Data & Information
- At Rest: We only store your data in our production environment. Your data is encrypted with AES-256.
- In Transit: All network communication uses TLS v1.2+ and is encrypted and authenticated with AES_128_GCM, using ECDHE_RSA as the key exchange mechanism. HTTP Strict Transport Security (HSTS) with a long max-age is enforced. Qualys' SSL Labs scored our SSL implementation as "A+" on their SSL Server Test.
Our backup processes ensure data and information consistency to the highest standards. Multiple backups are taken per day with a 7-day retention period.
Passwords are not stored on any of our servers. Passwords are hashed (and salted) securely through our authentication partner, Auth0 (which has multiple compliance certifications ranging from ISO27001 to HIPAA).
Your data will never leave the US. Not in the US? We partner with iubenda to comply with all GDPR requirements.
Credit card and payment information is not stored on our servers. All payments made to TeamFlow® go through our payments partner, Stripe (which is PCI compliant).
We currently support SSO with multiple identity providers through our authentication partner, Auth0 (OIDC/OAuth 2.0, SAML 2.0, etc.).
Account Verification for Non-SSO Users
Users are required to validate their accounts via an automated e-mail with a verification link.
Our cloud provider is Google Cloud. We leverage cloud native tools to manage firewall rules, threat detection and DMZ enforcement.
We leverage cloud native tools that manage patching of our virtual machine clusters on a routine basis.
We capture logs, events, and metrics through our partner Sentry. For security vulnerability scanning, we use HostedScan for 24x7 alerting and detection, alongside the native monitoring tools of our cloud partner.
We log every action performed in the system.
Disaster Recovery and Business Continuity
We use TeamFlow® (yes, we use our own product ☺) to document our Disaster Recovery and Business Continuity plans. We perform routine exercises of these procedures to guarantee uptime and system availability.
Periodic independent third party penetration tests are performed.
Security and confidentiality incidents submitted to firstname.lastname@example.org or our in-app support chat will be resolved in accordance with established incident policy.
Reporting Service Disruption Incidents or Maintenance Windows
We use StatusPage.io to keep everyone up to date. This service provides several options for subscribing to notifications. Additionally, we use our partner Elastic Cloud to monitor service uptime.
Move Fast, Break Nothing
We use formal software development lifecycle methodology and best practices in change management procedures. All releases are versioned using Semantic Versioning. Latest updates and release history can be found here.
Monthly risk assessments are performed to ensure the applications are secure and adhere to best practices.
We carefully review our vendors and partners to ensure adherence to our security and compliance requirements.
We keep our list of data subprocessors as up-to-date as possible. Please review our list of data subprocessors here.
An individual's level of access is determined by their job role. We practice a policy of least privilege access. We perform regular logical access reviews and remove access immediately if it's no longer required.
TeamFlow® uses Google Cloud Shell for activities that require sensitive privileged access. This is additionally secured with Cloud Identity and Access Management (IAM).
MFA is enforced for every individual with logical access and required on every third party service that touches our environment.
Our personnel's devices are registered with our asset inventory and secured with antivirus software, device blocking and security patches.
Evaluation & Training
We perform background checks and require confidentiality agreements with all of our personnel. Additionally, we require yearly Security Awareness Training (SAT) certification.