OneSpan (OSPN): Supplier relationships that reshape a digital-identity vendor
OneSpan builds and monetizes a cross-channel security stack for financial services and regulated enterprises through a mix of software subscriptions, SDK licensing, hardware token sales (Digipass) and professional services. Revenue comes from recurring SaaS/maintenance contracts and one-time device or integration fees, with the company supplementing organic growth via targeted acquisitions that expand mobile and passwordless capabilities. Investors should view OneSpan as a hybrid software-hardware supplier whose growth strategy is driven by product-led deals and bolt-on M&A.
For a strategic view of OneSpan’s supplier and partner footprint, explore NullExposure’s supplier mapping: https://nullexposure.com/.
Recent relationships that matter to investors and operators
OneSpan’s public disclosures and press coverage over FY2025–FY2026 identify three relationships that change how customers consume its platform: a channel/implementation partnership in Japan and two acquisitions that extend mobile and passwordless authentication capabilities.
SCSK Corporation — channel/implementation win in Japan
OneSpan’s cloud-based FIDO authentication was implemented by SCSK to protect a major Japanese trust bank against phishing, demonstrating a regional channel deployment and market traction in APAC. BiometricUpdate covered the deployment in late 2025, noting statements from SCSK executives about the strength of the partnership (BiometricUpdate, Nov 2025).
Build38 — strategic acquisition to harden mobile apps
OneSpan signed a definitive agreement to acquire Build38, a Munich-headquartered mobile application protection specialist spun out of Giesecke+Devrient, to integrate RASP and SDK protections into OneSpan’s mobile offerings and address rising mobile-channel attacks. Multiple outlets reported the deal in early 2026, framing it as a capability buy to accelerate mobile security for banks and e-wallets (Pulse2, Mar 2026; BiometricUpdate, Jan 2026; Finviz, Mar 2026).
Nok Nok Labs Inc. — completing the passwordless stack
OneSpan acquired longtime partner Nok Nok Labs in June 2025 to embed FIDO biometric authentication across its platform, aligning e-signature, digital banking flows and passwordless authentication into a single stack. The acquisition was noted in coverage that highlighted OneSpan’s goal of making passwordless authentication a standard for e-signatures and banking transactions (BiometricUpdate, Jan 2026; Pulse2, Mar 2026).
What these relationships mean for OneSpan’s operating model
These relationships expose three strategic traits of OneSpan’s operating and supplier posture:
- Acquisition-led capability buildup: Two of the highlighted relationships are acquisitions (Build38, Nok Nok), indicating OneSpan uses M&A to close capability gaps—particularly in mobile app protection and FIDO passwordless authentication—rather than waiting for slow internal development.
- Channel expansion in APAC: The SCSK implementation is a clear regional channel execution that supports growth outside North America, relevant for revenue diversification.
- Hybrid product mix requiring manufacturing and partner orchestration: The business still sells hardware tokens (Digipass) alongside software, implying dual operational tracks—device supply and cloud/SaaS delivery.
For procurement and risk teams, this mix implies both recurring revenue stability from software and discrete supply risk from hardware.
Company-level constraints that shape supplier risk
Public excerpts in OneSpan’s disclosures provide direct signals about supplier contracting and manufacturing that investors must fold into any exposure assessment:
- OneSpan’s purchase obligations include other software agreements that typically run 1–3 years, indicating a contracting posture weighted to short-term commitments rather than long-term locked-in supplier contracts. This supports flexibility in supplier sourcing but increases renewal and switching risk.
- Hardware assembly is concentrated: OneSpan states that Digipass devices are assembled by four independent factories in China and one in Romania, producing a geographic concentration across APAC and EMEA. This raises supply-chain and geopolitical exposure while leaving the company with limited on-shore redundancy for token manufacturing.
- The company explicitly relies on third-party manufacturers for Digipass devices; this is a manufacturer-role relationship that creates operational criticality for those outsourced factories and requires active vendor management across jurisdictions.
These are company-level signals, not relationship-specific claims. Investors should translate them into procurement actions: insist on multi-region sourcing clauses, verify inventory and lead-time disclosures, and price in potential sourcing shocks.
Investment and operator implications — read this if you manage supplier risk
- Upside: OneSpan’s acquisitions materially strengthen mobile and passwordless differentiation, accelerating cross-sell into existing banking customers that value SDK-level protections and FIDO authentication. The move reduces time-to-market for capabilities that directly increase ARR retention and deal size.
- Risk: Hardware manufacturing concentration in China and Romania creates tangible supply disruption risk for device-dependent customers, and short-term supplier contracts increase the probability of pricing pressure at renewals.
- For operators and procurement teams: Require rolling forecasts, audit rights, and dual-sourcing where devices are critical to service delivery; for investors, stress-test scenarios where device shortages or regional trade frictions impact revenue recognition.
Final read: tradeoffs and monitoring signals
OneSpan’s current supplier footprint and M&A activity present a clean strategic tradeoff: faster capability expansion and deeper enterprise value in mobile/passwordless, at the cost of continued reliance on outsourced hardware manufacturing and short contract tenors for non-core software services. For investors, the investment thesis rests on continued SaaS migration and successful integration of Build38 and Nok Nok into the platform; for operators, the focus is supplier governance and contingency planning for device assembly nodes in APAC and EMEA.
Key monitoring signals for the next 12 months:
- Integration milestones and cross-sell metrics for Build38 and Nok Nok.
- Disclosure on manufacturing lead times and multi-factory sourcing for Digipass.
- Renewal cadence and pricing trends for 1–3 year software agreements.
Bottom line: OneSpan is a growth-oriented, acquisition-augmented security vendor with improving product breadth and tangible supply-side exposures that procurement teams must actively manage.