. Reset your password. See Account Management for details.

What happens if a “bad actor” gains access to my OneSignal REST API Key?

If you believe that your REST API key has been compromised, you can delete and/or rotate it. See Keys & IDs for details.

What happens if a “bad actor” gains access to my OneSignal App ID?

Your OneSignal App ID is public. The only thing someone could potentially do with this information is create new Users. However, that record cannot receive messages if the device wasn’t subscribed through valid means. You can prevent users from impersonating one another with Identity Verification.

What happens if a “bad actor” gains access to a OneSignal subscription?

A user’s own subscription_id is public to that user, and discovering it is generally harmless. It can be used to view and update tags and other data about the user’s subscription. For this reason, tags should not be used for either authentication or the storage of sensitive data and personally-identifiable information. Users of your application or service should not be given access to the subscription_ids of other users. This is because a subscription_id on its own is sufficient to send a notification to that user’s device. So the subscription_ids belonging to other people should be kept secret. You can prevent users from impersonating one another with Identity Verification.