Total control over data security

We provide a comprehensive range of security tools and services, keeping your data safe on all fronts. Host solutions on-premises, encrypt documents and data, customize access settings, and connect authentication services and manage access rights to protect yourself from unauthorized access, data leaks, and insider actions.

Want to examine the innermost composition of our solutions?

Compliance with data protection regulations

GDPR compliance

General Data Protection Regulation (GDPR) was adopted in order to protect end-users of software, regulating the way companies handle their information when working with EU residents. We respect our users’ right to own and control their personal data, and we created products which are fully compliant with European laws.

Therefore, ONLYOFFICE sticks to data minimalism and we let users know how data is collected, stored, and processed. ONLYOFFICE gives freedom to access, copy, delete, restrict, or move any personal data. If your organization acts as a data controller and provides ONLYOFFICE to end-customers, you get complete access to the procedures through which they can execute their legal rights related to their personal data.

Read more about ONLYOFFICE GDPR compliance
HIPAA compliance

Health Insurance Portability and Accountability Act (HIPAA) requires any organization providing treatment, payment, and operations in healthcare, as well as their business associates and subcontractors who have access to any of their data assets, to protect sensitive patient data according to a set of recognized standards. ONLYOFFICE protects structured and unstructured data both at rest and in transfer, data audits, provides data integrity controls, etc., to provide the mandatory attributes defined by HIPAA and ensure that the customer organization stays fully compliant with the Act.

Read more about HIPAA compliance in ONLYOFFICE


ONLYOFFICE was designed for businesses carrying out sensitive communication and records that, if compromised, may to various extent endanger customers and internal operations. Our range of solutions keeps your services and all assigned data completely within your physical perimeter. We put hardware protection in your hands, allowing you to manually maintain stability and connectivity as your business standards demand.

We provide complete technical support for on-premise deployment and release regular software updates.

Data encryption

Encryption at rest

Breach of data at rest is one of the top digital security risks for organizations working with sensitive data within their infrastructures. To protect the data of your company and your users, you can perform Encrypt-then-MAC type of encryption (AES-256-CBC + HMAC-SHA256) of the entire body of data within the ONLYOFFICE instance. AES-256 encryption type with CipherMode.CBC symmetric algorithm is used for enciphering data on the portal, while SHA256 hashing function paired with HMAC message authentication code screening verify the integrity and authenticity of the encrypted data.

Private rooms

ONLYOFFICE offers additional protection of confidential files with Private Rooms. It is a space where you can store, edit, and share documents in always-encrypted form. Each document is automatically encrypted with randomly generated AES-256 keys that are shared with authorized users by means of asymmetric encryption. Files that are created, stored and shared within a Private Room never leave the directory and cannot be copied, re-distributed, or decrypted. Document encryption and decryption is performed strictly on the user’s machine end-to-end.

Document password protection

You can protect documents with passwords manually to make sure no-one can access your files without receiving a password from you. The documents are protected with AES-256 encryption algorithm, and can be opened in any editor that supports password protection.

Data protection


JSON Web Token (or JWT) protects documents from unauthorized access. This technology secures portal traffic and ensures that users cannot access more data than permitted to them, which is critical in case of external user invitation.

ONLYOFFICE editors request an encrypted signature that is contained in the token. The token is added in the configuration when Document Editor is initialized and during the exchange of commands between inner services (storage service, editing service, command service, and conversion service), therefore validating the right to perform a certain operation with the data.

Document permission management

ONLYOFFICE editors work on the client, moving most of the data load to the individual user’s browser. This approach allows you to create a flexible range of document permission types that include both full access and view-only permissions, and also permissions for exclusively commenting, reviewing or filling forms. Additionally, it is possible to restrict downloading, printing, and copying of documents to block further distribution of content. You can also restrict other users from changing the sharing settings.

