SSL Security

Security

Our customers trust us to keep their data secure and confidential. We take security seriously and work constantly to ensure that trust is well-founded. Have questions? Feel free to reach out to us at security@teamretro.com

Secure Platform

Secure platform

Our services are hosted on the Salesforce Heroku platform. We opted for Heroku for a variety of reasons, including their industry-leading security and reliability. They maintain accreditations under ISO 27001, ISO 27018 and PCI DSS Level 1, and publish SOC 1 Type 2 and SOC 2 Type 2 reports. Heroku provides advanced network and operational security protections that are periodically reviewed as part of our vendor management processes.

Secure infrastructure

Our services are hosted on Amazon Web Services (AWS) infrastructure. We don’t host or run our own routers, load balancers, DNS servers or physical servers. Amazon data-centers feature 24-hour manned security, biometric access control, video surveillance, and physical locks. All systems, networked devices, and circuits are constantly monitored. AWS facilities are accredited under ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (previously SAS 70 Type II), PCI Level 1, FISMA Moderate and Sarbanes-Oxley (SOX). Learn more about AWS security.

USA or EU hosted – your choice

By default our customers are served from data-centers and data sub-processors in the United States of America, with our primary services hosted in Northern Virginia. Enterprise customers are offered the option of an EU-hosted environment with our primary services and data sub-processors located exclusively in EU member-state countries.

Always encrypted

Encryption in transit – All data sent to or from our infrastructure is encrypted in transit following industry best practices using Transport Layer Security (TLS). Our servers have been graded A+ by SSL Labs.

Encryption at rest – All our user data is encrypted in our databases using the battle-proven AES-256 encryption algorithm.

Secure payments

We aren’t in the business of handling or storing credit card numbers – your card details are directly captured and stored securely by Braintree (a PayPal company), our payments provider. Braintree is certified as PCI Level 1 compliant, and listed as a Visa® Global Compliant Provider and MasterCard® Compliant Provider (SDP). Learn more about Braintree security and compliance.

Application security monitoring

  • We use a security monitoring solution to get visibility into our application security, identify attacks and respond quickly to a data breach.
  • We use technologies to monitor exceptions, logs and detect anomalies in our applications.
  • We collect and store comprehensive logs to provide an audit trail of our applications’ activity. Our logs are frequently reviewed by our security team to identify anomalies.
  • We use Sqreen to monitor our applications. Security events are logged and notifications are sent in case of critical attacks to allow for fast remediation.

Application security protection

  • We use a runtime protection system that identifies and blocks OWASP Top 10 and business logic attacks in real-time.
  • We use security headers to protect our users from attacks. Our services have received an A grade from SecurityHeaders.io.
  • We use Sqreen to integrate security into our applications and protect our users from data breaches. It integrates protections against the most critical attack categories, such as SQL injection and cross-site scripting, and adds security headers to our application. It blocks attacks in real time and warns us when attackers start stressing our applications.
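The security headers mentioned above are the kind of thing a scanner such as SecurityHeaders.io grades. As an added example (not TeamRetro's or Sqreen's code, and not a reproduction of the scanner's exact rules), the following stdlib-only Python audits a response's header set for the headers such scanners commonly look at, and compares a weak configuration with a hardened one. Header names, thresholds (one-year HSTS) and both sample responses are this example's own assumptions:

```python
"""Audit an HTTP response's security headers (added example, stdlib only).

The checks mirror the header set that scanners such as SecurityHeaders.io
commonly grade (assumed; the service's exact rules are not reproduced).
"""
import re

# Policies one would generally expect on an authenticated web application.
# The one-year HSTS threshold and the referrer-policy allow-list are assumptions.
ONE_YEAR = 31536000
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}


def _hsts_max_age(value):
    """Extract max-age from a Strict-Transport-Security value, or None."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    return int(m.group(1)) if m else None


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    # Header names are case-insensitive, so normalise them once.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        age = _hsts_max_age(hsts)
        if age is None or age < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        # A script-src that permits inline scripts gives little XSS protection.
        script_src = re.search(r"(?:^|;)\s*script-src\s+([^;]*)", csp)
        if script_src and "'unsafe-inline'" in script_src.group(1):
            findings.append("CSP script-src allows 'unsafe-inline'")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    # Either X-Frame-Options or a CSP frame-ancestors directive covers clickjacking.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in {"DENY", "SAMEORIGIN"} and "frame-ancestors" not in (csp or ""):
        findings.append("no clickjacking protection (X-Frame-Options / frame-ancestors)")

    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER:
        findings.append("Referrer-Policy missing or permissive")

    if "permissions-policy" not in h:
        findings.append("missing Permissions-Policy")

    return findings


# Constructed sample responses (not captured from any real site).
WEAK = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}
HARDENED = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_headers(hdrs) or "all checks passed")
```

Feeding the `WEAK` response produces seven findings, while `HARDENED` produces none; in practice you would run the audit against the headers returned by your own deployment after every release, since a framework or CDN change can silently drop one of them.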

Incident management

Our employees are trained on security incident response and are on call 24/7. Suspected security incidents, including logical and physical security breaches and other concerns should be immediately addressed to security@teamretro.com and will be ticketed, tracked and resolved following our Incident Response Policy.

Downtime reporting

Enterprise customers can elect to be notified of any problems via email. Our hosting platform usually obviates the need for downtime when we make changes to our services. However, we will notify customers by email at least 24 hours in advance of any planned downtime.

Your privacy, protected

Your data remains owned by you, and is only accessible to those with whom you choose to share it. TeamRetro (and the GroupMap Technology team) may only access your data in limited circumstances such as when required by law or to provide technical support. Full details can be found in the TeamRetro Privacy Policy.

Data retention and removal

We retain our users’ data for a period of 90 days after their trial or subscription ends. All data is then completely removed from the application. Users can request the removal of data at any time by deleting their account or contacting TeamRetro support. Read more about our privacy settings in our Privacy Policy.

Business continuity and disaster recovery

We back up all our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster. We capture a full backup of customer data every 12 hours. Backups are securely encrypted and stored for 30 days, at which point they are securely destroyed. We have established Business Continuity and Disaster Recovery plans and review them annually.

User Protection

Single sign-on

Single sign-on (SSO) via your SAML Identity Provider (IdP) is available for all TeamRetro customers.

Passwords – protected

TeamRetro passwords are stored salted and cryptographically hashed using the state-of-the-art bcrypt algorithm. TeamRetro enforces a minimum password complexity requirement using Dropbox’s ZXCVBN library, ensuring passwords are safely unguessable and unbreakable.
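The storage scheme described above (a per-user random salt plus a deliberately slow hash) can be shown in a few lines. The following is an added example, not TeamRetro's code: it uses `hashlib.scrypt` from the Python standard library in place of bcrypt so that it runs without third-party packages, but the shape is the same for bcrypt, including the constant-time comparison on verification. The record format and cost parameters are this example's own assumptions:

```python
"""Salted, slow password hashing and verification (added example).

The page describes bcrypt; this example swaps in hashlib.scrypt from the
standard library. The essentials are identical: a fresh random salt per
password, a memory- and CPU-hard hash, parameters stored alongside the hash
so they can be raised later, and a constant-time comparison when verifying.
"""
import base64
import hashlib
import hmac
import os

# scrypt cost parameters (assumed for this example; tune for your hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password):
    """Return a self-describing record: scrypt$N$r$p$salt$hash (salt and hash base64)."""
    salt = os.urandom(16)  # never reuse a salt across users or rehashes
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(password, record):
    """Recompute the hash with the parameters stored in the record and compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, digest_b64 = record.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:
        # Malformed record or bad parameters: treat as a failed login, never as a crash.
        return False
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

Because the salt and cost parameters travel with the hash, two users with the same password get different records, and the cost can be raised for new records without invalidating old ones.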

Account verification

Users are required to verify their ownership of an email address via a link provided in an automated email prior to using a TeamRetro account. All users must be authenticated prior to gaining access to customer data.

Account takeover protection

We protect our users against data breaches by monitoring and blocking brute force attacks.

2-factor authentication

We allow for 2-factor authentication via Google or your SAML IdP to protect against account takeover attacks.

Role-based access control

Advanced role-based access control (RBAC) is offered on all accounts.

Suspicious user behavior monitoring

We use Sqreen to monitor suspicious behaviors and react quickly in case of account takeovers. It also protects customers against data theft by blocking credential stuffing and brute force attacks.
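The two patterns named in the "Account takeover protection" and "Suspicious user behavior monitoring" sections, brute force against one account and credential stuffing across many, both show up in login logs as bursts of failures. As an added example (not TeamRetro's or Sqreen's detection logic), the following stdlib-only Python runs a sliding-window detector over constructed log lines. The log format, the field names and the thresholds are this example's assumptions:

```python
"""Flag brute-force and credential-stuffing patterns in login logs (added example).

Not TeamRetro's or Sqreen's logic. The line format and thresholds are assumed:
    <ISO-8601 UTC timestamp> login result=<ok|fail> user=<name> ip=<address>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Assumed thresholds: 5 failures from one IP against one account inside 60 s
# (brute force), or one IP failing against 3+ distinct accounts inside 60 s
# (credential stuffing). Tune these to your own login volume.
WINDOW_SECONDS = 60
PER_ACCOUNT_FAILS = 5
DISTINCT_ACCOUNTS = 3


def parse_line(line):
    """Return (epoch_seconds, result, user, ip) or None for non-login lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), m["result"], m["user"], m["ip"]


def detect(lines):
    """Return a sorted list of (kind, ip, user) alerts; each alert fires once."""
    per_account = defaultdict(deque)   # (ip, user) -> failure timestamps in window
    per_ip_users = defaultdict(deque)  # ip -> (timestamp, user) failures in window
    alerts = set()
    for line in lines:  # lines are assumed to arrive in time order
        ev = parse_line(line)
        if ev is None or ev[1] != "fail":
            continue
        ts, _, user, ip = ev
        cutoff = ts - WINDOW_SECONDS

        q = per_account[(ip, user)]
        q.append(ts)
        while q and q[0] < cutoff:
            q.popleft()
        if len(q) >= PER_ACCOUNT_FAILS:
            alerts.add(("brute_force", ip, user))

        u = per_ip_users[ip]
        u.append((ts, user))
        while u and u[0][0] < cutoff:
            u.popleft()
        if len({name for _, name in u}) >= DISTINCT_ACCOUNTS:
            alerts.add(("credential_stuffing", ip, "*"))
    return sorted(alerts)


# Constructed sample log (documentation IP ranges, fictitious users).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login result=fail user=alice ip=203.0.113.5
2024-05-01T10:00:05Z login result=fail user=alice ip=203.0.113.5
2024-05-01T10:00:09Z login result=fail user=alice ip=203.0.113.5
2024-05-01T10:00:14Z login result=fail user=alice ip=203.0.113.5
2024-05-01T10:00:20Z login result=fail user=alice ip=203.0.113.5
2024-05-01T10:01:00Z login result=fail user=bob ip=198.51.100.7
2024-05-01T10:01:02Z login result=fail user=carol ip=198.51.100.7
2024-05-01T10:01:04Z login result=fail user=dave ip=198.51.100.7
2024-05-01T10:05:00Z login result=fail user=erin ip=192.0.2.9
2024-05-01T10:15:00Z login result=fail user=erin ip=192.0.2.9
2024-05-01T10:15:30Z login result=ok user=erin ip=192.0.2.9
some unrelated log line
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, the first IP trips the brute-force rule against `alice`, the second trips the credential-stuffing rule by failing against three different accounts in four seconds, and `erin`'s two slow typos ten minutes apart raise nothing. A production version would key the per-account window on the account alone as well (distributed attacks rotate IPs) and would feed alerts into the same ticketing path as other incidents.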

Security Practices

Secure coding

Our developers are required to follow our formally documented Application Security Policy, and follow security best practices and frameworks (OWASP Top 10, SANS Top 25). We use the following best practices to ensure the highest level of security in our software:

  • Developers participate in regular security training to learn about common vulnerabilities and threats
  • We review our code for security vulnerabilities
  • We regularly update our dependencies and make sure none of them has known vulnerabilities
  • We use Static Application Security Testing (SAST) to detect basic security vulnerabilities in our codebase
  • We use Dynamic Application Security Testing (DAST) to scan our applications
  • By using Sqreen we can more efficiently remediate vulnerabilities that were triggered by security tests, audits or bug bounty programs. We are also warned when application components with known vulnerabilities are used in production (dependencies).

Penetration testing

We periodically commission independent penetration testing, validating the security of the TeamRetro platform. We fix all high or critical issues within a maximum of 7 days.

Risk assessments

An annual risk assessment is conducted to identify threats and vulnerabilities for TeamRetro systems. Mitigation strategies are developed based on the results of the risk assessment.

System hardening

SERVER CONTAINERIZATION – TeamRetro uses OS containerization via Heroku to ensure that access to TeamRetro data and code is properly restricted. All TeamRetro services run on dedicated compute resources isolated in their own virtual network.

SERVER EPHEMERAL FILESYSTEMS – TeamRetro servers operate on an ephemeral filesystem, restored to a fresh copy of the most recently deployed code at minimum once per day, or every time a new version is deployed.

SYSTEM PATCHING – Platform-level patching (operating system, system libraries and services) of TeamRetro application and database servers is performed on an ongoing basis by Heroku.

APPLICATION PATCHING – Application patching (application libraries etc.) is performed by TeamRetro on an ongoing basis.

COMPUTERS – All team assets (such as development laptops and desktops) utilize encrypted storage and are protected by up-to-date anti-virus software.

Comprehensive logging

We maintain comprehensive logs of every transaction on the system, with specific logging for login attempts. Our logs are frequently reviewed by our security team to identify attempted unauthorized access.

Our team’s access

  • Our strict internal procedure prevents any employee or administrator from gaining access to user data. We may only access your data in limited circumstances such as when required by law or to provide technical support. Full details can be found in our Privacy Policy.
  • Our employees and contractors sign a Non-Disclosure and Confidentiality Agreement to protect our customers’ sensitive information.
  • Our employees and contractors are screened by a leading background checking service.
  • The access level of each of our employees is determined by need, periodically reviewed and revoked if no longer necessary. We enforce multi-factor authentication for all critical TeamRetro systems.

Responsible disclosure

We encourage everyone who practices responsible disclosure and complies with our policies and terms of service to participate in our bug bounty program. Please avoid automated testing and only perform security testing with your own data. Please do not disclose any information regarding the vulnerabilities until we fix them. Rewards are given at our discretion depending on the criticality of the vulnerability reported.

You can report vulnerabilities by contacting security@teamretro.com. Please include a proof of concept. We will respond as quickly as possible to your submission and won’t take legal action if you follow the rules.

Coverage

  • *.teamretro.com
  • *.eu.teamretro.com

Exclusions

  • feedback.teamretro.com
  • help.teamretro.com
  • mail.teamretro.com
  • status.teamretro.com
  • track.teamretro.com

Accepted vulnerabilities are the following:

  • Cross-Site Scripting (XSS)
  • Open redirect
  • Cross-site Request Forgery (CSRF)
  • Command/File/URL inclusion
  • Authentication issues
  • Code execution
  • Code or database injections

This bug bounty program does NOT include:

  • Account/email enumerations
  • Denial of Service (DoS)
  • Attacks that could harm the reliability/integrity of our business
  • Spam attacks
  • Clickjacking on pages without authentication and/or sensitive state changes
  • Mixed content warnings
  • Lack of DNSSEC
  • Content spoofing / text injection
  • Timing attacks
  • Social engineering
  • Phishing
  • Insecure cookies for non-sensitive cookies or 3rd party cookies
  • Vulnerabilities requiring exceedingly unlikely user interaction
  • Exploits that require physical access to a user’s machine

Third Party Vendors

TeamRetro makes use of a number of third-party vendors to enable a rich online experience.

  • Heroku – platform, database and backups (Privacy, Security, Status pages)
  • Pusher – real-time data synchronization (Privacy, Security, Status pages)
  • Braintree Payments – payment processing and subscriptions (Privacy, Security, Status pages)
  • Amazon S3 – asset storage (Privacy, Security, Status pages)
  • ImgIX – asset resizing (Privacy, Status pages)
  • SendGrid – transactional emails (Privacy, Security, Status pages)
  • Sqreen – application security (Privacy, Security, Status pages)

GroupMap Technology (makers of TeamRetro) relies on industry-leading vendors like Google Apps to provide services like corporate email security and corporate file security. Have a question or something to report? Drop us a line at security@teamretro.com