Is data deleted completely when deleted from the application?
Yes; and after two weeks it is gone from all backups.
Can your service organization provide its most recent Service Organization Control (SOC) 1 and/or 2 Reports, related to design and effectiveness of financial reporting controls?
Yes, via Microsoft Azure Trust Center.
How do you comply with PCI DSS 3.0/HIPAA/Sarbanes-Oxley regulations?
PCI is handled through our billing administrator, Avangate (now merged into 2checkOut). We do not work with HIPAA data.
What level of technical support is included in your standard license agreement?
We provide free email support to all subscribers, and 7am – 7pm US/Pacific phone support.
In the event of an interruption of your service, what is your process for notifying customer operations of the circumstances of the interruption or outage and the expected recovery time?
The process in place, though never needed, sends an email to subscription owners.
Do you have a documented process for how system, application and data backups are performed?
Is backup media containing confidential information encrypted and stored in a locked container during transport?
Yes. TLS1.2 is used to encrypt all data transmitted across the Internet.
Does MyObjectives have a dedicated security team?
Yes: 3.0 FTE
What is your backup & recovery SLA? What are the actual results/metrics vs. the SLA for the last 12 months?
1 hour recovery point objective; 4 hour recovery time objective. We have a 99.95% uptime for the period of 3/6/2017 thru 3/5/2018.
Does your organization utilize the OWASP Testing Guide and/or OWASP Code Review Guide to effectively find vulnerabilities in your service / application (with the intent of remediating identified vulnerabilities)?
OWASP is a fine methodology, but certainly not the only approach that guides development teams.  Alliance Enterprises has developed it’s own approach over the course of the 3.5 decades we have been authoring software.
Do you support SAML 2.0 for user authentication?
Support for SAML 2.0 is supported by our authentication mechanism.
How do you secure access to your data facilities where customer data will be stored?
Microsoft Azure services are used, so we refer you to their GDPR compliance documentation at

What are your terms when it comes to ownership of data? How about any metadata I generate while using the application?
All data you input into MyObjectives is your data. Our terms of service spell out how and for how long your data is available to you should you terminate your subscription.
Can you verify that *all* API unit calls are both 1) authenticated (by managed key or OAuth) and 2) encrypted (by 128-bit or greater encryption)?

Do you offer API access? Are there any extra charges to access API? What form do the APIs take?
At this time we do not offer API access to our underlying data model. Support is available for custom access to input meter and measure information into our software.
How and when will you notify me about any scheduled maintenance?
Our application has built-in notification functionality that we use to announce upcoming maintenance windows well in advance of any scheduled down time.

How can I contact you to get more information about unscheduled or extended downtime?
Our toll-free support line and support email address are available for contacting us about any questions you might have.
Approximately, how often do you upgrade your application?
Approximately every two weeks.

Will these upgrades impact my use of the application, and if so what time of day and for how long?
How a maintenance window will impact our customer base always drives our timing and duration decisions and allowances. It is the nature of globally-applicable software services that someone, somewhere in the world will experience a brief period of service unavailability during any given maintenance period.

Does your organization scan and/or test for vulnerabilities in your service / application, and if so, how quickly are any identified vulnerabilities remediated?
Yes: Testing is a continuous effort that leads to uncovering vulnerabilities. Depending upon the severity of the vulnerability, we may issue a HotFix release that very night.

Are your systems subjected to penetration testing?

Is there a formal procedure for reporting a suspected security violation?
Internally, yes.