Security
We take security seriously at Taloflow. Below you'll find the security policies and methodologies we employ, which are considered to be industry best practices.
External Reviews
Section
Details
Amazon Partner Network
Taloflow's applications have passed the rigorous security requirements to qualify as an Amazon Partner Network (APN) Advanced Technology Partner. This included a full architectural review of its platform by AWS Solution Architects.
Physical Security
Section
Details
Facilities
Taloflow's applications are hosted and managed within Amazon's or Google's secure data centers, using Amazon Web Services (AWS) and Google Cloud Platform (GCP), respectively. Both Amazon and Google manage risk and undergo regular assessments to ensure compliance according to industry standards. Their data center operations have been accredited under ISO 27001, SOC 1 and SOC 2, PCI Level 1, FISMA Moderate, and Sarbanes-Oxley (SOX).
Location
The Amazon and Google data centers that Taloflow uses are located in the United States.
Encryption
Section
Details
Encryption in Transit
Communications between you and Taloflow servers are encrypted via industry best practices (HTTPS).
Encryption at Rest
Taloflow supports encryption of customer data at rest.
Employee Vetting
Section
Details
Background Checks
Taloflow performs background checks on all new employees in accordance with local laws.
Confidentiality Agreements
All hires are screened through the hiring process and required to sign Non-Disclosure and Confidentiality Agreements in addition to an acknowledgement letter that lists out the risks and penalties associated with handling customer information.
Security Culture
Section
Details
Policies
Taloflow has a reference guide for security best practices that all employees and contractors understand and abide by. Everything from how to perform regular compliance reviews to how best to use a security key is covered.
Training
All employees and contractors have undergone Security Training and receive regular security updates and tips.
Audits
Taloflow does a full audit of the security practices of all employees and contractors on a monthly basis to ensure that its security policies are followed by all parties.
Secure Development
Section
Details
Authentication
Taloflow supports sign-in and Google Authentication.
Secure Credential Storage
Taloflow follows secure credential storage best practices by never storing passwords in human-readable format.
API Security & Authentication
The Taloflow API is SSL-only and you must be a verified user to make API requests. You can authorize against the API using an API token.
Separate Environments
Taloflow operates on three different levels of security environments: Development, Staging and Production.
Our Production environments have very limited access and hardened security measures in place. Development and Staging environments are separated from the Production environment, and no customer data is used in the Development or Staging environments.
There is no commonality of passwords or other security apparatus between the levels of security; they each take place within their own sandbox, and are not allowed to interact directly. All code is fully checked before moving between stages.
Virtual Private Clouds
Our cloud implementations use flexible VPC structures and appliances to provide best-of-breed security for our customers. We currently house one VPC with multiple subnets for each of the environments. Communication between the subnets is restricted by firewall and security rules. The subnets are not exposed to the Internet. All communication to the Internet comes through a Bastion service via reverse proxy.
Cloud Access
All cloud access for our environments is via a fully authenticated Identity and Access Management (IAM) key.
Limit Plain Text
We send nothing in plain text. Incoming traffic is via HTTPS and messages are encrypted.
Code Scanning
We installed ClamAV antivirus where appropriate and also scan source code before acceptance. RKHunter is used to scan for file-level rootkits.
SSL Certificate
We use SSL for encryption of our sensitive data to protect from unauthorized access. We currently use a Comodo 2048-bit verified certificate.
Credit Card Information
We use a third-party tokenization service for all credit card numbers.
System Logs
All systems are designed to have centralized and read-only usage logs for looking back on security incidents.
Cryptography
Any process involving cryptography goes through a peer-review process.
Product Security Features
Section
Details
Access & Roles
Taloflow has various permission levels for an organization (member and admin) and Taloflow users.
Transmission Security
All communications with Taloflow servers are encrypted using industry standard HTTPS. This ensures that all traffic between you and Taloflow is secure during transit.
Availability & Continuity
Section
Details
Uptime
Taloflow has an uptime monitoring service available at status.taloflow.ai. We will update our customers on issues affecting uptime. You can contact our team to resolve any and all availability issues.
Redundancy
Taloflow service clustering and network redundancies mean that there is no single point of failure in our system.
Disaster Recovery
Our platform automatically restores customer applications and databases in the case of an outage.