Get free mobile app

ONLYOFFICE DOCS 8.2 release on October 17th: Join our free webinar and win cool prizes

Total control over data security

We provide a comprehensive range of security tools and services, keeping your data safe on all fronts. Host solutions on-premises, encrypt documents and data, customize access settings, and connect authentication services and manage access rights to protect yourself from unauthorized access, data leaks, and insider actions.

Want to examine the innermost composition of our solutions?

Compliance with data protection regulations

GDPR compliance

General Data Protection Regulation (GDPR) was adopted in order to protect end-users of software, regulating the way companies handle their information when working with EU residents. We respect our users’ right to own and control their personal data, and we created products which are fully compliant with European laws.

Therefore, ONLYOFFICE sticks to data minimalism and we let users know how data is collected, stored, and processed. ONLYOFFICE gives freedom to access, copy, delete, restrict, or move any personal data. If your organization acts as a data controller and provides ONLYOFFICE to end-customers, you get complete access to the procedures through which they can execute their legal rights related to their personal data.

Read more about ONLYOFFICE GDPR compliance
HIPAA compliance

Health Insurance Portability and Accountability Act (HIPAA) requires any organization providing treatment, payment, and operations in healthcare, as well as their business associates and subcontractors who have access to any of their data assets, to protect sensitive patient data according to a set of recognized standards. ONLYOFFICE protects structured and unstructured data both at rest and in transfer, data audits, provides data integrity controls, etc., to provide the mandatory attributes defined by HIPAA and ensure that the customer organization stays fully compliant with the Act.

Read more about HIPAA compliance in ONLYOFFICE

Self-hosting

ONLYOFFICE was designed for businesses carrying out sensitive communication and records that, if compromised, may to various extent endanger customers and internal operations. Our range of solutions keeps your services and all assigned data completely within your physical perimeter. We put hardware protection in your hands, allowing you to manually maintain stability and connectivity as your business standards demand.

We provide complete technical support for on-premise deployment and release regular software updates.

Data encryption

Encryption at rest

Breach of data at rest is one of the top digital security risks for organizations working with sensitive data within their infrastructures. To protect the data of your company and your users, you can perform Encrypt-then-MAC type of encryption (AES-256-CBC + HMAC-SHA256) of the entire body of data within the ONLYOFFICE instance. AES-256 encryption type with CipherMode.CBC symmetric algorithm is used for enciphering data on the portal, while SHA256 hashing function paired with HMAC message authentication code screening verify the integrity and authenticity of the encrypted data.

End-to-end encryption

ONLYOFFICE offers additional protection of confidential files with Private Rooms. It is a space where you can store, edit, and share documents in always-encrypted form. Each document is automatically encrypted with randomly generated AES-256 keys that are shared with authorized users by means of asymmetric encryption. Files that are created, stored and shared within a Private Room never leave the directory and cannot be copied, re-distributed, or decrypted. Document encryption and decryption is performed strictly on the user’s machine end-to-end.

Document password protection

You can protect documents with passwords manually to make sure no-one can access your files without receiving a password from you. The documents are protected with AES-256 encryption algorithm, and can be opened in any editor that supports password protection.

Data protection

JWT

JSON Web Token (or JWT) protects documents from unauthorized access. This technology secures portal traffic and ensures that users cannot access more data than permitted to them, which is critical in case of external user invitation.

ONLYOFFICE editors request an encrypted signature that is contained in the token. The token is added in the configuration when Document Editor is initialized and during the exchange of commands between inner services (storage service, editing service, command service, and conversion service), therefore validating the right to perform a certain operation with the data.

Document permission management

ONLYOFFICE editors work on the client, moving most of the data load to the individual user’s browser. This approach allows you to create a flexible range of document permission types that include both full access and view-only permissions, and also permissions for exclusively commenting, reviewing or filling forms. Additionally, it is possible to restrict downloading, printing, and copying of documents to block further distribution of content. You can also restrict other users from changing the sharing settings. Besides, you are able to set time limits and passwords for externally shared documents and folders.

Spreadsheet protection

Protect access to data in your spreadsheets and selectively restrict editing of spreadsheet elements:

Encrypt spreadsheets to protect all data and safely share them with trusted users.
Protect workbook or separate sheet from selected actions to keep the contents and structure safe.
Allow editing for specific ranges in a protected workbook or worksheet.
Hide formulas from other users.
Lock spreadsheet elements: cells, texts, and shapes.
Watermarks

You can apply watermarks containing information about the document and the author to protect content rights when the documents are distributed.

HTTPS

ONLYOFFICE allows you to encrypt your traffic using HTTPS protocol, whether you already possess an SSL certificate or not. Upload the existing public keys generated on your server or on its base, or issue the new CA-signed certificate on letsencrypt.org.

Read more about using HTTPS in ONLYOFFICE

Digital signatures

Applying digital signatures to documents helps confirm their integrity and authenticity. In ONLYOFFICE, you can use any certificates to add signatures to documents, request signatures from one or multiple parties, customize signature layout and appearance.

Authentication and portal access control

Two-factor authentication

In the age of electronic fraud and social engineering, we are all vulnerable. Protect the log-in procedure on your portal with dynamic passcodes sent via mobile text messages. The classified data stored in your cloud or server facilities can be easily accessed if your users mishandle their personal passwords. Do not risk it.

We integrated Clickatell, SMSC, and Twilio services to allow the selection of an appropriate SMS package for any team and budget.

Additionally, it is possible to enable two-factor authentication via code generation app (Google Authenticator, Authy, etc.).

