Topfloor Systems Security Policy
Effective date: 12th November 2020
Security is a top priority for us at Topfloor Systems because it is fundamental to your confidence and experience in using our Service. This Security Policy describes the organisational and technical measures that Topfloor Systems implements across all our Services to prevent unauthorised access, use, alteration or disclosure of customer data.
If you would like to report a vulnerability or have any security concerns with our Service, please contact firstname.lastname@example.org.
We take all reports very seriously. Once a report is received, our team will rapidly verify each vulnerability before taking the necessary steps to fix it.
Incident Response Plan
We have implemented procedures for handling security events and educated our employees on our policies. When a security event is detected:
- The event is escalated as the highest priority for our team to investigate and rapidly implement a fix.
- After the security event is fixed, we write up a post-mortem analysis. The report is distributed internally so that similar events are easier to detect and prevent in the future.
- If an event will affect your data in any way, we will promptly notify you in writing upon verification of a security breach. The notification will describe the breach and the status of our investigation.
- All our services operate in the cloud on Amazon Web Services (“AWS”).
- For customers based in Ireland all our services and data are hosted in the AWS facilities in the EU-West-1 region (Dublin).
- For customers based in UK all our services and data are hosted in the AWS facilities in the EU-West-2 region (London).
- All our services on AWS are protected by AWS security as described at https://aws.amazon.com/compliance/shared-responsibility-model.
- All of our AWS infrastructure is designed to have redundancy spread across multiple data centres (availability zones) in the respective region. This should allow our services to continue running should any one of those data centres fail unexpectedly.
- AWS does not disclose the precise geographical location of any of its data centres. As such, we build on the physical security and environmental controls provided by AWS. See https://aws.amazon.com/security for details of AWS security infrastructure.
- All of our servers are within our own virtual private cloud. This is designed to prevent unauthorised requests from reaching our internal network.
- We keep encrypted backups, in multiple locations on AWS, of any datastores that contain customer data.
- All data sent to and from Topfloor Systems services is encrypted and authenticated in transit using the TLS 1.2 protocol with AES-256 encryption.
- Topfloor Systems Website's latest SSL Labs Report can be found here.
- Letman App's latest SSL Labs Report can be found here.
- Letman Website's latest SSL Labs Report can be found here.
- MyLetman's latest SSL Labs Report can be found here.
- Blockman IE App's latest SSL Labs Report can be found here.
- Blockman IE Website's latest SSL Labs Report can be found here.
- MyBlockman IE's latest SSL Labs Report can be found here.
- Blockman UK App's latest SSL Labs Report can be found here.
- Blockman UK Website's latest SSL Labs Report can be found here.
- MyBlockman UK's latest SSL Labs Report can be found here.
- We make use of permission levels for any employees with access to customer data. All access is authenticated, logged and audited.
- We run a zero-trust corporate network. Being on the network does not by itself grant access to resources or internal networks; all access must be authenticated.
- We have 2-factor authentication enabled on all our infrastructure accounts to ensure that access to our cloud services is protected.
Topfloor Systems Employees
- Confidentiality: All employee contracts include a confidentiality agreement.
- All employees receive onboarding and systems training about our security systems and policies.
- Each update to the software is reviewed by at least two software engineers to ensure quality.
- All software engineers are sent to relevant training seminars at least once a year to ensure familiarity with modern and new approaches to security and reliability.
In relation to data security, the customer is responsible for:
- Managing their own user accounts and access levels for those user accounts.
- Protecting their own login credentials and ensuring their employees follow a strong password policy.
- Compliance with our terms of service.
- Compliance with all local laws.
- Promptly notifying Topfloor Systems of any possible suspicious activities that could negatively impact the security of the Service or their account.