OfficeSpace Software – Secure by Design
Updated: February 23, 2026
Overview
OfficeSpace Software is a cloud-native Software as a Service (SaaS) platform focused on workplace management. As a steward of customer workplace operational data, we design and operate our services with security embedded into processes, architecture, and engineering practices.
In alignment with the Cybersecurity and Infrastructure Security Agency (CISA) Secure by Design Pledge, OfficeSpace has assessed its existing controls and is working to demonstrate measurable progress against each of the seven pledge goals over time.
Secure by Design Practices
Multi-Factor Authentication (MFA)
What we do today:
- MFA is mandatory for all internal OfficeSpace employees and administrators.
- Customers may enforce MFA via SSO integrations (SAML, Google Workspace).
- Administrative roles require phishing-resistant MFA.
No Default Passwords — Ever
What we do today:
- OfficeSpace does not use default, shared, or manufacturer passwords.
- Strong password policies and unique credentials are enforced.
Reducing Entire Classes of Vulnerabilities
What we do today:
- SDLC integrates SAST, DAST, threat modeling, peer review, and OWASP-aligned frameworks.
- These practices reduce entire categories of vulnerabilities, such as SQLi and XSS.
Security Patching and Updates
What we do today:
- OfficeSpace manages all platform patches and updates.
- Risk-based patch timelines are enforced (Critical: 0–15 days, High: 0–30 days, etc.).
- Customers do not need to deploy or maintain patches.
Vulnerability Disclosure Policy (VDP)
What we do today:
- Our VDP includes safe harbor, scope boundaries, and a reporting channel.
- Unauthorized scanning of production systems is prohibited.
Where we are improving:
- Publishing the VDP publicly.
CVE Transparency
What we do today:
- As a SaaS provider, OfficeSpace does not distribute software, and CVE reporting is generally not applicable.
- Vulnerabilities are tracked and validated through internal SAST, DAST, and WAS tests, as well as external penetration testing.
Evidence of Intrusions and Logging
What we do today:
- Centralized logging and monitoring are in place.
- SIEM tools aggregate logs across infrastructure, app layers, and authentication.
- Incident response procedures govern investigation and customer notification.
Shared Responsibility Model
OfficeSpace is responsible for platform security including patching, monitoring, authentication controls, and infrastructure security.
Customers are responsible for configuring their own identity provider settings, MFA policies, access controls within their organization, and internal data governance.
Related Documentation
The following documentation is available to authorized customers and prospects in our Trust Center:
- SOC 2 Type II
- CSA STAR Level 1
- Information Security Policies
- SDLC documentation
- Access Control, Patch Management, Logging, and Incident Response Standards
- Prefilled Vendor Security Assessment (VSA) questionnaire
Access: https://trust.officespacesoftware.com
Contact
For questions or to report a potential security concern: