Security, Compliance and QA
Security and compliance are top priorities for Teamhood because they are fundamental to your experience with the product. Teamhood is committed to securing your data, eliminating systems vulnerability, and ensuring continuity of access.
Teamhood uses a variety of industry-standard technologies and services to secure your data from unauthorized access, disclosure, use, and loss. All Teamhood employees undergo background checks before employment and are trained on security practices during company onboarding and on an annual basis.
Security is directed by Teamhood’s Chief Technology Officer and maintained by Teamhood engineering team.
Physical access control
Teamhood is hosted in Microsoft Azure cloud platform and Teamhood is using Azure Security center to monitor and ensure highest security standards across all system layers of Teamhood cloud software.
Physical access to data centers and related infrastructure in Microsoft Azure is controlled by the measures listed here.
Physical access in Teamhood office is controlled by:
– Access cards
– Physical locks
– Security alarms in every office zone
– Vehicle access barriers
Teamhood employees do not have access to physical location of Microsoft Azure datacenters, servers, network, storage or equipment.
Logical access control
Teamhood is the assigned administrator of its infrastructure on Microsoft Azure cloud platform, and only designated authorized Teamhood engineering team members have access to configure the infrastructure on an as-needed basis behind a secure role controlled Azure AD authentication.
Quarterly access checks are performed to ensure minimal access exposure across all Teamhood employees.
Teamhood cloud platform system access is limited and access controlled respectability for roles in a need to access the system for valid business and technical reasons such as but not limited to customer support, disaster recovery, incident investigation, system upgrades and maintenance work.
Third party audit
Microsoft Azure undergoes various third-party independent audits regularly and can provide verification of compliance controls for its data centers, infrastructure, and operations. This includes, but is not limited to, SSAE 16-compliant SOC 2 certification and ISO 27001 certification. Find full list here.
Business Continuity and Disaster Recovery
High Availability
Every part of the Teamhood service uses properly-provisioned, replicable and/or redundant servers/virtual machines for the case of failure. As part of regular maintenance, virtual machines are added or removed without interruption to service.
Business Continuity
Teamhood keeps hourly encrypted backups of data in Microsoft Azure datacenters. While never expected, in the case of production data loss (i.e., primary data stores lost), we will restore organizational data from these backups. Data loss and recovery from backup is regularly tested.
Disaster Recovery
In the event of a region-wide outage, Teamhood will bring up a duplicate environment in a different Microsoft Azure (Northern Europe, Central Europe or West Europe) region.
In the event of single tenant outage an identical copy of service will be provisioned automatically upon detection.
In the event of tenant data loss or accidental/intentional data deletion Teamhood L2 support will be able restore data from maintained backup repository upon customer request and agreement for which backup timestamp to pick.
Contingency Planning
Teamhood engineering team includes service continuity and threat remediation among its top priorities. We keep a contingency plan in our internal wiki in case of unforeseen events, including disaster recovery, service outage and/or customer communication sub-plans that are tested and updated on a regular basis.
Employee hiring, operations and security training
All Teamhood employees undergo background checks prior to hiring. All Teamhood employees are introduced to Teamhood security policies during onboarding and informed about policy changes on event.
All Teamhood employees use most up to date workstations with domain level control and strict account control. Users are assigned as minimal as possible roles to perform assigned duties. Account control and periodic review is performed on quarterly basis.
Upon contract termination all user access rights are reworked on last day of employement. All hardware equipment is reacquired and either repurposed or utilized. Workstation user data is completely removed from workstations.
Data flow security
Data is sent securely to and from Teamhood via TLS to/from HTTPS endpoint. All data in transit is AES-256bit encrypted.
Data at rest security
All Teamhood databases are fully encrypted including their backups and logs. Real time threat protection is enabled and continuous vulnerability auditing is enabled.
Data backup policies
We continuously backup snapshots and database events. We provide capability to restore data from backup as PITR principle for past 7 days. We can restore data to timestamp with precision of minutes.
Observability and system operation status
Teamhood system is actively and continuously monitored with alerting and escalation procedures in place. Each Teamhood tenant can be monitored individually and operational status checks can be performed by Teamhood customers or upon request.
Data privacy and GDPR compliance
Data privacy and compliance to EU regulations are among top priorities at Teamhood. You can read more about our privacy policies here.
Internal security policies
Teamhood maintains an internal wiki of security policies, which is updated on an ongoing basis and reviewed annually for gaps. Our security policies include but are not limited to the following:
– Information Security
– Security Incident Response
– Vulnerability Management and Security patching done at least monthly for all P1 systems
– Policy Management and Maintenance
– Data Request
– Change Management
– System Access
All employees performing duties with or close to SaaS solution have a access role assigned with as minimal as possible access right set.
Only entitled employees are able to access customer data and only for support functions. Employees cannot store copies of customer data on their workstations or any other media.
All workstations and SSD or HDD drivers on those workstations are utilized by secure utilization vendor as a service.
QA and Change management
Every Teamhood cloud system change undergoes the following process before being deployed to production:
- Acceptance testing in CI environment
- Smoke testing in CI environment
- Extended smoke testing and hallway testing in CI environment
- Canary release to Prod for designated tenants (our own company as well as other early adopters comprise the list of canary candidates, none of the customers are added to this list without approval or request)
- Full release to all Prod tenants
We are able to rollback or rollfoward to any specific version each tenant individually or full list. We can do targeted releases for single tenants upon necessity or request. But such procedure is limited to incident management and is not used on regular basis.
Roles based access control
Software engineer
Performs changes to Teamhood system code. Has access to testing environment. Has access to system and system lifecycle automations code.
Software quality engineer
Performs Teamhood system end user level testing. Has access to testing environment.
Devops engineer
Performs Teamhood software lifecycle management. Has access to all environments. Cannot perform Teamhood system code changes. Has access to system lifecycle automations code.
Release manager
Rotated role among devops engineers. Performs release management, incident handling/rollback. Has access to all environments.
Business system classification and risk management
Every system related by functionality or storing Teamhood related data or operating as part of Teamhood cloud infrastructure is classified from Critical to Low. System classification and risk assesment performed on yearly basis.
All systems in scope have dedicated procedures, SLA’s and risk management instrumentation setup based on their criticality.
| Critical | High | Medium | Low | |
| Availability | 99.9% | 99% | 98% | 95% |
| MTTR (Mean time to restore) | <2 hours | <1 business day | <2 business days | <5 business days |
| Recovery procedures | Must have | Must have | Must have | Should have |
| Backups | Multiple hourly and multiple daily (rolling) | Multiple, rolling (hourly) | Single, rolling (daily) | Optional |
| Vulnerability and threat assesment | Monthly | Quarterly | Quarterly | Yearly |
| Remediation of high risk findings | <30 days | <90 days | <90 days | <180 days |
| Remediation of medium risk findings | <90 days | <180 days | <365 days | <365 days |
| Change management (minor updates or patching) | Tested, duplicated, grace period pre-production | Tested on different non-production setup | Testing optional | Testing optional |
| Change management (major updates) | Tested on similar scope or identical non-production setup | Tested on different non-production setup | Tested on different non-production setup | Testing optional |
| Maximum supported level of information class | Confidential | Confidential | Internal | Internal but deidentified |
| System log review policy | Weekly, automated | Weekly, automated | Monthly, automated | Optional |
| System hardware device log review | Weekly, automated | Weekly, automated | Monthly, automated | Optional |