Tim

Welcome to Tim's documentation

Tim, the Taloflow Instance Manager, is an AI that helps you reduce your AWS costs.

Get Started    

Security

Taloflow's security policy and methodologies are outlined in the sections below.

We take security seriously at Taloflow. Below you'll find the various security policies and methodologies we employ considered to be industry best practices.

Outside Reviews

Section
Details

Amazon Partner Network: Advanced Technology Partner

Taloflow's applications have passed the rigorous security requirements to qualify as an Amazon Partner Network (APN) Advanced Technology Partner. This included a full architectural review of its platform by AWS Solution Architects.

Physical Security

Section
Details

Facilities

Taloflow's applications are hosted and managed within Amazon or Google's secure data centers where it uses Amazon Web Services (AWS) and Google Cloud Platform (GCP), respectively. Both Amazon and Google manage risk and undergo regular assessments to ensure compliance according to industry standards. Their data center operations have been accredited under ISO 27001, SOC 1 and SOC 2, PCI Level 1, FISMA Moderate, and Sarbanes-Oxley (SOX).

Location

The Amazon and Google data centers that Taloflow uses are located in the United States.

Encryption

Section
Details

Encryption in Transit

Communications between you and Taloflow servers are encrypted via industry best-practices (HTTPS).

Encryption at Rest

Taloflow supports encryption of customer data at rest.

Employee Vetting

Section
Details

Background Checks

Taloflow performs background checks on all new employees in accordance with local laws.

Confidentiality Agreements

All hires are screened through the hiring process and required to sign Non-Disclosure and Confidentiality Agreements in addition to an acknowledgement letter that lists out the risks and penalties associated with handling customer information.

Security Culture

Section
Details

Policies

Taloflow has a reference guide for security best practices that all employees and contractors understand and abide by. Everything from how to perform regular compliance reviews to how to best use a security key are covered.

Training

All employees and contractors have undergone Security Training and receive regular security updates and tips.

Audits

Taloflow does a full audit of the security practices of all employees and contractors on a monthly basis to ensure that its security policies are followed by all parties.

Secure Development

Section
Details

Authentication

Taloflow supports sign-in and Google Authentication.

Secure Credential Storage

Taloflow follows secure credential storage best practices by never storing passwords in human readable format.

API Security & Authentication

The Taloflow API is SSL-only and you must be a verified user to make API requests. You can authorize against the API using an API token.

Separate Environments

Taloflow operates on three different levels of security environments: Development, Staging and Production.

Our Production environments have very limited access and hardened security measures in place. Development and Staging environments are separated from the Production environment, and no customer data is used in the Development or Staging environments.

There is no commonality of passwords or other security apparatus between the levels of security; they each take place within their own sandbox, and are not allowed to interact directly. All code is fully checked before moving between stages.

Virtual Private Clouds

Our cloud implementations use flexible VPC structures and appliances to provide best of breed security for our customers. We currently house one VPC with multiple subnets for each of the environments. Communication between the subnets is restricted by firewall and security rules. The subnets are not exposed to the Internet. All communication to the Internet comes through a Bastion service via reverse proxy.

Cloud Access

All cloud access for our environments is by fully authenticated Identity and Access Management (IAM) key.

Limit Plain Text

We send nothing in plain text. Incoming traffic is via HTTPS and messages are encrypted.

Code Scanning

We installed ClamAV antivirus where appropriate and also scan source code before acceptance. RKHunter is used to scan files level rootkits.

SSL Certificate

We use SSL for encryption of our sensitive data to protect from unauthorized access. We currently use a Comodo 2048-bit verified certificate.

Credit Card Information

We use a third-party tokenization service for all credit card numbers.

System Logs

All systems are designed to have centralized and read-only usage logs for looking back on security incidents.

Cryptography

Any process involving cryptography goes through a peer-review process.

Product Security Features

Section
Details

Access & Roles

Taloflow has various permission levels for an organization (member and admin) and Taloflow users.

Transmission Security

All communications with Taloflow servers are encrypted using industry standard HTTPS. This ensures that all traffic between you and Taloflow is secure during transit.

Availability & Continuity

Section
Details

Uptime

Taloflow's Instance Manager is currently in Beta, and therefore we have no history to derive availability reports. However, Beta Program participants have 24/7 access to our team to resolve any and all availability issues.

Redundancy

Taloflow service clustering and network redundancies mean that there is no single point of failure in our system.

Disaster Recovery

Our platform automatically restores customer applications and databases in the case of an outage.