SOC 2 Type II
Prioritising privacy and security has always been our focus. We are pleased to announce that TeamForm has officially been audited and certified as complying with the industry standard for security.
Achieving this milestone ensures that your security team is well aware of our commitment to these principles. Securing your TeamForm data is fundamental to our business, woven into the fabric of TeamForm through technical controls implemented across the software lifecycle. It is also ingrained in our organisational processes and the people who support you.
Our certifications and endorsements in information security not only showcase our adherence to stringent international standards but also attest to our unwavering commitment to information security, a cornerstone of our organisation. From the moment employees join TeamForm, they undergo training in information security and data protection, instilling best practices throughout the organisation, across all roles and functions.
What is SOC 2?
SOC 2 stands for Service Organisation Control 2. It is a set of criteria against which an independent auditor assesses the security controls a service company has in place.
There are two types of SOC 2 audits:
SOC 2 Type I: This report tells you the company has the right security controls in place. It doesn’t tell you if the company is actively adhering to these controls.
SOC 2 Type II: This report tells you the company has the right security controls in place and that it is actually following them over the audit period. This is verified by an independent auditor. TeamForm is SOC 2 Type II certified.
Security and privacy have always been a top priority for us at TeamForm and this ensures we continue to provide safety and security for your data.
Want a copy of the report? Head on over to TeamForm Trust Center and register for a copy.
TeamForm is committed to protecting your data from unauthorized access. We have a policy of respect for the custodianship of your data: all customer data is considered highly sensitive and must remain exclusively inside your account's tenancy while in our care.
As such we apply the principles of defense-in-depth and take multiple measures to protect customer data from unauthorized access. Where access is required within the application, this access is granted using the principle of least privilege. Only suitably authorized and trained TeamForm employees have direct access to production systems and user data.
Our production environment is hosted on a secure cloud computing platform, which takes measures to protect its equipment and services from unauthorized physical and logical access. These practices, and the ongoing monitoring of them, are regularly audited by a third party.
Where employee access is required, our engineers use strong passwords and a TOTP-based multi-factor authentication (MFA) system to access production systems. Where terminal connections are required, we further mandate the use of per-engineer RSA certificates. All access and access attempts are logged.
Staff workstations conform to our security processes, which mandate full disk encryption, use of a firewall, automatic operating system patch management, and anti-malware/anti-virus software.
All staff have undergone background checks.
Encryption in Transit and at Rest
Data in transit is encrypted using industry standard Transport Layer Security (“TLS”), with a minimum of a 128-bit Advanced Encryption Standard (“AES”) cipher. This applies to data in transit between the application and users, and between the application's internal components.
Each customer's tenancy is provisioned with a dedicated and isolated data store. The data at rest in these data stores is encrypted with a Customer Master Key (CMK) that is also unique to each customer's tenancy. The CMKs are generated by a system that uses FIPS 140-2 validated hardware security modules (HSMs) to protect the confidentiality and integrity of the keys. These HSMs have been validated and certified under multiple compliance schemes, including ISO 27001, ISO 27017, and Service Organisation Controls (SOC 1, SOC 2 and SOC 3). The keys are rotated regularly by an identity management service, which also controls access to the keys.
TeamForm uses a content delivery network (CDN) to serve content and mitigate Distributed Denial of Service (DDoS) attacks. The CDN is integrated with a managed DDoS protection service that provides always-on detection and automatic inline threat mitigation to safeguard web applications.
TeamForm uses a cloud-managed Domain Name Service (DNS), which is scalable, highly available, and integrated with the DDoS protection service.
There are multiple further layers of controls protecting network access to application components. TeamForm establishes private network segments on our cloud computing platform. Within these private network segments, internally hosted DNS zones and network load balancing techniques are used to minimize the attack surface and safeguard exposed resources. We use a form of virtual firewall with least-privilege rules to control inbound and outbound traffic to our resources. Network access control lists (ACLs) limit which network traffic is allowed to route in and out of our private network segments.
For any questions, please contact us.