Spreadsheet protection

Protect access to data in your spreadsheets and selectively restrict editing of spreadsheet elements:

Encrypt spreadsheets to protect all data and safely share them with trusted users.
Protect workbook or separate sheet from selected actions to keep the contents and structure safe.
Allow editing for specific ranges in a protected workbook or worksheet.
Hide formulas from other users.
Lock spreadsheet elements: cells, texts, and shapes.

You can apply watermarks containing information about the document and the author to protect content rights when the documents are distributed.


ONLYOFFICE allows you to encrypt your traffic using HTTPS protocol, whether you already possess an SSL certificate or not. Upload the existing public keys generated on your server or on its base, or issue the new CA-signed certificate on

Read more about using HTTPS in ONLYOFFICE

Digital signatures

Applying digital signatures to documents helps confirm their integrity and authenticity. In ONLYOFFICE, you can use any certificates to add signatures to documents, request signatures from one or multiple parties, customize signature layout and appearance.

Authentication and portal access control

Two-factor authentication

In the age of electronic fraud and social engineering, we are all vulnerable. Protect the log-in procedure on your portal with dynamic passcodes sent via mobile text messages. The classified data stored in your cloud or server facilities can be easily accessed if your users mishandle their personal passwords. Do not risk it.

We integrated Clickatell, SMSC, and Twilio services to allow the selection of an appropriate SMS package for any team and budget.

Additionally, it is possible to enable two-factor authentication via code generation app (Google Authenticator, Authy, etc.).

Read more about how to use two-factor authentication in ONLYOFFICE
Single Sign-On (SSO)

By choosing Single Sign-On over the classic authentication, you do not let us store any of your log-in data, ensuring it, instead, to one of the trusted global authentication services. ONLYOFFICE is the service provider (SP), while the third-party application acts as the Identity Provider (IdP). Providers verify user's authentication and discreetly keep credentials on their side minimizing the risk of unauthorized acquisition of this data.

Currently, we have three IdPs integrated with ONLYOFFICE to perform Single Sign-On feature: Shibboleth, OneLogin, and AD FS.

Read more about how Single Sign-On works in ONLYOFFICE
Access rights management

The threat of malicious internal action scales with business size and data classification variety, thus necessitating the differentiation of rights.

Users of your private portal can be easily grouped and hierarchized. Set access rights to portal modules and data for each user or group to protect specific data from unwanted attention and insider actions.

Read more about the access rights management
Authentication filtering and monitoring

A customized set-up for log-in criteria allows you to manage specific frameworks for authentication based on your knowledge and concerns. Moreover, all activities can be manually monitored and reported to reveal the potentially fraudulent or harmful behavior.

Trusted mail domains. This option allows you to manually select the mail servers that sign-up emails should belong to. Customized mail domains are also supported.

Password creation criteria. Here you can set the minimum password length and determine whether it must contain certain types of characters - capital characters, digits, or special symbols.

Cookie lifetime. An automatic log-out will be performed after a chosen period of time if this option is enabled.

IP restriction. This setting permits portal access only to chosen IPs.

Login History. With Login History you can view the whole history of successful and failed login attempts and log-offs.

Audit Trail reports track which actions were performed by each user of the portal and when.


The remote backup dislocation cuts maintenance costs and saves time by automating security procedures. Your data can be backed up both manually and automatically to the ONLYOFFICE Documents module, a storage of your choice (DropBox, Box, Google Drive, OneDrive, etc.) or a third-party service (AWS S3, Google Cloud Storage, Rackspace Cloud Storage, or Selectel Cloud Storage). Own local drive is offered as an option for temporary manual backup, if necessary. Read more about data backup in ONLYOFFICE

ONLYOFFICE Bug Bounty Program

We want to make our products as reliable and secure as we can, and here’s where the help from external talents can power up our own internal testing efforts. Everyone from professional ethical hackers to aspiring security enthusiasts can take part in our Bug Bounty Program on HackerOne to find and report vulnerabilities and receive fair compensation.
Read more details about how it works in our blog.