You and your customers’ privacy is important to us, and maintaining your trust is one of our highest priorities. The OneSignal product & policy teams have been busy making the platform and product more secure for you and your users.  We’re excited to announce that OneSignal is now officially Privacy Shield Certified and we’ve shipped 🚢  a handful of security features, including two-factor authentication, to all users.

Privacy Shield

What does Privacy Shield Certification mean?

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively. The framework provides companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.  This ensures that the US and EU based companies are compliant with GDPR provisions when using OneSignal.  Please note GDPR requires organizations to have a written, signed agreement to fulfill GDPR data protection obligations, as explained by Privacy Shield and summarized at Supplemental Principle 10 (Obligatory Contracts for Onward Transfers).  

You can read more about Privacy @ OneSignal, OneSignal’s Privacy Policy, as well as view OneSignal's Privacy Shield certification listing.  

New Security Features

Two Factor Authentication
Two Factor Authentication (2FA) confirms your identity when you log in to OneSignal with both your password and a one-time code from a paired Authenticator app. This makes your account much more secure and is the standard for secure login.

By requiring two pieces of information: something they know (password) and a second factor other than something you know (such as a code from an application, a fingerprint, etc.), two-factor authentication is how financial institutions, major companies, and others secure confidential information.

You can use common 2FA authenticator apps such as Authy, Google Authenticator, Microsoft Authenticator, and more. And we’ve made 2FA available for free to all accounts to help businesses of all sizes be better protected.

Of course, you can also use a Google or Facebook login with 2FA as well if you manage user accounts that way.

Just click on 'Account and API Keys'

Then click 'Enable' under "2 Step Authentication"

Step-by-step instructions are here.

Email Updates for Account Changes
We’ll now email you anytime your user authentication token is reset or your password is updated to keep you apprised of any suspicious activity as soon as it happens.

User Authentication Key Reset
Your user authentication key lets you do a lot - from creating applications to sending messages and accessing data via API. Now, it is hidden by default, and viewing it or resetting your password will disable the previous key. We’ll also email you so you can stay on top of your account.

Bad Password Prevention
Every time you somebody changes their password or creates a new account, we now check it against a continually-expanding list of over 11 GB of compromised passwords and we’ll require you to pick a password that hasn’t been found in common lists of compromised accounts. And if you have an account already, we’ll block login until you choose a more secure password.

At OneSignal, we know that world-class data security is critical for businesses, and we're committed to delivering the highest levels of performance and security to all users.

If you have questions about data protection or security, you may contact us at