Osano stores de-identified data in our Dublin, Ireland data center and does not store identifiable information about your visitors, nor do we transfer personal data outside of the European Economic Area. For users (administrators) of Osano, we store personal data that is necessary for account management and security audits in our Virginia, USA data center.
Osano maintains an always-current SOC 2 report, which is available upon request to customers on any paid plan. Osano infrastructure and systems are tested for vulnerabilities nightly and are routinely penetration tested, and all data is transferred (in transit) and stored (at rest) using modern encryption protocols such as TLS 1.3 and AES-256 respectively. Additional information is available from your account executive.
If you are a current or prospective Enterprise customer, Osano can provide a full suite of third-party audits, policies, documentation, code security reports, code coverage reports, and architectural walkthroughs for your security team assessments.
Nations, states, major airlines, the world's largest financial institutions, energy conglomerates, defense contractors, CPG brands, and biotech multinationals have thoroughly vetted Osano security.
We are confident that Osano will exceed your security requirements.
Osano is built entirely on top of Amazon Web Services. The majority of the Osano application runs inside of AWS CloudFront instances in the region closest to you and your visitors. In addition to leveraging CloudFront for speed of delivery, Osano is fully fault tolerant. If a required AWS service at the data center in Berlin goes down, you and your customers will never know, because Osano's proprietary failover technology will immediately route requests to Frankfurt.
The result is extreme scalability and high performance. During peak hours, Osano processes upwards of 3.5 million consents per hour and 10 million cookie reports per hour. Osano is the most used, highest volume, fastest, and most reliable data privacy platform in the world.
You are always able to invite Osano support to your account to assist with troubleshooting or configuration, but unless you invite us, no Osano employee has the ability to access your account.
Personal data is encrypted using an encryption key which is unique to each customer. Most data is stored using a per customer salt and SHA-512 hashing.
Osano stores the minimum necessary data to provide you with service, and nothing more.
No. When you first deploy Osano, it is automatically set to a non-breaking, listener-only mode. During that time, it only collects data about the scripts and cookies that load on your website.
Osano does not collect data about your users other than IP addresses, which are stored for 30 days for fraud and abuse detection and then permanently deleted from our log files. In some jurisdictions, IP addresses are considered PII, so we do recommend adding Osano to your GDPR statement as a sub-processor.
Developers can easily add additional capabilities to a website by listening for Osano events. Read the developer documentation for more information.
Arabic, Bulgarian, Catalan, Chinese, Czech, Danish, Dutch, English, Farsi/Persian, Finnish, French, German, Greek, Hebrew, Hindi, Hungarian, Indonesian, Italian, Japanese, Korean, Malay, Norwegian, Polish, Portuguese, Romanian, Russian, Serbian, Slovak, Spanish, Swedish, Thai, Turkish, Ukrainian, and Vietnamese
To avoid repeatedly requesting consent from a visitor, Osano sets two cookies identifying the categories of consent and their expiration as provided by the end-user. These cookies qualify as "Strictly Necessary" and do not require consent.
When you use the Osano GDPR representative service, if you receive any data subject requests or correspondence from an EU supervisory authority, you will receive an email and upon logging in to Osano, you'll have access to your inbox.
At that point, you can work with our local EU counsel or your own counsel to decide how you would like to respond.
A key component of responding to data subject requests is timeliness: responses must come "without delay and within one month". The efficiency of Osano helps reduce the time crunch for requests.
No. Osano acts as a representative to receive notices from data subjects and government bodies on your behalf.
It entirely depends on the request. Generally, you will want to verify the identity of the individual to ensure they are authorized to make the request.
In all cases, you will need to quickly find every single record containing any PII that is associated with that individual. This includes data shared with vendors and data stored in your own databases or files.
If it is a deletion request you need to respond to the subject confirming the deletion. If it is a simple inquiry you will need to provide the list of fields that you have stored about that individual.
Each vendor is measured on a 163-item ontology. Osano attorneys review the published policies for a vendor and map those practices to the ontology.
In the application, you can see the summary score, but also the breakdown of how that score was calculated.
Yes. When you navigate to a vendor's detail page, you can explore all of the subprocessors for that vendor. If you believe a subprocessor may be an important fourth party for your own data, follow that subprocessor as an "indirect" vendor to be alerted about score changes, lawsuits, and policy changes.
If you are a vendor in our system and you are concerned about your score, we recommend that you schedule a time with the Experts. The Experts can help you understand where your practices may be substandard.
The Experts will not share the ontology with you or provide specifics about your individual score.
Osano crawls every document once per 24 hours. This means you will always find out about changes quickly after they are made.
No. Change alerts are based only on the content of the policy itself. Osano converts each policy into a rich text format for comparison with future versions.
In the application in the "Policy Changes" section, you will find an ordered list of the changes for each of your vendors. Viewing the policy allows you to compare versions visually.
Osano automatically monitors the policies for every company you tell us is a vendor of yours. The number of vendors you can follow is determined by the Osano plan your company purchased.
The Osano alerts generally include a summary of who the law applies to, the status of the law (enacted or in consideration), and an explanation of what most Osano customers will want to do in response to the law.
We encourage you to check with your attorney prior to making any decisions.
In the Osano application, you will be provided with an option to subscribe to regions that you do business in. Those regions can be states, countries, or broad regions such as the EU. Once Osano knows your preferred regions you will begin receiving updates.
Osano monitors all U.S. federal courts and many state courts.
Osano does not monitor any international courts.
In order to subscribe to a vendor's lawsuit notifications, you must have added that company as a direct or indirect vendor of yours. The number of vendors you can follow and receive alerts for is based on your tier of service.
In the application, you can access a case summary. Additional documents related to the case are available. Depending on the case and the court in which it was filed, some documents are free to access while others require a one-time purchase.
Many of our experts (but not all) are attorneys. All experts are either attorneys OR Certified Information Privacy Professionals (CIPP). Our experts are not acting as attorneys or providing legal advice when answering questions.
The experts can provide you with general guidance on practices that may help improve your score, but the experts cannot influence the scores, nor do the experts know how the Osano algorithm weighs the items in the ontology.
No. Osano does not practice law, does not provide legal advice, and does not provide regulatory guidance. Osano provides information about best practices for privacy programs and implementation. All information provided by Osano is the opinion of the company. You should always consult your own legal counsel for final verification of any decisions.
Open a ticket with support to enable API access if you are on a tier that includes API access.
Once API access is enabled for your account you will have access to a screen to generate tokens to submit data.
Osano stores, in plain text, the fields that you tell us you store about each individual, along with a one-way (hashed) representation of that information. This makes the information searchable but not reversible: you can confirm whether you are storing a person's information based on PII (e.g. email, phone, IP address), but you cannot reverse engineer the identity of the person from Osano data, nor can any individual piece of information be viewed.
Yes, you can search the records of consents and PII storage via API. What you receive back is a yes/no flag on whether that information exists in our ledger for your customer account. You also receive which fields were stored about that individual and which vendors the data has been shared with, along with timestamps. You cannot retrieve PII in Osano because we do not store the PII, only a hash of the PII.
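The hash-only lookup described in the two answers above, as an added example (not Osano's code or API): the `ConsentLedger` class, its method names, the salt-then-value SHA-512 construction and the trim/lowercase normalization are all assumptions made for illustration.

```python
import hashlib
import secrets
from datetime import datetime, timezone


def normalize(value: str) -> str:
    # Assumed normalization so " Ann@Example.com" and "ann@example.com" match.
    return value.strip().lower()


class ConsentLedger:
    """Hypothetical ledger that keeps digests of PII, never the PII itself."""

    def __init__(self):
        self._salts = {}    # customer_id -> random per-customer salt
        self._records = {}  # (customer_id, digest) -> metadata

    def _digest(self, customer_id: str, pii: str) -> str:
        salt = self._salts.setdefault(customer_id, secrets.token_bytes(32))
        data = salt + normalize(pii).encode("utf-8")
        return hashlib.sha512(data).hexdigest()

    def record(self, customer_id, pii, fields, vendors):
        key = (customer_id, self._digest(customer_id, pii))
        self._records[key] = {
            "fields": sorted(fields),    # field names only, in plain text
            "vendors": sorted(vendors),  # who the data was shared with
            "recorded_at": datetime.now(timezone.utc).isoformat(),
        }

    def lookup(self, customer_id, pii):
        # Recompute the digest from the queried value; answer yes/no + metadata.
        key = (customer_id, self._digest(customer_id, pii))
        meta = self._records.get(key)
        return {"exists": False} if meta is None else {"exists": True, **meta}

    def stored_values(self):
        # Everything the ledger persists, flattened for inspection.
        return [str(k) + str(v) for k, v in self._records.items()]


def demo():
    ledger = ConsentLedger()
    # Constructed sample data, not real records.
    ledger.record("acme", "Ann@Example.com", ["email", "phone"], ["mailer-inc"])
    return ledger
```

Because the lookup works by recomputing the digest, anyone holding a customer's salt can test guesses the same way, so the salt needs the same protection as a key.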
We hate to see you go, but you can cancel anytime. In the application, follow the easy instructions. If you are on a trial you will retain access until the trial period is over. If you are on a paid plan you will retain access and be billed through the conclusion of your agreement.
If you were billed by Osano but do not recognize or did not authorize the charge, please contact us immediately to open up a fraud investigation on your payment method.
Our commitment to helping organizations improve their privacy practices is part of our charter. If you need Osano services but cannot afford them, we're happy to discuss your situation.
Osano also offers discounts to startups who have raised less than $2M in funding, non-profits, and fellow B-corporations.
Contact us for a discount code.