Yes, we are.

Specifically: we are now officially SOC 2 Type I compliant.

Our controls were assessed against the American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) framework for service organizations, under the SSAE 18 attestation standard. An unqualified opinion under this standard is independent, third-party validation that the security controls TeamRetro applies to customers' data are suitably designed for an enterprise customer base.

We were independently audited by Assurance Lab against the SSAE 18, ISAE/ASAE 3402 and GS 007 standards, with the accredited report issued through their AICPA partners. We are pleased to have received an unqualified report.

An unqualified opinion on a SOC 2 Type I report tells TeamRetro's current and future customers that, as of the audit date, our information security practices, policies, procedures and operations were found to be suitably designed to meet the SOC 2 Trust Services Criteria for security. A Type I report speaks to the design of controls at a point in time, rather than to their operating effectiveness over a review period, which is what a Type II report covers.

Our ongoing SOC 2 compliance is being supported by Tugboat Logic (OneTrust), a leader in security and compliance attestation for B2B SaaS companies worldwide.

Here are just some of the ways we keep your data secure and maintain your confidentiality and privacy.

Secure Personnel

TeamRetro takes the security of its own data and that of its clients and customers seriously and ensures that only vetted personnel are given access to TeamRetro resources.

  • All TeamRetro contractors and employees undergo background checks prior to being engaged or employed by us in accordance with local laws and industry best practices.
  • Confidentiality or other types of Non-Disclosure Agreements (NDAs) are signed by all employees, contractors, and others who have a need to access sensitive or internal information.
  • We embed the culture of security into our business by conducting employee security training & testing using current and emerging techniques and attack vectors.
  • Our policies, internal systems, and access are based on role and function and designed to ensure that we can continue to support customer needs without compromising on data privacy.

Secure Development

  • All development projects at TeamRetro, including support services, follow secure development lifecycle principles.
  • All development of new products, tools and services, and major changes to existing ones, go through a review and approval step before development starts, so that security requirements are built into the proposed design.
  • Software development is conducted in line with OWASP Top 10 recommendations for web application security.
  • We maintain documented Systems Development Life Cycle (SDLC) policies and procedures, along with documented backup, availability and change-control procedures.

Secure Testing

TeamRetro deploys third-party penetration testing and vulnerability scanning of all production and Internet-facing systems on a regular basis.

  • We perform static and dynamic application security testing (SAST and DAST) of all code, including the open source libraries we depend on, as part of our software development process.
  • Our applications are tested on staging environments using anonymized, aggregated, and non-identifying data before deployment and undergo a formal approval process.
  • We employ a web application firewall and web application security management platform to enable continuous and ongoing protection of the application.

Cloud Security

Customer data in TeamRetro's cloud is logically isolated per customer within a modern cloud architecture. TeamRetro relies on the native physical and network security controls of the cloud provider, which maintains the underlying infrastructure, services and physical access policies and procedures; TeamRetro remains responsible for the security of the application and of the customer data it processes.

  • All data is encrypted at rest and in transit to protect it against unauthorized access.
  • We apply role-based access control and the principle of least privilege, and revoke access when it is no longer needed.

The full TeamRetro Privacy Policy is published on the TeamRetro website at https://www.teamretro.com/privacy and addresses how personal information and intellectual property are collected, used, retained, disclosed, disposed of, and anonymized. The Privacy Policy also provides details of the assigned Privacy Officer, the assigned EU Representative, and contact information including the primary privacy@teamretro.com email.

If you are an enterprise client interested in receiving a copy of our report, please contact security@teamretro.com (requires signing an NDA).

What is TeamRetro?

TeamRetro is an enterprise-ready online retrospective tool for remote teams. Our guided retrospective and health check techniques ensure your retros are worthwhile – each and every time. TeamRetro is a secure, GDPR compliant, and enterprise-ready tool for Agile Coaches and Teams to run engaging, effective, and fun retrospectives and team health checks. With multiple templates you can customize, or create your own to share, along with live-action plans and useful facilitation controls, TeamRetro lets your team focus on continuous improvement.