TeamSupport Security
At TeamSupport, we work very hard to ensure your data is safe, and the people we hire and contract with must also ensure their activities are safe, with continual consideration to data integrity and security. TeamSupport maintains policies and standards designed to deliver secure software solutions and protect the privacy of our clients' information. Additionally, these policies and standards are reviewed annually, or as needed to maintain healthy services to our customers.
Information Security
Product Security
Product security is critical at TeamSupport. We utilize a software development lifecycle in line with Agile principles. When security is applied throughout the Agile release cycle, security-oriented software defects can be discovered and remediated more rapidly than in longer release cycles. Software patches are released as part of our continuous integration process. Patches that might impact customers will be applied as soon as possible but may necessitate notifications and scheduling maintenance windows.
TeamSupport performs continuous integration. In this way we are able to respond rapidly to both functionality and security issues. Change management policies and procedures determine when and how changes occur. This philosophy is central to security and development methodologies that have driven TeamSupport adoption. In this way, TeamSupport is able to achieve short mean time to resolution of issues. TeamSupport is continuously maturing our DevOps practices.
Physical Security
The TeamSupport infrastructure is hosted by Cloud Service Provider (CSP). Physical and environmental security-related controls for TeamSupport are managed by these CSPs. “All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.”
Corporate Security
TeamSupport leverages internal services that require Transport Layer Security (TLS) for network access and individually authenticate users by way of an identity provider, leveraging two-factor authentication wherever possible.
All TeamSupport personnel undergo regular security and privacy awareness training that weaves security into technical and non-technical roles. Employees are encouraged to participate in helping secure data and assets.
Data Security
Authentication and Access Management
Users may log in to TeamSupport using an Identity Provider or leveraging TeamSupport’s support for Security Assertion Markup Language (SAML). These services will authenticate an individual’s identity.
All requests to the TeamSupport API must be authenticated. Requests that write data require at least reporting access as well as an API key. Requests that read data require full user access as well as an application key. These keys act as bearer tokens allowing access to TeamSupport service functionality.
Protection of Customer Data
Data sent to TeamSupport Products by authorized users is considered confidential. This data is protected in transit across public networks and encrypted at rest. Customer Data is not authorized to exit the TeamSupport production service environment, except in limited circumstances such as in support of a customer request.
All data transmitted between TeamSupport and TeamSupport users is protected using Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS). If encrypted communication is interrupted, the TeamSupport application is inaccessible.
TeamSupport utilizes encryption to protect Customer Data and TeamSupport secrets, including encryption at rest (AES-256), asymmetric encryption (e.g. PGP) for system backups, KMS-based protections for the protection of secrets (passwords, access tokens, API keys, etc.), and GPG encryption.
Access to Customer Data is limited to functions with a business requirement to do so. TeamSupport has implemented multiple layers of access controls for administrative roles and privileges. Access to environments that contain Customer Data requires a series of authentication and authorization controls, including Multi-Factor Authentication (MFA). TeamSupport enforces the principles of least privilege and need-to-know for access to Customer Data, and access to those environments is monitored and logged for security purposes. TeamSupport has implemented controls to ensure the integrity and confidentiality of administrative credentials and access mechanisms and enforces full-disk encryption and unique credentials for workstations.
TeamSupport monitors critical infrastructure for security-related events. Activity data such as API calls and operating-system-level calls are logged to a central point where the information is passed through a series of rules designed to detect malicious, unapproved behavior or Indicators of Attack. The results of these rules alert different teams including our security team.
Compliance
Certifications, Attestations and Frameworks
TeamSupport maintains an active SOC 2 Type II report.
We are able to review and sign Business Associate Agreements (BAAs) with our Enterprise customers. If you require a BAA in order to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), please email sales@teamsupport.com and include the name of the organization or individual to whom the BAA should be addressed.
Laws and Regulations
TeamSupport’s solutions are compliant with various laws and regulations applicable to our services.
GDPR
TeamSupport is compliant with the General Data Protection Regulation (GDPR) which went into effect on May 25, 2018. TeamSupport has worked to enhance its products and procedures to meet its obligations as a data processor.
CCPA
TeamSupport does not intend to transfer, process, use, or store personal information. TeamSupport can provide our CCPA Addendum enabling customers to fulfill their obligations under the CCPA when personal data is in scope.
Vendor Management
TeamSupport leverages some third-party applications and services in support of the delivery of our products to our customers. TeamSupport recognizes that the company’s assets and vendor dependencies are critical. As such, TeamSupport has established a vendor management program that establishes requirements when TeamSupport engages third parties and/or external vendors.