Trust Center

We train the drug & alcohol testing industry on privacy and compliance — so we hold our own platform to the same standard. Here is how we protect trainee, employer, and C/TPA tenant data.

Encrypted in transit

Your connection to us is encrypted, so information stays private as it travels between you and our platform.

Protected access

Administrative access requires multi-factor authentication, and every account is granted only the access it needs to do its job.

Sensitive data minimized

We limit what we collect and keep test results, medical details, and personal information out of our diagnostic logs.

Customer isolation

Each customer's records are kept separate, so one organization's information stays with that organization.

Our commitment

We teach the drug-and-alcohol compliance industry how to protect sensitive information the right way, and we hold ourselves to that same standard. TestRight Academy handles trainee identities and progress, employer program records, and testing-program data. We build and operate the platform so that only the people and systems that genuinely need a piece of data can reach it.

Data protection & encryption

  • Connections to our services are encrypted in transit, so information stays private as it moves between you and us.
  • Sensitive customer records — trainee accounts, progress, purchases, and certificates — are kept in protected storage that is not directly reachable from the public internet.
  • Credentials and configuration are kept separate from the data they protect.
  • We follow the principle of least privilege: access to systems and data is limited to what each role or system actually requires.

Access & authentication

  • Account credentials are stored using industry-standard protections, never in plain text.
  • Administrative access requires multi-factor authentication, with additional verification for the most sensitive actions.
  • Access is granted on a least-privilege basis and reviewed over time.
  • Public forms are protected by automated bot-protection controls to help keep out automated abuse.

How we handle the most sensitive data

Sensitive information is designed to be excluded from our diagnostic logs. Our monitoring systems are built to strip out credentials, payment data, drug-test results, medical information, and personal details before anything is recorded. In logs, we avoid recording names or emails, referencing users by opaque identifiers instead.
  • Drug-test results and medical information are treated as confidential and are only accessible to the people your program authorizes.
  • We minimize the personal information we collect and avoid exposing it where it isn't needed.
  • Card payments are handled by a PCI-DSS compliant payment provider; we never store full card numbers.

Customer data isolation

Each customer's data is kept separate, and our systems are designed so that one organization's records stay accessible only to that organization.

Monitoring & security reviews

  • We perform periodic internal security reviews across our applications and infrastructure, and address what we find.
  • Our systems are continuously monitored, and unusual or error conditions are surfaced to our team for prompt investigation.

Backups & continuity

Critical data is backed up on an automated, rotating schedule so we can recover from disruption.

Data retention & your rights

  • Diagnostic logs are retained only for a limited period and then pruned on a rolling schedule.
  • You can request access to, correction of, export of, or deletion of your data — email info@osegroupusa.com. See our Privacy Policy for details.

Incident response

If we become aware of a security incident affecting your data, we will investigate promptly, contain and remediate it, and notify affected customers as required by law.

Report a security issue

Found a potential vulnerability or have a security question? Email info@osegroupusa.com. We appreciate responsible disclosure and ask for reasonable time to investigate before any public sharing.

This page describes our current practices and is provided for transparency; it is not a contract or warranty. Security is a shared responsibility — protect your account credentials and enable available protections. Last updated July 2026.