At TeamRetro, we understand the paramount importance of data security and compliance for our customers. We are pleased to announce that we have completed both SOC 2 Type 1 and SOC 2 Type 2 audits. You can also request a copy of our SOC 3 report.
Specifically: TeamRetro holds a SOC 2 Type 2 attestation for the Security, Confidentiality, and Privacy trust services criteria. An independent auditor evaluated our policies, product, platform, and infrastructure in accordance with the Standard on Assurance Engagements ASAE 3150 (Assurance Engagements on Controls) and reported that TeamRetro's controls met those criteria over the audit period.
Achieving this attestation with an unqualified opinion provides independent, third-party validation that TeamRetro applies enterprise-level security controls to customers' data.
The independent audit was conducted by Assurance Lab following the SSAE 18, ISAE/ASAE 3402, and GS 007 assurance standards. The reports were issued through their AICPA partners; the AICPA (American Institute of Certified Public Accountants) is the professional body that defines the SOC reporting framework.
An unqualified opinion on a SOC 2 Type 2 report means the auditor found no material exceptions in the design or operating effectiveness of the controls tested across the audit period, not just at a single point in time. It demonstrates to TeamRetro's current and future customers that our information security practices, policies, procedures, and operations meet the SOC 2 criteria for security, confidentiality, and privacy.
Our ongoing SOC 2 compliance is supported by Tugboat Logic (OneTrust), a leader in security and compliance attestation for B2B SaaS companies worldwide.
We also uphold the principles of the General Data Protection Regulation (GDPR), and give our customers the choice of data residency in either the US or the EU.
Here are some of the ways we keep your data secure and maintain your confidentiality and privacy.
Secure Personnel
- TeamRetro takes the security of its own data and that of its clients and customers seriously, and ensures that only vetted personnel are given access to TeamRetro resources.
- All TeamRetro contractors and employees undergo background checks prior to being engaged or employed by us in accordance with local laws and industry best practices.
- Confidentiality or other types of Non-Disclosure Agreements (NDAs) are signed by all employees, contractors, and others who have a need to access sensitive or internal information.
- We embed a culture of security into our business by conducting employee security training and testing that covers current and emerging techniques and attack vectors.
- Our policies, internal systems, and access are based on role and function and are designed to ensure we can continue supporting customer needs without compromising data privacy.
Secure Development
- All development projects at TeamRetro, including support services, follow secure development lifecycle principles.
- All development of new products, tools, and services, and all major changes to existing ones, undergo a review and approval step to ensure security requirements are incorporated into the proposed work before development proceeds.
- Software development is conducted in line with the OWASP Top 10 recommendations for web application security.
- We maintain documented Systems Development Life Cycle policies and procedures, together with backup, availability, and change control policies.
Secure Testing
- TeamRetro commissions regular third-party penetration testing and vulnerability scanning of all production and Internet-facing systems.
- We perform static and dynamic application security testing (SAST and DAST) of all code, including open-source dependencies, as part of our software development process.
- Our applications are tested on staging environments using anonymized, aggregated, and non-identifying data before deployment, and each release undergoes a formal approval process.
- We employ a web application firewall and a security management platform to provide continuous application protection.
Cloud Security
- TeamRetro's platform enforces complete logical isolation of each customer's data within a modern cloud architecture. Under the shared responsibility model, TeamRetro leverages the native physical and network security features of the cloud service and relies on the provider to maintain the underlying infrastructure, services, and physical access policies and procedures.
- All data is encrypted at rest and in transit to prevent unauthorized access and data breaches.
- We implement role-based access controls and the principle of least privilege, and revoke access when it is no longer required.
The full TeamRetro Privacy Policy is published on the TeamRetro website at https://www.teamretro.com/privacy and addresses how personal information and intellectual property are collected, used, retained, disclosed, disposed of, and anonymized.
The Privacy Policy also provides details of the assigned Privacy Officer, assigned EU and UK Representative, and contact information. Further information and requests for a Data Processing Agreement can be found at https://www.teamretro.com/gdpr.
Enterprise clients interested in receiving a copy of our SOC 2 Type 2 or SOC 3 report can request one at https://www.teamretro.com/security.
What is TeamRetro?
TeamRetro is an enterprise-ready online retrospective tool for remote teams. Our guided retrospectives and health checks ensure productive and effective meetings, every single time. We are SOC 2 Type 2 attested and GDPR compliant, and ready to help agile leaders and teams drive continuous improvement.