May 25, 2018

TeamTools Security Practices

Effective: May 25, 2018

TeamTools is unique in being architected to use direct access to your organization’s directory, avoiding the need to separately store your data and ensuring maximum security and compliance. Helping to protect the confidentiality, integrity, and availability of our customers’ data is of the utmost importance to TeamTools, as is maintaining customer trust and confidence. This document is intended to outline the security features we have put in place to protect customer data.

TeamTools Security Features:

  • SSL-restricted traffic for all client-server communication.
  • Google single sign-on.
  • No separate database of customer data.
  • Servers and cache using Google Cloud.
  • Access controls to limit the data that users can view or edit.
  • Audit log, including an offsite replica of the log.
  • Routine software patching, including 24-hour patching for major security threats.

Security FAQ

Where do we host our services?

TeamTools hosts its software-as-a-service on the Google Cloud Platform. This means that your data stays within the Google platform at all times, a platform which is known for its unparalleled security, scalability and availability. The Google Cloud Platform maintains compliance certifications including SOC 2 Type 2, HIPAA, and PCI; see https://cloud.google.com/security/compliance/ for details.

What physical security controls are in place to protect the environment processing or storing customer data?

Google data centers feature a layered security model with custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics. The data center floor features laser beam intrusion detection.

Google data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Only approved employees with specific roles may enter.

For additional information see: https://cloud.google.com/security/infrastructure/

What change control and security code review procedures are in place?

Changes to the TeamTools application go through the following process:

  1. Automated test suite is run on changes before being merged into the code base.
  2. Change is merged and deployed to a staging environment.
  3. Final testing is done in the staging environment.
  4. Change is then available to be merged to the production environment.

Where is customer data retained? Is the data stored on laptops, mobile devices or removable media?

Data is retained only within the Google Cloud Platform. In order to improve and support the TeamTools application, limited data is also stored with our third-party analytics and customer support providers. Data is not retained on any laptops, mobile devices, or removable media.

What encryption mechanisms are in place both for data in transit and data at rest?

Data in transit is encrypted using TLS or SSL with a SHA-2 SSL certificate. Data is encrypted at rest using AES-256 or AES-128.

How long will customer data be retained? What options exist to destroy customer data at the end of the engagement?

When a customer deletes data or terminates service with TeamTools, data is marked as deleted and kept in the production cache for recovery purposes for up to 30 days. Data can be purged from the production system sooner upon request.

Are the production environments physically and logically separated from development and test environments? Will customer data be in use in the development or test environment?

The production environment is completely separate from development and test environments. Customer data is not in use in the development or test environments.

How often are the security policies and procedures reviewed?

Security policies and procedures are reviewed bi-annually.