OCP is designed to meet the highest data security standards. Data entered into the OCP is controlled by the user.

All data entered into the OCP belongs exclusively to the user and the user controls how it is shared. Data will not be shared unless explicitly agreed to by the user or, required by law or order of a court of competent jurisdiction or government department. The OCP does not collect or store any financial data.

FSC can only gain access to the OCP with permission of the user. FSC will not separately store any information entered into the OCP and will also not track, verify or analyze these data records. The authorized user will remain the sole and responsible owner of all data that is entered into OCP.

The customers and suppliers of the user that enters data will only have access to information that is already available to them via the current FSC COC certification program or has been shared with them on invoices and other documentation.  The FSC chain of custody standard already requires that this data is collected and records kept by certificate holders.

The data records can be deleted manually at any time by the user at the users own discretion.

The data in the OCP is hosted with Amazon Web Services (AWS) in their European data centers based in Dublin, Ireland. AWS’s world-class, highly secure data centers utilize state-of-the art electronic surveillance and multi-factor access control systems. Data centers are staffed 24×7 by trained security guards, and access is authorized strictly on a least privileged basis. Environmental systems are designed to minimize the impact of disruptions to operations. For a complete list of all the security measures built into the AWS cloud infrastructure, platforms, and services, please read AWS’s security overview.

Thousands of large international businesses use Amazon’s hosting services, including Amazon itself.

Other clients of Amazon can be found here.

FSC does not have access to certificate holders’ accounts or the data in the account, including any information about the certificate holder’s supply chain or transactional information.

User data entered into the OCP by the user can only be accessed by the user and others who have been provided access by the administrator of the account. User permissions are managed by the OCP account administrator from within the OCP service.

Claim data can be viewed by both trading parties to allow confirmation of claims. This is information both parties have exchanged outside of the OCP as part of their trading relationship by way of invoices or other documentation.

FSC, the OCP support team and certification bodies do not have access to user accounts and data entered unless granted  access by the user. The only situation where FSC might be granted access by the user is when the user has a question or a problem with their OCP  account and needs to provide access to address the problem. This means that the OCP support team will have access to data only with the permission and knowledge of the user.

In case of certification bodies, information can only be accessed after agreement between the certificate holder and the certification body.  Only at this point will the certification body be able to view the information in the OCP, even though they are currently allowed to access this type of information through audits, namely FSC claims sent to customers and those received from suppliers.

For more details check out the full Terms and Conditions.

The master databases are backed up hourly to Amazon S3. A rolling history of 10,000 backups are kept.

The OCP system is built from generic virtual machines and designed so that the loss of any single machine will not result in downtime. Each server is built from a standard and can be rebuilt, on demand within minutes.

The OCP has been designed to operate across multiple data centers; the loss of a single data centre should not result in downtime.

An independent service provided by Pingdom.com is used to monitor system uptime and response time from a number of locations around the globe, click here for details.

Anomalies are reviewed to determine if they are indicative of a security event. Events are reported, investigated, escalated, and corrected to enable a rapid return to normal business operations. The process covers event detection and response and vulnerability management.

Read more on legal considerations and data privacy here.