We take security seriously at Taloflow. Below you'll find the various security policies and methodologies we employ considered to be industry best practices.
Amazon Partner Network: Advanced Technology Partner
Taloflow's applications have passed the rigorous security requirements to qualify as an Amazon Partner Network (APN) Advanced Technology Partner. This included a full architectural review of its platform by AWS Solution Architects.
Taloflow's applications are hosted and managed within Amazon or Google's secure data centers where it uses Amazon Web Services (AWS) and Google Cloud Platform (GCP), respectively. Both Amazon and Google manage risk and undergo regular assessments to ensure compliance according to industry standards. Their data center operations have been accredited under ISO 27001, SOC 1 and SOC 2, PCI Level 1, FISMA Moderate, and Sarbanes-Oxley (SOX).
The Amazon and Google data centers that Taloflow uses are located in the United States.
Encryption in Transit
Communications between you and Taloflow servers are encrypted via industry best-practices (HTTPS).
Encryption at Rest
Taloflow supports encryption of customer data at rest.
Taloflow performs background checks on all new employees in accordance with local laws.
All hires are screened through the hiring process and required to sign Non-Disclosure and Confidentiality Agreements in addition to an acknowledgement letter that lists out the risks and penalties associated with handling customer information.
Taloflow has a reference guide for security best practices that all employees and contractors understand and abide by. Everything from how to perform regular compliance reviews to how to best use a security key are covered.
All employees and contractors have undergone Security Training and receive regular security updates and tips.
Taloflow does a full audit of the security practices of all employees and contractors on a monthly basis to ensure that its security policies are followed by all parties.
Taloflow supports sign-in and Google Authentication.
Secure Credential Storage
Taloflow follows secure credential storage best practices by never storing passwords in human readable format.
API Security & Authentication
The Taloflow API is SSL-only and you must be a verified user to make API requests. You can authorize against the API using an API token.
Taloflow operates on three different levels of security environments: Development, Staging and Production.
Our Production environments have very limited access and hardened security measures in place. Development and Staging environments are separated from the Production environment, and no customer data is used in the Development or Staging environments.
There is no commonality of passwords or other security apparatus between the levels of security; they each take place within their own sandbox, and are not allowed to interact directly. All code is fully checked before moving between stages.
Virtual Private Clouds
Our cloud implementations use flexible VPC structures and appliances to provide best of breed security for our customers. We currently house one VPC with multiple subnets for each of the environments. Communication between the subnets is restricted by firewall and security rules. The subnets are not exposed to the Internet. All communication to the Internet comes through a Bastion service via reverse proxy.
All cloud access for our environments is by fully authenticated Identity and Access Management (IAM) key.
Limit Plain Text
We send nothing in plain text. Incoming traffic is via HTTPS and messages are encrypted.
We installed ClamAV antivirus where appropriate and also scan source code before acceptance. RKHunter is used to scan files level rootkits.
We use SSL for encryption of our sensitive data to protect from unauthorized access. We currently use a Comodo 2048-bit verified certificate.
Credit Card Information
We use a third-party tokenization service for all credit card numbers.
All systems are designed to have centralized and read-only usage logs for looking back on security incidents.
Any process involving cryptography goes through a peer-review process.
Access & Roles
Taloflow has various permission levels for an organization (member and admin) and Taloflow users.
All communications with Taloflow servers are encrypted using industry standard HTTPS. This ensures that all traffic between you and Taloflow is secure during transit.
The Taloflow Infrastructure Monitor is currently in Beta, and therefore we have no history to derive availability reports. However, Beta Program participants have 24/7 access to our team to resolve any and all availability issues.
Taloflow service clustering and network redundancies mean that there is no single point of failure in our system.
Our platform automatically restores customer applications and databases in the case of an outage.