Read more about how to use two-factor authentication in ONLYOFFICE
Single Sign-On (SSO)

By choosing Single Sign-On over the classic authentication, you do not let us store any of your log-in data, ensuring it, instead, to one of the trusted global authentication services. ONLYOFFICE is the service provider (SP), while the third-party application acts as the Identity Provider (IdP). Providers verify user's authentication and discreetly keep credentials on their side minimizing the risk of unauthorized acquisition of this data.

Currently, we have three IdPs integrated with ONLYOFFICE to perform Single Sign-On feature: Shibboleth, OneLogin, and AD FS.

Read more about how Single Sign-On works in ONLYOFFICE
Access rights management

The threat of malicious internal action scales with business size and data classification variety, thus necessitating the differentiation of rights.

Users of your private portal can be easily grouped and hierarchized. Set access rights to portal modules and data for each user or group to protect specific data from unwanted attention and insider actions.

Read more about the access rights management
Authentication filtering and monitoring

A customized set-up for log-in criteria allows you to manage specific frameworks for authentication based on your knowledge and concerns. Moreover, all activities can be manually monitored and reported to reveal the potentially fraudulent or harmful behavior.

Trusted mail domains. This option allows you to manually select the mail servers that sign-up emails should belong to. Customized mail domains are also supported.

Password creation criteria. Here you can set the minimum and maximum password length and determine whether it must contain certain types of characters - capital characters, digits, or special symbols.

Cookie lifetime. An automatic log-out will be performed after a chosen period of time if this option is enabled.

IP restriction. This setting permits portal access for users and admins only to chosen IPs.

Login settings. Set up a limit of unsuccessful login attempts to protect your portal from brute-force attacks.

Login History. With Login History you can view the whole history of successful and failed login attempts and log-offs.

Audit Trail reports track which actions were performed by each user of the portal and when.

Backup

The remote backup dislocation cuts maintenance costs and saves time by automating security procedures. Your data can be backed up both manually and automatically to the ONLYOFFICE Documents module, a storage of your choice (DropBox, Box, Google Drive, OneDrive, etc.) or a third-party service (AWS S3, Google Cloud Storage, Rackspace Cloud Storage, or Selectel Cloud Storage). Own local drive is offered as an option for temporary manual backup, if necessary. Read more about data backup in ONLYOFFICE

ONLYOFFICE Bug Bounty Program

We want to make our products as reliable and secure as we can, and here’s where the help from external talents can power up our own internal testing efforts. Everyone from professional ethical hackers to aspiring security enthusiasts can take part in our Bug Bounty Program on HackerOne to find and report vulnerabilities and receive fair compensation.
Read more details about how it works in our blog.

Learn more about ONLYOFFICE security measures

White paper

Components and mechanics of end-to-end document encryption in ONLYOFFICE Workspace
Learn more

Blog

What is JWT and how this technology protects your documents?
Learn more

Guides

Reinforcing security. Control access to your portal and monitor all users activity
Learn more
Frequently Asked Questions
  • Does ONLYOFFICE have access to the information about operations with files and data?

    No, such information is not shared with ONLYOFFICE unless exclusive access is provided to our services team. As an owner or administrator of ONLYOFFICE Workspace, you can access Audit Trail log in the security settings and retrieve the information about user actions.

  • Is there a server-side data encryption feature? How does it work?

    You can enable encryption at rest in the server version of ONLYOFFICE Workspace. This action protects your data from possible intruders even if they get access to your machine. Encryption is based on a Encrypt-then-MAC method and encrypts the entire body of data within the ONLYOFFICE Workspace instance and is compliant with AES-256 international data encryption standard.

  • What content protection features does ONLYOFFICE provide?

    You can encrypt document using simple password encryption which will also allow you to manage access to different actions in documents, such as commenting, reviewing, and filling forms. It is possible to restrict copy, downloading, and printing of the files, as well as apply watermarks. You can also encrypt spreadsheets, and apply additional settings to protect separate sheets, lock spreadsheet elements, hide formulas. In Private Rooms, you can encrypt text document end-to-end with the strongest encryption methods and work on them collaboratively in the encrypted form. Among other available tools are watermarks.

  • What user roles does ONLYOFFICE Workspace support and what rights do they have?

    There are following types of user roles available: Guest, User, Administrator and Owner. Owners have full access to all the features and settings in ONLYOFFICE Workspace. Module Administrators have access to selected module configuration and can moderate the module content, while Full Access Administrators can also manage general Workspace settings and its users. In Projects module, you can also appoint project managers who can manage the current project and its members, change settings and moderate various items in a project.

  • Are there audit features in ONLYOFFICE Workspace? What information is included in the access log?

    There is an Audit Trail feature in ONLYOFFICE Workspace. It includes the details about IP, browser, platform, date, user, page, action type, product, and module. You can search, sort, and filter items in the Audit Trail log.

  • Is there automatic backup in ONLYOFFICE?

    There are automatic backup options in ONLYOFFICE Workspace. You can choose the copy location, set up date and time, and define the number of backup copies to be stored.

  • Does ONLYOFFICE Docs instance store any user data?

    ONLYOFFICE Docs processes document editing and conversion, but it does not store any document or user data.

  • What security features does ONLYOFFICE API support?

    ONLYOFFICE Workspace (collaboration platform) API provides methods for managing active connections, audit trail data, login history, authentication and 2FA, IP restrictions, LDAP, SSO, and security settings for Workspace and its modules. Partial access to Private Rooms functionality can also be gained via API. ONLYOFFICE Docs API provides methods for setting up JWT, using watermarks, enabling basic and advanced document permissions.

  • How does the OnlyOffice authenticate each request? How is request authentication supported in the API?

    ONLYOFFICE authenticates POST requests using security tokens. Full information about how requests work can be found in our API documentation.