Security and Privacy
We take ThoughtExchange security seriously. The security of your data is one of our most important responsibilities. This document explains what we do to keep your data secure.
All employees and independent contractors who work with ThoughtExchange and have access to our internal systems are required to understand and follow our internal policies and standards. Before accessing our systems, all workers agree to confidentiality terms and attend security training. This training covers privacy and security, acceptable use, preventing malware, account management, physical security and data privacy.
While working with ThoughtExchange, everyone is required to refresh privacy and security training annually. They are also required to acknowledge that they have read and understand our information security policy and incident response plan. Some employees who have elevated access to our systems and data receive additional job-specific training on privacy and security.
Upon termination of work at ThoughtExchange, all access to ThoughtExchange systems is removed immediately.
ThoughtExchange is hosted with Amazon Web Services (AWS) in their Canadian Region. AWS delivers a scalable cloud-computing platform designed for high availability and dependability. One significant benefit of cloud hosting is that the physical security controls of the data centres, which would be prohibitively expensive for a single organization to build, are provided by AWS, with their cost spread across thousands of customers.
Secure by design
ThoughtExchange follows a Secure Development Lifecycle. During the design phase, our product team assesses and qualifies any possible security issues. This risk analysis leverages the product team's experience and aligns with the OWASP Top 10 web application security risks.
All code is checked into our version-controlled repository, and code changes are reviewed by peers. ThoughtExchange has a dedicated application testing team, and all software releases pass rigorous testing before being released to production.
The ThoughtExchange application is deployed on hardened systems, and our development operations team follows recommended practices to secure our operating systems and web servers. We actively scan for vulnerabilities and maintain server-level firewalls.
Our web application validates input and safely encodes output. All traffic between client and server is sent over HTTPS. The ThoughtExchange application uses server-side sessions with defined user roles, user authentication and password management.
Protecting customer data
Service Organization Control (SOC) 2 Type 2
ThoughtExchange fulfills ongoing SOC 2 Type 2 audits through an independent auditor.
SOC 2 Type 2 demonstrates our continuous commitment to meeting security, availability and confidentiality standards. It verifies that ThoughtExchange's security controls are in accordance with the AICPA Trust Services Criteria (formerly the Trust Services Principles and Criteria).
ThoughtExchange’s SOC 2 Type 2 report is available upon request from your Account Representative.
ThoughtExchange uses strong encryption when transmitting data over public networks: TLS 1.2 and 1.3 with AES-256 cipher suites and SHA-2 based integrity checks and certificate signatures. This is the same transport encryption that protects e-commerce sites, online banking and other high-security web-based systems.
We use AWS RDS encryption (we encrypt our database and snapshots). Amazon RDS encrypted instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS instance.
ThoughtExchange maintains nightly backups of all data, databases and customer-specific files. We maintain redundant copies at a second Canadian hosting provider. In the event of any data loss, we are able to restore our database and other data from these backups. Our development operations team regularly tests restoring from these backups.
ThoughtExchange regularly performs application and infrastructure penetration testing. Our security and development teams review and prioritize any reported findings. All high- and medium-priority findings are remediated before the affected changes are released to our production environment.
ThoughtExchange maintains separate network environments to protect more sensitive data. Systems supporting testing, development, marketing, customer results sites and our corporate network are separate from our production systems. Administrative access to our production systems is limited to our development operations team.
When sharing reports and receiving participant lists from our customers, ThoughtExchange uses Sync (sync.com) which provides secure and private data storage and transfer in Canada. Sync allows us to provide secure links with zero-knowledge, end-to-end encryption. This means only you and your professional services manager can see your data.
Where possible, ThoughtExchange uses multi-factor authentication. This includes administration access to production systems, 3rd-party SaaS providers and internal business systems. ThoughtExchange encourages employees to use an approved password manager to create complex, unique passwords for all systems and services they use.
The ThoughtExchange application requires a strong password, and login attempts are rate limited to blunt password-guessing attacks.
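As an added illustration of what "strong password and rate limited" means in practice, the following example (written for this page; it is not ThoughtExchange's code, and the thresholds, the PBKDF2 storage scheme and the sample user store are assumptions) shows a login path that checks a sliding-window limit keyed on both the account and the source IP before it does any password work, so that one IP spraying many accounts and many IPs hammering one account both trip a limit, and that spends the same time on a non-existent username as on a real one.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Optional, Tuple

# Assumed storage scheme for the example: username -> (salt, PBKDF2-SHA256 digest).
PBKDF2_ROUNDS = 100_000

def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def verify_password(record: Tuple[bytes, bytes], password: str) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

# Verified when the username does not exist, so a miss costs the same time as a hit
# (otherwise response time would reveal which usernames are valid).
DUMMY_RECORD = make_record("not-a-real-password")

def is_strong_password(password: str) -> bool:
    """Minimum policy for the example: length, plus a short constructed denylist."""
    common = {"password", "password1", "123456789012", "qwertyuiop12"}
    return len(password) >= 12 and password.lower() not in common

class LoginRateLimiter:
    """Sliding-window failure counter keyed on the account AND the source IP."""
    def __init__(self, max_attempts=5, window_seconds=300, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _keys(self, username, ip):
        return (f"user:{username.lower()}", f"ip:{ip}")

    def _recent(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        return q

    def is_blocked(self, username, ip) -> bool:
        now = self.clock()
        return any(len(self._recent(k, now)) >= self.max_attempts for k in self._keys(username, ip))

    def record_failure(self, username, ip):
        now = self.clock()
        for k in self._keys(username, ip):
            self._recent(k, now).append(now)

    def record_success(self, username, ip):
        self.failures.pop(f"user:{username.lower()}", None)  # IP counter deliberately kept

def attempt_login(limiter, users, username, password, ip) -> str:
    """Returns 'blocked', 'denied' or 'ok'. The limit is checked before any password work,
    and a blocked response looks the same whether or not the account exists."""
    if limiter.is_blocked(username, ip):
        return "blocked"
    record = users.get(username.lower())
    ok = verify_password(record if record else DUMMY_RECORD, password) and record is not None
    if ok:
        limiter.record_success(username, ip)
        return "ok"
    limiter.record_failure(username, ip)
    return "denied"

def demo():
    """Five wrong guesses, then the right password while still blocked, then after the window."""
    clock = [1000.0]  # controllable clock so the run is deterministic
    limiter = LoginRateLimiter(max_attempts=5, window_seconds=300, clock=lambda: clock[0])
    users = {"alice": make_record("correct horse battery staple 42")}
    results = []
    for _ in range(5):
        results.append(attempt_login(limiter, users, "alice", "wrong-guess", "203.0.113.7"))
        clock[0] += 1
    results.append(attempt_login(limiter, users, "alice", "correct horse battery staple 42", "203.0.113.7"))
    clock[0] += 301
    results.append(attempt_login(limiter, users, "alice", "correct horse battery staple 42", "203.0.113.7"))
    return results

if __name__ == "__main__":
    print(demo())  # ['denied', 'denied', 'denied', 'denied', 'denied', 'blocked', 'ok']
```

In a real deployment the counters live in a shared store so every application instance sees the same totals, and a blocked attempt is not counted (it was never checked). The correct password being refused at the sixth attempt is the intended behaviour: an attacker who guesses right inside the window learns nothing, which is the point of limiting on the account as well as the IP.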
System monitoring, logging and alerting
ThoughtExchange actively monitors servers, workstations and mobile devices for possible vulnerabilities and attacks. We maintain user activity logs, server logs and audit logs for all systems. Alerts are examined and acted upon based on priority.
When files are uploaded into the ThoughtExchange application, they are scanned by our redundant ClamAV instances before they are made available. If a virus is detected, the file is quarantined and a replacement file is put in its place that tells the exchange leader to contact our support team. Virus definitions are updated hourly.
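The upload flow described above, as an added example written for this page rather than ThoughtExchange's own code: the client side speaks clamd's documented INSTREAM protocol (a null-terminated zINSTREAM command, length-prefixed chunks, a zero-length chunk to finish, and a "stream: <name> FOUND" or "stream: OK" reply), anything other than a clean verdict sends the bytes to quarantine and serves a placeholder instead, and a small stand-in server answers the protocol offline so the example runs without a real ClamAV daemon. The stand-in server, the placeholder wording and the in-memory quarantine are assumptions; in production the socket would be connected to clamd's Unix socket or its TCP port (3310 by default).

```python
import hashlib
import socket
import struct
import threading
from dataclasses import dataclass
from typing import Optional

# Public EICAR test string: harmless, but every scanner flags it (constructed sample input).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
PLACEHOLDER = b"This file was removed because it failed a malware scan. Please contact support."

def clamd_instream_scan(sock, data: bytes, chunk_size: int = 65536):
    """Client side of clamd's INSTREAM command over an already-connected socket.
    Returns ('OK', None), ('FOUND', signature_name) or ('ERROR', reply_text)."""
    sock.sendall(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        sock.sendall(struct.pack(">I", len(chunk)) + chunk)  # 4-byte big-endian length prefix
    sock.sendall(struct.pack(">I", 0))  # zero-length chunk terminates the stream
    reply = b""
    while not reply.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break
        reply += part
    text = reply.rstrip(b"\0").decode(errors="replace")
    if text.endswith(" FOUND"):
        return "FOUND", text[len("stream: "):-len(" FOUND")]
    if text == "stream: OK":
        return "OK", None
    return "ERROR", text  # e.g. "INSTREAM size limit exceeded. ERROR" when StreamMaxLength is hit

def fake_clamd(conn):
    """Stand-in for the daemon (assumption, not ClamAV): consumes one INSTREAM session and
    answers FOUND if the stream contains the EICAR string, otherwise OK."""
    buf = bytearray()
    def read_exact(n):
        while len(buf) < n:
            part = conn.recv(4096)
            if not part:
                raise ConnectionError("client closed mid-stream")
            buf.extend(part)
        out = bytes(buf[:n])
        del buf[:n]
        return out
    cmd = b""
    while not cmd.endswith(b"\0"):
        cmd += read_exact(1)
    if cmd != b"zINSTREAM\0":
        conn.sendall(b"UNKNOWN COMMAND\0")
        return
    body = bytearray()
    while True:
        (n,) = struct.unpack(">I", read_exact(4))
        if n == 0:
            break
        body.extend(read_exact(n))
    conn.sendall(b"stream: Eicar-Test-Signature FOUND\0" if EICAR in body else b"stream: OK\0")

def scan_via_fake_clamd(data: bytes):
    """Runs the real client against the stand-in server over a socketpair."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_clamd, args=(server,))
    worker.start()
    try:
        return clamd_instream_scan(client, data)
    finally:
        client.close()
        worker.join()
        server.close()

@dataclass
class StoredFile:
    name: str
    content: bytes
    quarantined: bool
    detection: Optional[str]

def handle_upload(name: str, data: bytes, scanner, quarantine: dict) -> StoredFile:
    """scanner(data) -> (status, detail). Fails closed: any verdict other than OK (a detection
    or a scanner error) sends the bytes to quarantine, keyed by SHA-256, and the placeholder is
    what the exchange sees."""
    status, detail = scanner(data)
    if status == "OK":
        return StoredFile(name, data, False, None)
    quarantine[hashlib.sha256(data).hexdigest()] = data
    return StoredFile(name, PLACEHOLDER, True, detail or status)

def demo():
    quarantine = {}
    clean = handle_upload("agenda.txt", b"Agenda for Tuesday\n", scan_via_fake_clamd, quarantine)
    bad = handle_upload("invoice.pdf", EICAR, scan_via_fake_clamd, quarantine)
    return clean, bad, quarantine

if __name__ == "__main__":
    for item in demo()[:2]:
        print(item.name, "quarantined" if item.quarantined else "served", item.detection)
```

Treating a scanner error the same as a detection is the choice a practitioner would want to confirm against the page's "redundant ClamAV instances": redundancy keeps uploads flowing when one daemon is down, but an upload that no daemon could scan should still not be served.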
Endpoint monitoring and computer security
ThoughtExchange workstations run monitoring tools that can detect malware, virus activity and unsafe configurations. Workstations are required to encrypt stored data, use strong passwords and lock when idle. Our IT team monitors alerts and resolves any significant issues based on priority.
Mobile device management
Mobile devices that are used at ThoughtExchange are centrally managed and required to be enrolled in our mobile device management system.
Protected data and personally identifiable information
ThoughtExchange maintains policies regarding data security and individual privacy protection. We protect our customers’ and participants’ data with the same care as we protect our own confidential data.
ThoughtExchange has internal controls in place to ensure protected data is safeguarded in accordance with applicable laws based on country, state and provincial regulations, including, but not limited to GDPR, PIPEDA, FERPA, CIPA, PPRA and COPPA.
Customer and participant data can be removed upon request by contacting our support team. Backups are purged on a 30-day cycle, so data removed from production may persist in backups for up to 30 days. ThoughtExchange relies on our hosting providers to remove data from disks used by ThoughtExchange before they are repurposed.
Information security incident management
ThoughtExchange maintains security incident response policies and procedures covering initial response, investigation and customer notification. We review these policies annually.
ThoughtExchange makes every reasonable effort to protect your data; however, no method is perfect, and we cannot guarantee absolute security. If ThoughtExchange learns of a security breach, we will notify all affected users. Our breach notification procedures are consistent with our country, state and provincial obligations.
ThoughtExchange relies on third-party suppliers such as Amazon Web Services, Microsoft Azure and SendGrid to provide our services. ThoughtExchange ensures that these suppliers adhere to our data and confidentiality agreements and reviews them annually.