Security and Privacy

Introduction

We take Thoughtexchange security seriously. The security of your data is one of our most important responsibilities. This document explains what we do to keep your data secure.

Personnel security

All employees and independent contractors who work with Thoughtexchange and have access to our internal systems are required to understand and follow our internal policies and standards. Before accessing our systems, all workers agree to confidentiality terms and attend security training. This training covers privacy and security, acceptable use, preventing malware, account management, physical security and data privacy.

While working with Thoughtexchange, everyone is required to refresh privacy and security training annually. They are also required to acknowledge that they have read and understand our information security policy and incident response plan. Some employees who have elevated access to our systems and data receive additional job-specific training on privacy and security.

Upon termination of work at Thoughtexchange, all access to Thoughtexchange systems is removed immediately.

Physical security

Thoughtexchange is hosted with Amazon Web Services (AWS) in their Canadian Region. AWS delivers a scalable cloud-computing platform designed for high availability and dependability. Among the many benefits of using cloud services, a significant one is that physical security systems that would be prohibitively expensive for a single company can be implemented, because their cost is spread across thousands of customers.

Secure by design

Thoughtexchange follows a Secure Development Lifecycle. During the design phase, our product team assesses and qualifies any possible security issues. The risk analysis leverages the product team’s experience and aligns with OWASP Top 10 development practices.

All code is checked into our version-controlled repository, and code changes are reviewed by peers. Thoughtexchange has a dedicated application testing team, and all software releases pass rigorous testing before being released to production.

The Thoughtexchange application is deployed on hardened systems, and our development operations team follows recommended practices to secure our OS and web servers. We perform active vulnerability inspection and maintain server-level firewalls.

Our web application performs input validation and safely encodes output. All data transmitted between client and server travels over HTTPS. The Thoughtexchange application uses server-side sessions with defined user roles, user authentication and password management.

Protecting customer data

Service Organization Control (SOC) 2 Report

Thoughtexchange has undergone a SOC 2 audit with A-LIGN.

The SOC 2 report demonstrates our commitment to meeting security, availability and confidentiality standards. It verifies Thoughtexchange security controls are in accordance with the AICPA Trust Services Principles and Criteria.

Thoughtexchange’s SOC 2 report is available upon request from your Account Representative.

Data encryption

Thoughtexchange uses strong encryption when transmitting data over public networks, including the use of TLS 1.2 and 1.2 protocols, AES-256 encryption and SHA-based signatures. This is the same standard transport encryption used by e-commerce sites, banking and other high-security web-based systems.

We use AWS RDS encryption (we encrypt our database and snapshots). Amazon RDS encrypted instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS instance.

Backups

Thoughtexchange maintains nightly backups of all data, databases and customer-specific files. We maintain redundant copies at a second Canadian hosting provider. In the event of any data loss, we are able to restore our database and other data from these backups. Our development operations team practices data recovery regularly.

Penetration testing

Thoughtexchange regularly performs application and infrastructure penetration testing. Our security and development teams review and prioritize any reported findings. All high- and medium-priority issues are resolved before the affected release reaches our production environment.

Network security

Thoughtexchange maintains separate network environments to protect more sensitive data. Systems supporting testing, development, marketing, customer results sites and our corporate network are separate from our production systems. Administration access to our production systems is limited to our development operations team.

File sharing

When sharing reports and receiving participant lists from our customers, Thoughtexchange uses Sync (sync.com) which provides secure and private data storage and transfer in Canada. Sync allows us to provide secure links with zero-knowledge, end-to-end encryption. This means only you and your professional services manager can see your data.

Authentication

Where possible, Thoughtexchange uses multi-factor authentication. This includes administration access to production systems, 3rd-party SaaS providers and internal business systems. Thoughtexchange encourages employees to use an approved password manager to create complex, unique passwords for all systems and services they use.

The Thoughtexchange application requires a strong password, and login attempts are rate-limited to protect against brute-force and other automated attacks.

System monitoring, logging and alerting

Thoughtexchange actively monitors servers, workstations and mobile devices for possible vulnerabilities and attacks. We maintain user activity logs, server logs and audit logs for all systems. Alerts are examined and acted upon based on priority.

Virus scanning

When files are uploaded into the Thoughtexchange application, they are scanned by our redundant ClamAV instances before they are made available. If a virus is detected, the file is quarantined and a replacement file is put in place to let the exchange leader know to contact our support team. Virus definitions are updated hourly.

Endpoint monitoring and computer security

Thoughtexchange workstations run monitoring tools that can detect malware, virus activity and unsafe configurations. Workstations are required to encrypt data, have strong passwords and lock when idle. Our IT team monitors alerts and resolves any significant issues based on priority.

Mobile device management

Mobile devices that are used at Thoughtexchange are centrally managed and required to be enrolled in our mobile device management system.

Data confidentiality

Our subscription agreement and terms of use require us to maintain the confidentiality of all ‘information’ provided by our customers. This ‘information’ includes both content stored in the Thoughtexchange application and ‘information’ provided to us by our customers in phone calls, meetings, email, etc. More information can be found in our Terms of Use.

Protected data and personally identifiable information

Thoughtexchange maintains policies regarding data security and individual privacy protection. We protect our customers’ and participants’ data with the same care as we protect our own confidential data.

Thoughtexchange has internal controls in place to ensure protected data is safeguarded in accordance with applicable laws based on country, state and provincial regulations, including, but not limited to, GDPR, PIPEDA, FERPA, CIPA, PPRA and COPPA.

Participant privacy and terms of use

Our Terms of Use include our privacy policy for participants’ information.

In summary, our privacy policy is that participants’ input (thoughts, stars or other data they provide) can be made public as part of our process; their identity (email address, name and other identifying information) is shared between our customer and Thoughtexchange. The association of identity to input (i.e. who said what thought) is kept private by us, except as required by legal considerations.

Data removal

Customer and participant data can be removed upon request by contacting our support team. Backups are purged every 30 days. Thoughtexchange relies on our hosting providers to remove data from disks used by Thoughtexchange before they are repurposed.

Information security incident management

Thoughtexchange maintains security incident response policies and procedures covering initial response, investigation and customer notification. We review these policies annually.

Breach notification

Thoughtexchange makes its best efforts to protect your data; however, no method is perfect, and we cannot guarantee absolute security. If Thoughtexchange learns of a security breach, we will notify all affected users. Our breach notification procedures are consistent with our country, state and provincial obligations.

3rd-party suppliers

Thoughtexchange relies on 3rd-party suppliers like Amazon Web Services, Microsoft Azure and SendGrid to provide our services. Thoughtexchange ensures that our suppliers adhere to our data and confidentiality agreements, and we review them annually.