Table of Contents
1. Access Control
2. Transmission Control
3. Input Control
4. Availability Control
5. Development Best Practices
6. Compliance & Certification
Access Control
Preventing Unauthorized Product Access
Authentication
A uniform password policy has been implemented for our customer products:
- Minimum length of 8 characters
- Password must contain at least one uppercase letter, one lowercase letter, and one digit
We also offer SSO authentication via Google, so users can enable multi-factor authentication through that provider.
Customers who interact with Termly Services via the user interface must authenticate before they can access non-public customer data.
Authorization
We store customer data in secure storage systems. Users can’t directly access the underlying application infrastructure. Access to sensitive data is role-based (on a “need to know” basis), only for specific purposes.
Separation of environments
We separate development, testing, and operational environments to minimize the risks of unauthorized access or changes to the operational environment.
Employee access
A limited number of our trained employees have access to customer data via controlled interfaces. The purpose of enabling employee access is to provide efficient customer support, detect and respond to security incidents, troubleshoot potential problems, and facilitate data security.
Employees are granted access by role, and all such access requests are logged. Only a few designated employees have access to the infrastructure. Termly employees do not have physical access to customers’ databases. All employees receive privacy and security training during their onboarding process and as a requirement for continued employment.
Access to critical and sensitive data is role-based (on a “need to know” basis), only for purposes of performing services’ functions, and is revoked immediately for terminated employees.
Preventing Unauthorized Infrastructure Access
Physical and environmental security
Our product infrastructure is hosted with multi-tenant, outsourced infrastructure providers. Their physical and environmental security controls are audited for a broad set of standards and compliance regulations.
See https://aws.amazon.com/compliance/ for more information.
Third-party processing
In order for us to provide our customers with the Service in accordance with our DPA, we maintain contractual relationships with vendors. This includes contractual agreements, privacy policies, and vendor compliance programs. Vendors are vetted for privacy and security compliance during the vendor assessment process.
Network security
Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The implemented technical measures differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules. We have implemented a Web Application Firewall (WAF) solution to protect internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
Transmission Control
Data is encrypted while in transfer
We use tested and proven secure encryption protocols and disable obsolete and vulnerable ones. All access to the product requires secure connections.
Password data encryption
Password data is stored as a salted one-way hash using modern algorithms.
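The two controls above (the password policy and salted one-way hashing) can be shown together in code. The following is an added example, not Termly's code: it checks a candidate password against the stated policy, then stores it as a salted PBKDF2-HMAC-SHA256 hash and verifies it with a constant-time comparison. PBKDF2 and the iteration count are assumptions standing in for whatever "modern algorithm" the page refers to, which it does not name.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional

# Policy from the page: at least 8 characters, one uppercase, one lowercase, one digit.
MIN_LENGTH = 8


def validate_password(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    return problems


# Assumption (not stated on the page): PBKDF2-HMAC-SHA256 with 600,000 iterations,
# a per-password 16-byte random salt, and a self-describing storage format.
SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted one-way hash; a fresh random salt is generated unless one is supplied."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Storing scheme, iterations and salt alongside the digest lets the cost be raised later.
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: treat as a failed verification, never as a match
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    candidate = "Password1"  # constructed sample input
    print("policy violations:", validate_password(candidate))
    record = hash_password(candidate)
    print("stored record:", record)
    print("verify correct:", verify_password(candidate, record))
    print("verify wrong:", verify_password("Password2", record))
```

Because the salt is random per password, two users with the same password get different stored records, and the plaintext is never recoverable from the record; verification only ever recomputes and compares.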
Input Control
Detection
We designed our infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our staff, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking
We maintain a record of known security incidents that includes descriptions, dates, and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel, and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. We will notify our customers in accordance with the Terms of Service.
Availability Control
Infrastructure availability
Termly is hosted on a logically separated and distributed AWS cloud infrastructure. We do experience downtime events when AWS infrastructure does, but those are infrequent and usually limited to a handful of specific services.
All system and infrastructure downtime events are logged and researched by the infrastructure and software teams, and appropriate commercially reasonable measures are taken in response to each event. Current status, as well as recent incidents, can be found at https://status.termly.io/.
Termly uses DDoS protection services to prevent downtime from malicious denial-of-service attacks.
Fault tolerance
Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
Redundancy and seamless fail-over
The server instances and other services that support the products are architected to avoid single points of failure. This design lets our operations team maintain and update the product applications and backend while limiting downtime.
Business Continuity
Termly maintains policies and procedures to ensure that Termly may continue to perform business-critical functions in the face of an extraordinary event. This includes data center resiliency and disaster recovery procedures for business-critical data and processing functions.
Development Best Practices
Git is used for version control of both private and public repositories. Any merge to the main branch requires approval from the engineering team. Changes to the code are tested using a suite of automated and manual tests, including static code analysis and running unit, functional, and integration test suites against build artifacts. Vulnerability databases are regularly reviewed and assessed for new vulnerabilities to determine whether they apply to our systems or vendors.
Compliance & Certification
In accordance with the GDPR and CCPA, Termly undertakes to take all appropriate precautions to preserve the privacy and security of the data and, in particular, to protect it against accidental or unlawful destruction, accidental loss, corruption, unauthorized circulation or access, and any other form of unlawful processing or disclosure to unauthorized persons. In addition to regulatory compliance, and to attest to Termly’s commitment to meeting rigorous industry standards, we are currently undergoing the SOC 2 audit process.