Last updated: July 12, 2021
TestFreaks (‘the Company’) is committed to the security of your data, and to the protection of all personal data on our platform.
Data is stored with Amazon Web Services (AWS) cloud services. For more information about AWS security and compliance, see their AWS Cloud Compliance documents.
Best practice is followed to control access to the cloud services, including multi-factor authentication, root access keys deleted and replaced with individual IAM users, passwords policies applied where possible, restrictive firewall rules and network segmentation, and regular review of access.
TestFreaks staff can only access data which they have a legitimate need to access. All staff and consultants with access to sensitive data has signed confidentiality agreements and are required to acknowledge compliance with our confidentiality and privacy policies.
Personal data exposed through our portal is sent with TLS encryption. The portal has individual user accounts with fine-grained access control, managed by the customer’s representative. Access lists are sent for regular review.
Any digital media containing personal data (including backups) is permanently destroyed to avoid unauthorized access to information when the media is no longer needed or no longer fully functional.
Consent. Individuals must be give consent to personal data processing. Such request should be given in clear and plain language, and it can be withdrawn later. Usually this takes place before the individual and his/her data ends up on TestFreaks platform, but TestFreaks can help manage this process by storing record of consent, including what version of the term the user gave consent to, and asking for additional consent when necessary. TestFreaks makes it easy for users to opt-out from additional processing and communication.
Breach Notification. TestFreaks will notify its customers without undue delay when becoming aware of a data breach relating to individual data or other sensitive data. TestFreaks will also notify supervising authority and data subjects in accordance with relevant regulations.
Right to Access. Under GDPR, individuals can get access to the personal data stored about them free of charge. TestFreaks is compliant, and can manage the direct contact with individuals, or by providing the data through the data controller.
Data Erasure. GDPR also entitles individuals to have the his/her personal data erased. Again, TestFreaks implements this either with direct contact, or through the data controller.
Data Minimisation and Privacy By Design. TestFreaks allows fine-grained control over how data is automatically deleted or anonymized.
For enterprise customers, TestFreaks can sign separate customized data processor agreements.
Subprocessors hosting the Company’s production infrastructure (‘hosting providers’) manage the physical security of the facilities that host the development and production environments. Each hosting provider’s System and Organization Control (SOC) 2 report details the security measures in place; The Company reviews these reports annually. Further, physical security is enforced at the Company’s corporate office. Entrances to the office are locked and required authorized badge for entry.
Devices issued to company personnel must meet minimum security criteria that include being locked when unattended. Development and production servers are configured to a baseline via configuration management tools, such as Puppet. Office networks grant no elevated access to the development or production environments. The development and production environments use firewalls and multi-factor authentication to isolate themselves from the Internet. Additional security measures are undertaken in accordance with the risk management program described above.
Access to internal systems, including web-based tools and the development and production environments, is granted based upon job responsibilities, and revoked upon termination. Access to the System production environment and source code is reviewed quarterly by management. Two-factor authentication is required to access the production environment, source code and hosting provider interfaces
Access to sensitive customer data is restricted to Service Engineering personnel with credentials to access such data. All access by non-Service Engineering personnel requires management authorization or explicit customer approval. Company personnel are not authorized to store customer data on laptops, phones, USB drives, or any other device or portable media outside of the Company’s data center. Instead, non-sensitive user data is accessed via web-based tools. Access to these tools is managed centrally and may be revoked at any time.
Code changes are tested in the development environment, committed to a source code management system that logs all changes in perpetuity, and reviewed through automated testing or by peers. Major releases are tested by QA before deployment.
An incident response plan defines roles, responsibilities, escalation paths, and communication requirements in case of incidents that affect the security, availability, or confidentiality of the System. Incidents impacting security and confidentiality of customer data are communicated to the impacted customers as per the Terms of Services (‘ToS’), pertinent contractual obligations, and Security policies published on the Company’s website.
The Company values reliability and simplicity in its infrastructure. The System is hosted in multiple availability zones. Availability zones are designed to fail independently, thus allowing the System to remain available when any single availability zone fails. Additionally, at least every 90 days, the Company practices recovery from backup, as would occur in the case of a complete failure and a requirement to move the System to a different region altogether.