Trovata is committed to protecting your information assets and to exceeding the standard security requirements of our clients.
The information security policy expresses Trovata’s intentions and commitment toward a secure and trusted partnership. This statement complements Trovata’s Security Policy and provides a summary of Trovata’s internal security policies and procedures, which constitute the security baseline that governs the Trovata Platform and supporting applications. This statement aims to provide assurance to interested parties regarding the security of our SaaS application, as well as the data contained within it.
DATA AND INFORMATION
At Rest: Your data resides only in the production environment, encrypted with AES-256.
In Transit: Your data is transferred between user devices and servers using an up to 256-bit encrypted connection via TLS 1.2 and a world-class certificate provider. The cryptographic keys used to secure Trovata are protected by Amazon’s Key Management Services.
Our backup processes ensure data and information consistency with the highest standards.
Passwords are securely salted and hashed with SHA-512.
Your data will never leave the US.
We currently support SSO with multiple identity providers via SAML 2.0.
Account Verification for Non-SSO Users
Users are required to validate their accounts via a link provided in an automated e-mail.
Our cloud provider is AWS. We leverage their tools to set up firewall rules, intrusion and DMZ policies.
We have an automated process that patches our virtual machines on a daily basis.
We scan our infrastructure and applications periodically to detect any existing vulnerabilities. We have monitoring with AWS Cloudshield and also a Web Application Firewall with AWS WAF.
We log every action performed in the system.
Every component of our infrastructure has redundancy. We leverage AWS Availability Zones and have global redundancy in AWS.
Disaster Recovery and Business Continuity
We have tested procedures in place to guarantee our uptime and our system’s availability.
Continuous Security Program
This includes periodic independent third-party penetration tests.
Security and confidentiality incidents submitted to firstname.lastname@example.org or our in-app support chat will be resolved in accordance with established incident policy.
Reporting Service Disruption Incidents or Maintenance Windows
We use StatusPage.io to keep everyone up to date. This service provides several options for subscribing to notifications.
Move Fast, Break Nothing
We have a formal software development lifecycle methodology and change management procedures.
Monthly risk assessments are performed to ensure the application is secure.
All of our vendors offer industry-leading products and go through an exhaustive security audit to ensure their practices fit our highest security and compliance standards.
We keep our list of sub-processors up to date. You can review our current sub-processors here.
Each employee’s level of access is determined by their job position. Logical access reviews are performed periodically, and access is immediately removed if no longer necessary.
Trovata uses NordVPN Gateway to ensure that employees who require privileged access have secure access to the system.
We enforce it for every employee.
Employee Asset Control
Our employees’ devices are monitored in real-time, with antivirus, disk encryption, automatic device blocking, and security patches.
We run background checks and sign confidentiality agreements with all employees. We also train them in Information Security and Secure Development Practices.