OCP is designed to meet the highest data security standards. Data entered into the OCP is controlled by the user.

All data entered into the OCP belongs exclusively to the user and the user controls how it is shared. Data will not be shared unless explicitly agreed to by the user or, required by law or order of a court of competent jurisdiction or government department. The OCP does not collect or store any financial data.

FSC can only gain access to the OCP with permission of the user. FSC will not separately store any information entered into the OCP and will also not track, verify or analyze these data records. The authorized user will remain the sole and responsible owner of all data that is entered into OCP.

The customers and suppliers of the user that enters data will only have access to information that is already available to them via the current FSC COC certification program or has been shared with them on invoices and other documentation.  The FSC chain of custody standard already requires that this data is collected and records kept by certificate holders.

The data records can be deleted manually at any time by the user at the users own discretion.

The OCP is developed and maintained by Historic Futures Ltd, which operates a comprehensive Information Security Management System (ISMS). The OCP software itself is periodically security tested by an expert independent third party.


We know that it’s important for you to understand the protection measures that are used to guard the data in the OCP. But since you can’t physically touch the servers or walk through the data centers, how can you be sure that adequate security controls are in place?

The answer lies in the third-party certifications and evaluations that both Historic Futures and AWS have undergone. Both Historic Futures and AWS have achieved ISO 27001 certification, the most recognized standard for establishing, implementing, maintaining and continuously improving information security.

To read more on infomation security for the OCP please read Historic Futures information security overview.

The data in the OCP is hosted with Amazon Web Services (AWS) in their European data centers based in Dublin, Ireland. AWS’s world-class, highly secure data centers utilize state-of-the art electronic surveillance and multi-factor access control systems. Data centers are staffed 24×7 by trained security guards, and access is authorized strictly on a least privileged basis. Environmental systems are designed to minimize the impact of disruptions to operations. For a complete list of all the security measures built into the AWS cloud infrastructure, platforms, and services, please read AWS’s security overview.

Thousands of large international businesses use Amazon’s hosting services, including Amazon itself.

Other clients of Amazon can be found here.

FSC does not have access to certificate holders’ accounts or the data in the account, including any information about the certificate holder’s supply chain or transactional information.

User data entered into the OCP by the user can only be accessed by the user and others who have been provided access by the administrator of the account. User permissions are managed by the OCP account administrator from within the OCP service.

Claim data can be viewed by both trading parties to allow confirmation of claims. This is information both parties have exchanged outside of the OCP as part of their trading relationship by way of invoices or other documentation.

Historic Futures, FSC, the OCP support team and certification bodies do not have access to user accounts and data entered unless granted  access by the user. The only situation where FSC might be granted access by the user is when the user has a question or a problem with their OCP  account and needs to provide access to address the problem. This means that the OCP support team will have access to data only with the permission and knowledge of the user.

In case of certification bodies, information can only be accessed after agreement between the certificate holder and the certification body.  Only at this point will the certification body be able to view the information in the OCP, even though they are currently allowed to access this type of information through audits, namely FSC claims sent to customers and those received from suppliers. 

 For more details check out the full Terms and Conditions.

The master databases are backed up hourly to Amazon S3. A rolling history of 10,000 backups are kept.

The OCP system is built from generic virtual machines and designed so that the loss of any single machine will not result in downtime. Each server is built from a standard and can be rebuilt, on demand within minutes.

The OCP has been designed to operate across multiple data centers; the loss of a single data centre should not result in downtime.

An independent service provided by Pingdom.com is used to monitor system uptime and response time from a number of locations around the globe, click here for details. FSC has an service level agreement in place with Historic Futures governing system response times.

In line with Historic Futures ISMS, periodic security testing of OCP is undertaken by an independent third party, the current service provider is NCC Group.

The Historic Futures information security policy sets baselines for monitoring mechanisms to identify security trends and detect anomalies. Anomalies are reviewed to determine if they are indicative of a security event. Events are reported, investigated, escalated, and corrected to enable a rapid return to normal business operations. The process covers event detection and response and vulnerability management

To read more on infomation security for the OCP please read Historic Futures’ information security overview.

Read more on legal considerations and data privacy here.