Twintag security policy: governance, platform security, professional services
Twintag recognises the importance of implementing appropriate technical and organisational security measures in order to prevent any unauthorised access, disclosure, alteration or destruction of customer data. For this purpose, we implement industry standard security controls and maintain a security awareness program.
Twintag is committed to transparency. Any security related incidents will be communicated to all customers. In case customer data may be affected, the concerned customers will be notified individually.
Twintag offers standard support to all its customers. For this purpose, Twintag is easily reachable via various public communication channels such as email or our community Slack. Our standard support operates on a best-effort basis. In practice, we’re able to provide near real-time assistance in most cases. Customers with additional or deviating service requirements are recommended to contact us to further discuss their needs.
Twintag invests in security improvements on a continuous basis. We work closely with expert partners in the cybersecurity field to both review our processes and pentest our solutions.
Twintag Platform Security
We assign individual user accounts to personnel who access Twintag systems. These assignments help us monitor and enforce accountability of user activity. Users are only granted access to business resources that they have been specifically authorised to use. The access rights of all users to information are granted as appropriate for conducting their duties and removed upon resignation or termination of employment, contract or agreement, or adjusted upon a change in role. Access to all core systems is protected by two factor authentication in addition to a strong password policy and logging is enabled for log-on activities on systems.
We provide training to our developers at least on a yearly basis to help identify and prevent common software vulnerabilities, including the OWASP Top 10.
We test technology changes at various stages of development. We use automated tooling including but not limited to unit-, API- and UI testing and static code quality checks on a continuous basis to help enforce a high quality standard. Developer code undergoes peer review prior to deployment into production.
Web-based customer applications are deployed under their own origin to comply with browser Same-origin policies. This can be a twintag sub-domain or a fully custom domain.
Cloud and infrastructure security
All cloud, infrastructure and application configuration is maintained under version control as part of our configuration-as-code methodology. In addition to serving as a change audit trail, any changes are subjected to peer review prior to deployment. Direct access to cloud management systems is only provided to a select number of core administrators.
All cloud foundational events including management activity, configuration changes and core health information is logged and safeguarded in a separate cloud account, with separate security and absolute minimal administrator access.
Twintag uses in-transit encryption to help secure data sent to and from its services. Data from each tenant is logically separated from others in our service so that we can enforce access and authorisation controls for all tenants as they access data inside our service.
From a GDPR standpoint, Twintag is considered a data processor. As such, we honour all obligations of a data processor by providing customers with full control over their data, in accordance with the product architecture and implementation.
Twintag is an EU based, global company. Twintag platform data is stored in the EU. To facilitate our global operations, we may transfer and access such information from around the world, including from other countries in which twintag has operations.
Twintag platform services are managed automatically using cluster orchestration. This allows the platform to scale dynamically based on demand. In case any services or their underlying hardware fails, new ones are automatically deployed in their place. This system is configured using desired state configuration that is managed under version control. This enables automatic healing and ensures insight into any changes made. Our services are deployed across multiple data center availability zones to protect against datacenter-level outages. The Twintag platform is distributed through a global content delivery network (CDN) to ensure fast page loads, worldwide.
All infrastructure and application configuration is maintained under version control, allowing for easy (re-)deployment of Twintag platform infrastructure and services. All application databases are backed up on a daily basis. Database backups are retained for 30 days. All file storage is versioned, old versions and deleted files are kept in storage for 30 days. Restore procedures are tested on at least a yearly basis.
We monitor multiple internal and external reporting channels to detect service-related issues. Twintag staff is alerted via multiple channels of any production anomalies.
Remote access & teleworking
As a global company, teleworking is in our nature and we take the necessary steps to make sure it is done securely. Twintag’s core infrastructure can only be accessed using a secured VPN connection with individual user accounts.
Twintag Professional Services
Twintag Professional Services provides consulting and custom development to help tailor the Twintag platform to our customer’s individual needs.
By default these services are offered on a time and material basis. To help inform project decision making, Twintag Professional Services can provide estimates. Estimates may include a bug budget to fix unforeseen issues and a stability buffer to help cover progressive insight into application requirements, based on project size and complexity. Estimates are not to be seen as a commitment to deliver work within a fixed budget or timeframe.
Software, documentation and other deliverables resulting from Twintag’s Professional Services offering are considered property of our customer. Any templates, libraries or components that may be used but were built before the engagement are considered property of Twintag. By default, these deliverables are considered to be accepted after the hyper-care period of 2 weeks. Any evolution or maintenance thereafter is the responsibility of our customer.
Customers with additional or deviating requirements are recommended to contact us to further discuss their needs.