Data Protection & Compliance
Hide Email Addresses and Phone Numbers
You can prevent user email addresses and phone numbers from appearing in the OneSignal Dashboard or data exports. See Handling Personal Data for setup instructions.
SOC 2 Type II & ISO Certifications
OneSignal maintains the following independent security certifications:
These audits validate that OneSignal’s internal controls and privacy management systems meet the highest standards for data security and operational integrity.
HIPAA
OneSignal complies with HIPAA requirements for customers who manage protected health information (PHI). Learn more in our HIPAA documentation.
GDPR
OneSignal complies with the EU General Data Protection Regulation (GDPR) and helps customers uphold their GDPR responsibilities. Our primary data centers are located in the European Union. See GDPR & Individual Rights for details.
Data Privacy Framework
OneSignal is certified under the EU–U.S. Data Privacy Framework for lawful data transfers between the EU and the U.S.
Security Practices
Independent Assessments & Vulnerability Scans
We conduct an annual third-party security assessment and perform quarterly vulnerability and penetration scans. All critical and high-severity findings are remediated promptly.
Workstation Security
All employee workstations include:
- Firewall and endpoint protection
- Full disk encryption
- Automatic patch management
Incident Response
We maintain a robust incident response program to rapidly detect, contain, and remediate security incidents.
Dedicated Security Organization
OneSignal’s Security Team continuously monitors, triages, and responds to security-related events.
Encryption
All customer data is encrypted using industry-standard algorithms, both in transit (TLS 1.2+) and at rest (AES-256).
Single Sign-On (SSO)
OneSignal supports SSO through WorkOS, enabling integration with major identity providers. See Single Sign-On.
Two-Factor Authentication (2FA)
Organization administrators can enforce 2-Step Authentication (2FA) for all team members. See 2-Step Authentication.
Personnel Security
All employees undergo background checks and regular security awareness training.
Data Governance & Retention
OneSignal acts as a data processor, while customers remain the data controller.
- Message data (sent via API or Journeys): retained for 30 days before deletion.
- Dashboard messages: retained until deleted manually.
- User data:
  - Retained indefinitely on paid plans until deleted.
  - Retained for 18 months of inactivity on free plans.
Data Export
OneSignal provides tools to easily export user and message data. See Exporting Data.
FAQs
How can I or my users opt-out of push notifications?
Users can disable push notifications in the device Notifications settings. For web push notifications, see Unsubscribe from Notifications. For more details, see Subscriptions.
What data is collected by the OneSignal SDK?
See Data Collected by the OneSignal SDK.
Does OneSignal use cookies?
OneSignal’s Web SDK does not use cookies. It uses Local Storage and IndexedDB for storing client data. You may see a Cloudflare cookie named __cf_bm. This cookie is:
- Set by Cloudflare (not OneSignal)
- Used to protect against bots
- Classified as a Strictly Necessary cookie that does not require consent under the EU Cookie Law
How should I handle user data in OneSignal?
Follow our best practices in Handling Personal Data.
Is OneSignal COPPA Compliant?
OneSignal is certified under the Families Ads Program (as of January 10, 2022). While COPPA compliance is the publisher’s responsibility, OneSignal provides tools to help you collect user consent before data collection or push prompts. See Getting User Consent and this COPPA guide.
How Can I Secure My OneSignal Account?
Follow these security best practices:
- Enable 2-Step Authentication and/or Single Sign-On.
- Remove unnecessary Team Members.
- Avoid shared logins; each person should have their own OneSignal account.
- Regularly rotate or delete API keys. See Keys & IDs.
- Reset your password as needed. See Account Management.
Never expose your REST API Keys or App Keys in public repositories or client-side code.
What if my REST API key is compromised?
Immediately delete and rotate your API key. See Keys & IDs for instructions.
What if My App ID Is Exposed?
Your App ID is public and safe to share—it can only be used to create new user records. However, users cannot receive messages unless they’ve subscribed through valid means.
For added protection, enable Identity Verification.
What if a Subscription ID Is Exposed?
A user’s own subscription_id is safe to expose to that user—it can only modify their own data.
However, never share other users’ subscription IDs, as these can be used to send notifications to specific devices.
To prevent impersonation, use Identity Verification.