Termly’s Security FAQ

Termly is committed to meeting our customers’ data protection and data security needs. This page delivers a summary of our practices and policies, which help us keep your personal information safe and secure. We work hard to ensure our systems and infrastructure are protected against unauthorized or accidental access, loss, alteration, disclosure, or destruction.

Table of Contents
  1. Access Control
  2. Transmission Control
  3. Input Control
  4. Availability Control
  5. Development Best Practices
  6. Compliance & Certification

Access Control

Preventing Unauthorized Product Access

Authentication

A uniform password policy has been implemented for our customer products:

  1. Minimum length of 8 symbols
  2. Password must contain at least one uppercase letter, one lowercase letter, and one digit

We also provide SSO authentication options using Google so users can enable multi-factor authentication using those methods.

Customers who interact with Termly Services via the user interface must authenticate before they can access non-public customer data.

Authorization

We store customer data in secure storage systems. Users can’t directly access the underlying application infrastructure. Access to sensitive data is role-based (on a “need to know” basis), only for specific purposes.

Separation of environments

We separate development, testing, and operational environments to minimize the risks of unauthorized access or changes to the operational environment.

Employee access

A limited number of our trained employees have access to customer data via controlled interfaces. The purpose of enabling employee access is to provide efficient customer support, detect and respond to security incidents, troubleshoot potential problems, and facilitate data security.

Employees are granted access by role, and all such access requests are logged. Only a few designated employees have access to the infrastructure. Termly employees do not have physical access to customers’ databases. All employees receive privacy and security training during their onboarding process and as a requirement for continued employment.

Access to critical and sensitive data is role-based (on a “need to know” basis), only for purposes of performing services’ functions, and is revoked immediately for terminated employees.

Preventing Unauthorized Infrastructure Access

Physical and environmental security

Our product infrastructure is hosted with multi-tenant, outsourced infrastructure providers. Their physical and environmental security controls are audited for a broad set of standards and compliance regulations.

See https://aws.amazon.com/compliance/ for more information.

Third-party processing

In order for us to provide our customers with the Service in accordance with our DPA, we maintain contractual relationships with vendors. This includes contractual agreements, privacy policies, and vendor compliance programs. Vendors are vetted for privacy and security compliance during the vendor assessment process.

Network security

Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The implemented technical measures differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules. We have implemented a Web Application Firewall (WAF) solution to protect internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.

Transmission Control

Data is encrypted while in transfer

We use tested and proven secure encryption protocols and disable obsolete and vulnerable ones. All access to the product requires secure connections.

Password data encryption

Password data is stored as a salted one-way hash using modern algorithms.

Input Control

Detection

We designed our infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our staff, including security, operations, and support personnel, are responsive to known incidents.

Response and tracking

We maintain a record of known security incidents that includes descriptions, dates, and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel, and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. We will notify our customers in accordance with the Terms of Service.

Availability Control

Infrastructure availability

Termly is hosted on a logically separated and distributed AWS cloud infrastructure. We do experience downtime events when AWS infrastructure does, but those are infrequent and usually limited to a handful of specific services.

All system and infrastructure downtime events are logged and researched by the infrastructure and software teams, and appropriate commercially reasonable measures are taken in response to each event. Current status, as well as recent incidents, can be found at https://status.termly.io/.

Termly uses DDOS protection services to prevent downtime from malicious denial-of-service attacks.

Fault tolerance

Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.

Redundancy and seamless fail-over

The server instances and other services that support the products are architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.

Business Continuity

Termly maintains policies and procedures to ensure that Termly may continue to perform business-critical functions in the face of an extraordinary event. This includes data center resiliency and disaster recovery procedures for business-critical data and processing functions.

Development Best Practices

Git is used for version control of both private and public repositories. Any merge to the main branch requires approval from the engineering team. Changes to the code are tested using a suite of automated and manual tests. This includes both static code analysis and the running unit, functional, and integration test suites against artifacts. Vulnerability databases are regularly reviewed and assessed for new vulnerabilities to determine if they apply to our systems/vendors.

Compliance & Certification

Following the GDPR and CCPA, Termly undertakes to take all appropriate precautions to preserve the privacy and the security of the data and, in particular, to protect them against any accidental or unlawful destruction, accidental loss, corruption, unauthorized circulation or access, as well as against any other form of unlawful processing or disclosure to unauthorized persons. In addition to regulatory compliance, in order to attest to Termly’s commitment to meeting the rigorous industry standards, we are currently preparing for the SOC2 audit process.