Security
We take security seriously at Taloflow. Below you'll find the security policies and methodologies we employ, which are considered industry best practices.
External Reviews

| Section | Details |
| --- | --- |
| Amazon Partner Network | Taloflow's applications have passed the rigorous security requirements to qualify as an Amazon Partner Network (APN) Advanced Technology Partner. This included a full architectural review of its platform by AWS Solution Architects. |
Physical Security

| Section | Details |
| --- | --- |
| Facilities | Taloflow's applications are hosted and managed within Amazon's and Google's secure data centers, using Amazon Web Services (AWS) and Google Cloud Platform (GCP) respectively. Both Amazon and Google manage risk and undergo regular assessments to ensure compliance with industry standards. Their data center operations have been accredited under ISO 27001, SOC 1 and SOC 2, PCI Level 1, FISMA Moderate, and Sarbanes-Oxley (SOX). |
| Location | The Amazon and Google data centers that Taloflow uses are located in the United States. |
Encryption

| Section | Details |
| --- | --- |
| Encryption in Transit | Communications between you and Taloflow servers are encrypted using industry best practices (HTTPS). |
| Encryption at Rest | Taloflow supports encryption of customer data at rest. |
Employee Vetting

| Section | Details |
| --- | --- |
| Background Checks | Taloflow performs background checks on all new employees in accordance with local laws. |
| Confidentiality Agreements | All hires are screened through the hiring process and are required to sign Non-Disclosure and Confidentiality Agreements, in addition to an acknowledgement letter that lists the risks and penalties associated with handling customer information. |
Security Culture

| Section | Details |
| --- | --- |
| Policies | Taloflow has a reference guide for security best practices that all employees and contractors understand and abide by. Everything from how to perform regular compliance reviews to how to best use a security key is covered. |
| Training | All employees and contractors have undergone security training and receive regular security updates and tips. |
| Audits | Taloflow performs a full audit of the security practices of all employees and contractors on a monthly basis to ensure that its security policies are followed by all parties. |
Secure Development

| Section | Details |
| --- | --- |
| Authentication | Taloflow supports sign-in and Google Authentication. |
| Secure Credential Storage | Taloflow follows secure credential storage best practices and never stores passwords in human-readable form. |
| API Security & Authentication | The Taloflow API is SSL-only, and you must be a verified user to make API requests. You authenticate to the API using an API token. |
| Separate Environments | Taloflow operates three separate environments: Development, Staging and Production. Our Production environment has very limited access and hardened security measures in place. The Development and Staging environments are separated from Production, and no customer data is used in Development or Staging. No passwords or other security apparatus are shared between environments; each runs in its own sandbox, and they are not allowed to interact directly. All code is fully checked before moving between stages. |
| Virtual Private Clouds | Our cloud implementations use flexible VPC structures and appliances to provide best-of-breed security for our customers. We currently operate one VPC with multiple subnets for each environment. Communication between the subnets is restricted by firewall and security rules. The subnets are not exposed to the Internet; all communication to the Internet passes through a Bastion service via reverse proxy. |
| Cloud Access | All cloud access to our environments is by fully authenticated Identity and Access Management (IAM) key. |
| Limit Plain Text | We send nothing in plain text. Incoming traffic arrives over HTTPS and messages are encrypted. |
| Code Scanning | We have installed ClamAV antivirus where appropriate and also scan source code before acceptance. RKHunter is used to scan for file-level rootkits. |
| SSL Certificate | We use SSL to encrypt our sensitive data and protect it from unauthorized access. We currently use a Comodo-issued, verified 2048-bit certificate. |
| Credit Card Information | We use a third-party tokenization service for all credit card numbers. |
| System Logs | All systems are designed to keep centralized, read-only usage logs for reviewing security incidents after the fact. |
| Cryptography | Any process involving cryptography goes through a peer-review process. |
Product Security Features

| Section | Details |
| --- | --- |
| Access & Roles | Taloflow provides distinct permission levels within an organization (member and admin) for Taloflow users. |
| Transmission Security | All communications with Taloflow servers are encrypted using industry-standard HTTPS. This ensures that all traffic between you and Taloflow is protected in transit. |
Availability & Continuity

| Section | Details |
| --- | --- |
| Uptime | Taloflow has an uptime monitoring service available at status.taloflow.ai. We will update our customers on issues affecting uptime. You can contact our team to resolve any and all availability issues. |
| Redundancy | Taloflow service clustering and network redundancies mean that there is no single point of failure in our system. |
| Disaster Recovery | Our platform automatically restores customer applications and databases in the case of an outage. |
Last updated