TruSTAR's Security Policy
Effective: January 11, 2018
We're a security company that manages important information from our customers. Security is a fundamental expectation for our product, services and our team members.
We perform background checks on employees prior to starting with our company. During onboarding, new employees review and sign our company security policy and confidentiality agreements. Employees are responsible for reviewing and agreeing to all future updates to both policies.
Access to sensitive data is tightly controlled and granted to employees on a need-to-know basis, following the principle of least privilege. Logins are protected with two-factor authentication, and all administrator activity is logged to our centralized logging and monitoring system, which is configured to alert on unauthorized behavior.
Our customer data is our most critical asset, and we enforce strict controls over its access, backup and retention. Customer data is stored only in our production infrastructure; it is never used in testing or staging environments or stored on employee devices. Customers who leave our service have their data removed from the production environment. Employee access to customer data is limited to maintenance, credentialing and support, is granted on a need-to-know basis, and is routinely audited.
Customer information is protected with strong encryption both in transit across the Internet and at rest on our servers. All Internet communications with our service use HTTPS/TLS with strong cipher suites and certificates unique to our service. Data at rest is encrypted with AES-256, and the decryption keys are managed and stored following NIST SP 800-57 key-management guidance using FIPS 140-2-approved algorithms.
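To make the at-rest design above concrete, here is an added illustration of the key hierarchy that NIST SP 800-57 guidance leads to in practice: each record is encrypted with its own AES-256 data-encryption key (DEK), and only a wrapped copy of that DEK is stored beside the ciphertext, under a separate key-encryption key (KEK) that never touches customer data directly. This is example code written for this page, not TruSTAR's implementation, and it assumes AES-256-GCM for both layers and a record identifier bound in as associated data (both are this example's choices, not stated on the page).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is what gets persisted: the payload ciphertext plus the DEK in
// wrapped form. The KEK is held elsewhere (an HSM or KMS in practice, a
// 32-byte slice in this example) and is never stored with the record.
type Record struct {
	Ciphertext []byte // nonce || AES-256-GCM ciphertext of the payload under the DEK
	WrappedDEK []byte // nonce || AES-256-GCM ciphertext of the DEK under the KEK
}

// newGCM builds an AES-256-GCM AEAD and rejects any key that is not 256 bits.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce and returns nonce||ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; tampering, a wrong key or wrong associated data all fail authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Encrypt generates a fresh 256-bit DEK for this record, encrypts the payload
// with it, and wraps the DEK under the KEK. The record ID is bound as
// associated data so a wrapped DEK cannot be moved to a different record.
func Encrypt(kek, plaintext []byte, recordID string) (*Record, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(recordID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(recordID))
	if err != nil {
		return nil, err
	}
	return &Record{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the payload with the DEK.
func Decrypt(kek []byte, rec *Record, recordID string) ([]byte, error) {
	dek, err := open(kek, rec.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Ciphertext, []byte(recordID))
}

func main() {
	kek := make([]byte, 32) // stands in for a KEK fetched from a KMS/HSM (assumption)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	// Constructed sample payload; not real customer data.
	rec, err := Encrypt(kek, []byte("constructed sample: customer indicator list"), "record-42")
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, rec, "record-42")
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %q; wrapped DEK is %d bytes\n", pt, len(rec.WrappedDEK))
}
```

Rotating the KEK then means re-wrapping each stored DEK, not re-encrypting the data, which is the operational reason for the two-level hierarchy. GCM is used for the wrap layer here for brevity; NIST SP 800-38F's AES key wrap (KW/KWP) is the dedicated mechanism and a reasonable substitute.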
Our infrastructure is hosted on AWS, allowing us to leverage its security controls for physical access, network protection and configuration control. Our deployment uses isolated virtual private cloud networks that are further segmented by security groups. Access to cloud configuration requires two-factor authentication, and all changes to the infrastructure are logged and monitored.
Our computer systems are configured to perform automatic security patching wherever possible to limit their exposure to new security vulnerabilities. Employee computers are secured according to our computer lockdown process, which is regularly updated to make sure new security features are enabled. Our online servers are regularly scanned for security issues and updated to ensure that they comply with our security requirements.
System activity on our cloud infrastructure is logged to a centralized logging and monitoring system. This lets our engineers monitor the overall health of the system and gives us a mechanism to quickly identify and alert on security issues. Security alerts are routed both to our security team and to the engineer responsible for the system reporting the problem, so that they can work together as part of the incident management process.
We maintain, review and periodically update our incident management and response plan. The plan gives us a structured process for verifying, mitigating, responding to and recovering from security incidents. In addition, technical teams build and maintain specialized security detection and response capabilities tailored to the technologies they control.
External Security Audits
We put a lot of effort into our security and use third-party reviewers to periodically kick the tires. The audit process is useful for testing our detection and response capabilities as well as for surfacing security issues. It includes reviews of both our online and internal infrastructure and reviews of our internal processes and procedures.
If you have discovered a security issue in our service, or would like to discuss our processes with the security team, contact firstname.lastname@example.org.
This security statement was updated on January 11, 2018.