Object First Trust Center

Object First is committed to Secure by Design principles as defined by CISA, third-party independent penetration testing, and Zero Trust Data Resilience (ZTDR). This Trust Center provides clear, transparent information about our security practices, privacy alignment, and the architectural foundations that make Object First Simply Resilient.

Key Validation Sources

  • CISA Secure by Design pledge: Object First has signed the pledge as a public commitment to continuously improve the security of its products and services and to build a safer business ecosystem for partners and customers.
  • Third-party penetration testing: annual independent penetration testing validates the security of Object First products, including the external attack surface, configuration hardening, and resilience controls.
  • Zero Trust Data Resilience guide: an in-depth guide to applying Zero Trust principles to backup storage for ransomware resilience.
  • Absolute Immutability requirements: an outline of the requirements backup storage must meet so that no destructive action of any kind can be carried out against backup data.
  • Independent compliance report: independent validation that Object First can help customers meet key financial services regulations, including SEC Rule 17a-4(f) and FINRA Rule 4511(c).
  • Independent research: research and analysis demonstrating how Object First strengthens ransomware resilience, reduces operational risk, and aligns with Zero Trust Data Resilience principles.

Vulnerability Reporting

Object First maintains a transparent, responsible vulnerability disclosure process. If you have a security concern involving an Object First product or website, read our Vulnerability Reporting Policy and report it to [email protected]. The security team will conduct a thorough investigation of each report and take appropriate action for resolution as needed.

How Object First Implements Zero Trust

The Zero Trust Maturity Model, published by CISA and built on the Zero Trust Architecture defined in NIST SP 800-207, has become the reference framework for modern security architecture. Zero Trust assumes that no user, device, or application is trustworthy by default, whether inside or outside the network perimeter, and mandates continuous verification of every access request. Object First adheres to the Zero Trust Maturity Model across internal development and IT practices, as well as within our solution design, so customers receive a Zero Trust-ready appliance that does not weaken their existing security architecture. We take this a step further by also following the ZTDR framework.

Zero Trust Data Resilience

The Zero Trust Data Resilience (ZTDR) framework, introduced by Veeam and Numberline Security, defines how organizations secure backup software and backup storage, so recovery remains possible even when operating under Assume Breach conditions. ZTDR applies Zero Trust principles directly to backup infrastructure and is built on three pillars:

  • Segmentation: Strict separation of backup software and backup storage to reduce the attack surface.
  • Multiple Data Resilience Zones: Support for the 3‑2‑1-1-0 Rule and multilayered security domains.
  • Immutable Backup Storage: Zero Access to destructive actions, even for privileged administrators.

Object First appliances comply with Zero Trust and ZTDR principles and will continue to meet the requirements of both models.

Absolute Immutability

Object First enforces immutability at the storage layer using S3 Object Lock. Backup data becomes immutable the moment it is written, on a physical storage appliance, with no administrative override. This ensures that even during a ransomware attack, backup data remains intact.

Achieving Absolute Immutability through Zero Access requires adherence to three core principles:

S3 Object Storage
A fully documented, open standard with native immutability (S3 Object Lock), which allows independent penetration testers to verify the behavior rather than trust a proprietary claim.
Zero Time to Immutability
Backup data must be immutable the moment it is written; there must be no window between the write and the lock in which data could be altered or deleted.
Target Storage Appliance
A dedicated target storage appliance segments storage from backup software and removes the risks of DIY, self-managed backup storage, particularly during setup, updates, and maintenance. It requires little to no security expertise from the customer and shifts responsibility for hardening and patching to the vendor.
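The following is an added example, not Object First's code and not the appliance's internal implementation: a small in-memory model of the documented S3 Object Lock rules that the three principles above rely on. A bucket default retention rule is applied by the same write that creates an object version (Zero Time to Immutability); a COMPLIANCE-mode retention cannot be shortened or bypassed by any principal, including a full administrator; a GOVERNANCE-mode retention yields only to a principal holding s3:BypassGovernanceRetention who explicitly requests the bypass; and a delete without a version ID only writes a delete marker, leaving every retained version restorable. The bucket names, keys, timeline, and the "root" principal are constructed for the demonstration; against a real S3 endpoint the refused calls would come back as AccessDenied.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Added example, not Object First or AWS code: an in-memory model of the
# documented S3 Object Lock rules that Absolute Immutability rests on.

class LockedError(Exception):
    """Where S3 would return AccessDenied for a retained object version."""

@dataclass
class Version:
    version_id: str
    body: bytes
    mode: Optional[str]              # "COMPLIANCE", "GOVERNANCE" or None
    retain_until: Optional[datetime]
    delete_marker: bool = False

@dataclass
class Principal:
    name: str
    can_bypass_governance: bool = False   # holds s3:BypassGovernanceRetention

@dataclass
class LockedBucket:
    """Versioned bucket with Object Lock enabled and a default retention rule."""
    default_mode: str = "COMPLIANCE"
    default_days: int = 30
    versions: dict = field(default_factory=dict)   # key -> [Version, ...]
    seq: int = 0

    def _new_version(self, key, body, mode, retain_until, marker=False):
        self.seq += 1
        v = Version(f"v{self.seq}", body, mode, retain_until, marker)
        self.versions.setdefault(key, []).append(v)
        return v

    def put_object(self, key: str, body: bytes, now: datetime) -> Version:
        # Zero Time to Immutability: the bucket default rule is applied by the
        # same write that creates the version, so no unprotected window exists.
        return self._new_version(key, body, self.default_mode,
                                 now + timedelta(days=self.default_days))

    def _find(self, key: str, version_id: str) -> Version:
        return next(v for v in self.versions[key] if v.version_id == version_id)

    @staticmethod
    def _may_override(v: Version, who: Principal, bypass: bool) -> bool:
        # The only override Object Lock allows: GOVERNANCE mode, a principal
        # holding the bypass permission, and an explicit bypass request.
        return v.mode == "GOVERNANCE" and bypass and who.can_bypass_governance

    def delete_object(self, key, now, who, version_id=None, bypass=False) -> str:
        if version_id is None:
            # No version ID: S3 only writes a delete marker. The attacker's rm
            # "succeeds", yet every retained version remains restorable.
            return self._new_version(key, b"", None, None, True).version_id
        v = self._find(key, version_id)
        if (v.retain_until is not None and now < v.retain_until
                and not self._may_override(v, who, bypass)):
            raise LockedError(f"{who.name} may not delete {version_id}: "
                              f"{v.mode} retention until {v.retain_until:%Y-%m-%d}")
        self.versions[key].remove(v)
        return version_id

    def put_retention(self, key, version_id, new_until, who, bypass=False):
        v = self._find(key, version_id)
        # Extending is always allowed. Shortening is the administrative
        # override that COMPLIANCE mode refuses for every principal.
        if (v.retain_until is not None and new_until < v.retain_until
                and not self._may_override(v, who, bypass)):
            raise LockedError(f"{who.name} may not shorten {v.mode} retention")
        v.retain_until = new_until

    def restorable(self, key: str) -> list:
        return [v for v in self.versions.get(key, []) if not v.delete_marker]

def attempt(fn, *args, **kwargs) -> bool:
    """True if the destructive call went through, False if Object Lock refused."""
    try:
        fn(*args, **kwargs)
        return True
    except LockedError:
        return False

def demo() -> dict:
    """Stolen root credentials against a COMPLIANCE and a GOVERNANCE bucket."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)        # constructed timeline
    day1, day31 = t0 + timedelta(days=1), t0 + timedelta(days=31)
    root = Principal("root", can_bypass_governance=True)  # worst case: full admin
    key, payload = "backups/full.vbk", b"constructed backup bytes"
    c, g = LockedBucket("COMPLIANCE", 30), LockedBucket("GOVERNANCE", 30)
    cv, gv = c.put_object(key, payload, t0), g.put_object(key, payload, t0)
    out = {  # day 1: try to shorten retention, then delete the version outright
        "compliance_shorten": attempt(c.put_retention, key, cv.version_id, day1, root, bypass=True),
        "compliance_delete": attempt(c.delete_object, key, day1, root, cv.version_id, bypass=True),
        "governance_shorten": attempt(g.put_retention, key, gv.version_id, day1, root, bypass=True),
        "governance_delete": attempt(g.delete_object, key, day1, root, gv.version_id, bypass=True),
    }
    c.delete_object(key, day1, root)                      # versionless rm: marker only
    out["compliance_restorable"] = len(c.restorable(key)) # 1: the backup survived
    out["governance_restorable"] = len(g.restorable(key)) # 0: the backup is gone
    out["delete_after_expiry"] = attempt(c.delete_object, key, day31, root, cv.version_id)
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the model makes is the one a buyer should test on any appliance claiming immutability: a GOVERNANCE lock is an administrative control that a sufficiently privileged account can switch off, while a COMPLIANCE lock has no override path at all until the retention date passes, which is what "no administrative override" has to mean in practice. Against a real bucket the same checks are the boto3 calls put_object_retention and delete_object with a VersionId, issued with the most privileged credentials available, expecting AccessDenied.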

Zero Access Architecture

No account, whether customer administrator or vendor, has access that would allow destructive actions against the firmware, OS, storage application, or backup data, maintaining a least-privilege Zero Trust posture:

  • No root access
  • SSH disabled by default
  • Controlled TUI (text user interface) access only
  • Hardened Linux OS
  • Continuous verification that the running configuration matches the expected one

Operational Safeguards

Object First reduces operational risk by removing the need for custom hardening, manual integration, or specialized security expertise on the customer's side, through:

  • Automatic firmware, OS, and software updates
  • Configuration drift monitoring
  • Fail‑to‑ban lockout for repeated failed logins
  • Honeypot‑based ransomware detection

FAQ

Is Object First CCPA compliant?
Object First’s Privacy Policy aligns with the principles of the California Consumer Privacy Act (CCPA) in how we handle and safeguard our customers’ data as a supplier. The Object First appliance does not process consumer personal data on behalf of Object First, but it supports CCPA‑aligned practices by helping customers prevent unauthorized access to the data stored in their backups when paired with strong encryption and immutability controls.
Is Object First GDPR compliant?
Object First aligns with the principles of the General Data Protection Regulation (GDPR) in how we handle and safeguard our customers’ data as a company. While the Object First appliance does not process end‑user personal data itself, it strengthens GDPR-aligned practices by helping customers prevent unauthorized access or exfiltration of the data stored in their backups—especially when used with end‑to‑end encryption and immutability controls.
Does Object First support NIS2 requirements?
Object First aligns with NIS2 expectations for data resilience, segmentation, immutability, and secure‑by‑design architecture, supporting EU organizations in meeting their cybersecurity obligations.
How does Object First help organizations comply with DORA?
Object First aligns with the EU’s DORA (Digital Operational Resilience Act) regulation for financial institutions by supporting the regulation’s core resilience requirements across Articles 6, 9, 10, 11, 12, and 13, delivering absolutely immutable, segregated, and verifiable backup data that cannot be modified or deleted by any administrator or attacker. These controls help financial entities maintain clean recovery points and restore operations quickly under severe ICT disruption.
How will Object First help organizations comply with the CSR Bill?
Object First aligns with the intent of the forthcoming UK Cyber Security and Resilience Bill by ensuring backup data remains tamper‑proof and rapidly recoverable through Absolute Immutability and Zero‑Access protection, directly supporting the Bill’s focus on operational resilience and clean, authoritative recovery data.
How does Object First help organizations comply with FINRA?
Object First aligns with FINRA by delivering non-rewriteable, non-erasable storage that supports the core requirements of FINRA Rule 4511(c) and SEC Rules 17a‑4(f) and 18a‑6(e), ensuring regulated records remain immutable, intact, and fully recoverable, as verified in the Independent Compliance Report by Cohasset Associates.