Data Security Policy / Overview

Last Update 1st April 2022

  1. Purpose. This Security Policy / Overview describes Topadial.io’s security program and technical and organizational security controls to protect (a) Customer Data from unauthorized use, access, disclosure, or theft and (b) the Services. As security threats shift and evolve, Topadial.io continues to update its security program and strategy to help protect Customer Data and the Services. As such, Topadial.io reserves the right to update this Security Overview from time to time.
  2. Security Organization and Program. Topadial.io maintains a risk-based assessment security program. The framework for Topadial.io’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data. Topadial.io’s security program is intended to be appropriate to the nature of the Services and the size and complexity of Topadial.io’s business operations. 
  3. Confidentiality. Topadial.io has controls in place to maintain the confidentiality of Customer Data. All Topadial.io’s employees and contract personnel are bound by Topadial.io’s internal policies regarding maintaining the confidentiality of Customer Data and are contractually obligated to comply with these obligations.
  5. People Security

5.1 Employee Training. Topadial.io’s employees/contractors must complete security and privacy training that covers Topadial.io’s security policies, security best practices, and privacy principles. Employees on a leave of absence may have additional time to complete this training.

The core principles of our training are:

  • Employees/contractors shall not share any information relating to Topadial.io work with any third party, verbally or electronically
  • Employees/contractors shall not use any third-party application (such as email, file sharing, or servers hosted outside of AWS) to store any data without explicit consent from their direct line manager
  • Employees/contractors shall not store any information that is not wholly necessary to the duties of their job description, and shall destroy within 7 days any information that is no longer necessary to store
  • Employees shall not make handwritten notes
  • Employees shall password-protect any computer system on which they conduct Topadial.io-related work, in accordance with Topadial.io’s password policy.

  6. Architecture and Data Segregation

6.1 Topadial.io’s Services. The cloud communication platform for Topadial.io’s Services is hosted by Amazon Web Services (“AWS”). The AWS data center infrastructure used in providing Topadial.io’s Services is located in the United States and the United Kingdom. Additional information about security provided by AWS is available at https://aws.amazon.com/security and https://aws.amazon.com/whitepapers/overview-of-security-processes. Topadial.io’s production environment within AWS, where Customer Data and Topadial.io’s Services are hosted, is a Lightsail Virtual Private Server.

6.2 Services. For the delivery of Services, all network access between production hosts is restricted, using firewalls to allow only authorized services to interact in the production network. Firewalls are in use to manage network segregation between different security zones in the production and corporate environments. Firewall rules are reviewed regularly. Topadial.io’s server architecture is designed and built to identify and allow access only to and from authorized customers. These controls prevent other customers from having access to Customer Data.

  7. Physical Security. AWS data centers that host Topadial.io’s Services are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication (2FA) a minimum of two (2) times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions. Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week. Uninterruptible power supplies and on-site generators are available to provide back-up power in the event of an electrical failure. In addition, Topadial.io’s headquarters and office spaces have a physical security program that manages visitors, building entrances, CCTVs (closed circuit televisions), and overall office security. All employees, contractors, and visitors are required to wear identification badges.
  8. Security by Design. Topadial.io follows security by design principles. These activities include, but are not limited to, the performance of (a) internal security reviews before new Services are deployed; (b) penetration tests performed on new Services by independent third parties;
  9. Access Controls

9.1 Provisioning Access. To minimize the risk of data exposure, Topadial.io follows the principle of least privilege through a team-based access-control model when provisioning system access. Topadial.io personnel are authorized to access Customer Data based on their job function, role, and responsibilities, and such access requires approval of the employee’s manager. Access rights to production environments are reviewed at least semi-annually. An employee’s access to Customer Data is promptly removed upon termination of their employment. Before an engineer is granted access to the production environment, access must be approved by management and the engineer is required to complete internal training for such access, including training on the relevant team’s systems.

9.2 Password Controls. Topadial.io’s current policy for employee password management follows the NIST 800-63B guidance; as such, our policy requires longer passwords and multi-factor authentication, but does not require special characters or frequent password changes.

  10. Penetration Testing. Topadial.io has engaged independent third-party entities to conduct application-level penetration tests. Security threats and vulnerabilities that are detected are prioritized, triaged, and remediated promptly.
  11. Discovery, Investigation, and Notification of a Security Incident. Topadial.io will promptly investigate a Security Incident upon discovery. To the extent permitted by applicable law, Topadial.io will notify Customer of a Security Incident in accordance with the Data Protection Act. Security Incident notifications will be provided to the Customer via email to the email address designated by Customer in its account.
  12. Resilience and Service Continuity. The Services use a variety of tools and mechanisms to achieve high availability and resiliency. Topadial.io also leverages specialized tools that monitor server performance, data, and traffic load capacity within each availability zone and colocation data center. If suboptimal server performance or overloaded capacity is detected on a server within an availability zone or colocation data center, Topadial.io aims to act promptly on these issues.
  13. Backups and Recovery. Topadial.io performs regular backups of Customer Data, which is hosted on AWS’s data center infrastructure. Customer Data that is backed up is retained redundantly across multiple availability zones and encrypted in transit and at rest using the Advanced Encryption Standard (AES-256).