# Security and Data Privacy

## TSANet Security Committee

<figure><img src="https://160382229-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFnKqXLEByXxXehD4FNIm%2Fuploads%2FnrvYomNdNniAwICFTE0B%2Fsecurity-committee.png?alt=media&#x26;token=c89d89bc-adae-4051-a1f5-14838d364001" alt=""><figcaption></figcaption></figure>

## TSANet Security & Data Protection

The system was designed to reduce the risk of storing sensitive information about Members' employees or customers. To accomplish this, the following decisions and policies were put in place.

* The system maintains only basic contact details (name, email, phone).
* All PII is removed after 30 days.
* Only endpoint metadata is stored in the system.
* TSANet maintains industry security standards (ISO 27001 and ISO 27701).
* The system does not store attachments; secure files are sent directly to the Member's system.
* The system supports Single Sign-on and API integration.

## ISO27001 / ISO27701 Certification

ISO 27001 and ISO 27701 are globally recognized standards that specify the processes and controls required to establish, maintain, and certify an information security management system (ISMS) and a privacy information management system (PIMS), respectively.

* [ISO27001 Certification](https://www.tsanet.org/wp-content/uploads/2024/11/IS-744784-001_2024.pdf)
* [ISO27701 Certification](https://www.tsanet.org/wp-content/uploads/2024/11/PM-767609-001_27701.pdf)

## TSANet Accessibility Policy

We strive to make our website as accessible and usable as possible. We follow Section 508 and the Web Content Accessibility Guidelines (WCAG 2.0) published by the World Wide Web Consortium (W3C), the web's standards body.

Section 508 is a legal requirement, and WCAG is a set of checkpoints and guidelines that help ensure that websites are designed and written accessibly. For example:

* Images have alternative text (so if you can’t see the image you can still read the text).
* The color contrast between the foreground and background is sufficiently strong.
* Text resizes according to user preference.
* Headings are correctly used (they’re not just ordinary text made to look big and bold).
* Links make sense by themselves (e.g. no links that say “Click here” or “More…”).
* Tables are used for laying out tabular information and have proper headings and summaries.

### Feedback

If you have a problem using our site, please [contact us](https://app.gitbook.com/o/eKqWTg8DAaWDMojEgPui/s/EQf8VrtfQ4uTge9KlGja/) and provide the URL (web address) of the material you tried to access and the problem you experienced. We’ll attempt to provide the information you’re seeking.

## Data Privacy FAQs

<details>

<summary>What document defines the TSANet Data Protection and Privacy?</summary>

View TSANet Data Protection & Privacy Statement at <https://tsanet.org/legal-policy/>

</details>

<details>

<summary>What legal documents define how TSANet and Members work together to solve common customer issues?</summary>

View legal documents including the code of conduct at <https://tsanet.org/legal-documents/>

Members can also set up private groups with their own legal addendum.

</details>

<details>

<summary>What Employee information do you store in the system?</summary>

The user profile requires a name and email address; a phone number is optional. Members can also use Single Sign-on from their own identity management systems, including support for just-in-time user provisioning, and can control what information is sent to the TSANet Connect system.

</details>

<details>

<summary>What Customer information do you store in the system?</summary>

Members define what common customer information they require when receiving a request. Customer data is removed from the system once the request is acknowledged, and in any case the system removes all customer data after 30 days, leaving only the request metadata below:

**Submitted By, Case Number, Priority, Summary, Date Requested, Date responded**

</details>

<details>

<summary>Do you encrypt data in transit and at rest?</summary>

Data in transit is encrypted with TLS (often still referred to as SSL), and data at rest is encrypted with AES-256.

</details>

<details>

<summary>How does TSANet protect Data Access?</summary>

Access to data is user-based. Below are the details of how this is implemented.

1. An API user is configured within the account. API access is restricted to this user.
2. This user's credential is used to obtain a JWT that secures all API calls via the `Authorization: Bearer` header. The token expires after 1 hour and must be refreshed.
3. Access to a TSANet case (notes) is protected by the combination of the API user (bound to the account) and the TSANet Case Token, which also carries the account.
4. Any invalid request returns an "unauthorized access" error.

This is tested as part of the release process and by an external third-party security team during penetration testing (part of ISO 27001 certification).
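
As an added illustration of the access model above (this is example code, not TSANet's own implementation; the token format, claim names `sub`/`acct`/`case`, the HS256 signing key, and the one-hour lifetime applied to the case token are assumptions for the example), here is a minimal server-side check that verifies the bearer JWT's signature and expiry, verifies the case token the same way, and grants access only when both are bound to the same account:

```python
import base64
import hashlib
import hmac
import json

# Assumption: a server-side HS256 signing key. In production this comes from a
# secret store, never from a literal in source as it does in this example.
SIGNING_KEY = b"example-only-signing-key-not-for-production"
TOKEN_TTL_SECONDS = 3600  # the API token lifetime stated above (1 hour)


class Unauthorized(Exception):
    """Any authentication or scoping failure maps to one 'unauthorized access' error."""


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()


def issue_token(claims: dict, now: int, ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Mint an HS256 JWT carrying `claims` plus iat/exp.

    Assumption: the same format serves as the API user's bearer token
    (claims sub + acct) and as the per-case token (claims case + acct).
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl)
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    return signing_input + "." + _b64url(_sign(signing_input.encode()))


def verify_token(token: str, now: int) -> dict:
    """Check structure, pinned algorithm, HMAC signature and expiry; return the claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad UTF-8 or bad JSON
        raise Unauthorized("malformed token")
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise Unauthorized("malformed token")
    # Pin the algorithm server-side; never let the token choose (alg=none / key confusion).
    if header.get("alg") != "HS256":
        raise Unauthorized("unexpected alg")
    expected = _sign(f"{header_b64}.{payload_b64}".encode())
    if not hmac.compare_digest(signature, expected):
        raise Unauthorized("bad signature")
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise Unauthorized("token expired")  # the client must obtain a fresh token
    return payload


def authorize_case_access(authorization_header: str, case_token: str, now: int) -> dict:
    """Gate access to a case's notes on the API user's bearer token AND the case
    token, and require that both are bound to the same account."""
    scheme, _, bearer = authorization_header.partition(" ")
    if scheme != "Bearer" or not bearer:
        raise Unauthorized("missing bearer token")
    user_claims = verify_token(bearer, now)
    case_claims = verify_token(case_token, now)
    account = user_claims.get("acct")
    # Scoping check: a missing or mismatched account must fail closed.
    if not account or account != case_claims.get("acct"):
        raise Unauthorized("case is not scoped to this account")
    return {"api_user": user_claims.get("sub"), "account": account, "case": case_claims.get("case")}


def is_authorized(authorization_header: str, case_token: str, now: int) -> bool:
    """Boolean wrapper for callers that only need allow/deny."""
    try:
        authorize_case_access(authorization_header, case_token, now)
        return True
    except Unauthorized:
        return False


if __name__ == "__main__":
    now = 1_700_000_000  # constructed fixed clock so the run is reproducible
    bearer = "Bearer " + issue_token({"sub": "api-user", "acct": "acme"}, now)
    own_case = issue_token({"case": "CASE-1", "acct": "acme"}, now, ttl=86_400)
    other_case = issue_token({"case": "CASE-2", "acct": "globex"}, now, ttl=86_400)
    print(is_authorized(bearer, own_case, now + 60))       # True: same account, fresh token
    print(is_authorized(bearer, other_case, now + 60))     # False: case belongs to another account
    print(is_authorized(bearer, own_case, now + 3600))     # False: bearer token expired after 1 hour
    print(is_authorized(bearer[:-1], own_case, now + 60))  # False: truncated signature
```

Two design points worth noting: the algorithm is pinned server-side rather than read from the token, and every failure (malformed, expired, wrong account) collapses into the same `Unauthorized` result, matching step 4 above and avoiding oracle-style differences an attacker could use to tell a valid-but-foreign case token from an invalid one. Obtaining the bearer token from the real API is not shown; a client should request a new token before the one-hour `exp` rather than retrying on 401.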

</details>

<details>

<summary>How was your system developed?</summary>

The system was developed using the best practices defined in the OWASP Secure Coding Practices guide. The Open Web Application Security Project (OWASP) defines best practices for coding secure web applications. For more information on OWASP, see <https://owasp.org/>

Some specifics of these best practices include:

1. Best practices for administration of the system, including two-factor authentication for all development and system administration environments
2. Encryption of all data in transmission
3. Best practices for API development and access

</details>

<details>

<summary>What is your Network and Host Security?</summary>

TSANet Connect uses [Cloudflare](https://www.cloudflare.com/) for network, host and API security.

A zero-trust model is used.

</details>

<details>

<summary>What is your system uptime and support process?</summary>

The system is designed to provide 99.99% uptime.  [Uptime and Support process](https://app.gitbook.com/s/EQf8VrtfQ4uTge9KlGja/)

</details>

<details>

<summary>What organizational measures have you implemented to protect Sensitive Data or Personal Data in relation to its product/service?</summary>

<figure><img src="https://160382229-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFnKqXLEByXxXehD4FNIm%2Fuploads%2Fr2nrbAfU3DgFLTjSiclI%2Fimage.png?alt=media&#x26;token=0464a298-b8f6-4b2c-89e2-ae4d4a481a05" alt=""><figcaption></figcaption></figure>

</details>

<details>

<summary>Is all media containing Sensitive Data or Personal Data disposed of securely?</summary>

100% cloud service; no physical media.

</details>

<details>

<summary>Is antivirus/anti-malware deployed on all devices that will hold Sensitive Data or Personal Data?</summary>

100% cloud service; no physical media.

</details>

<details>

<summary>Does the company have intrusion detection and/or intrusion prevention systems?</summary>

Yes, as part of the hosted cloud service.

</details>

<details>

<summary>Do you keep applications (web, app servers, database layer, bus logic) up-to-date by applying security updates and other patches?</summary>

Yes, as part of the release process (ISO 27001 certified).

</details>

<details>

<summary>Do you conduct Static Application Security Testing (SAST) or Dynamic Application Security Testing (DAST) of the application periodically, or during a major release/update?</summary>

DAST is outsourced to Security Metrics: quarterly automated scans and a yearly manual assessment.

</details>

<details>

<summary>Do you perform penetration testing and/or vulnerability scans of applications that will be utilized to provide services ?</summary>

Yes. The service is protected by Cloudflare Zero Trust; vulnerability scans run quarterly and a manual penetration test is performed yearly.

</details>

<details>

<summary>Are vulnerability scans conducted against the perimeter of all networks that will hold Sensitive Data or Personal Data?</summary>

Cloudflare Zero Trust

</details>

<details>

<summary>Are Development, Test/QA/UAT, and Staging environment/s separate from the production environment?</summary>

Yes. They are physically separated: separate VMs in different geographic regions.

</details>

<details>

<summary>Do you provide access to the application on a least privilege basis?</summary>

Yes. The default role is Standard user; the Member's business manager assigns admin roles.

</details>

<details>

<summary>What is included in API security testing?</summary>

Data scoping, SQL injection, replay attacks, data leakage, cross-site scripting (XSS), session abuse, denial of service (DoS), and the OWASP Top 10 / CWE Top 25 security issues.

</details>

<details>

<summary>Can a client manage access to the APIs?</summary>

Yes. The API user is configured in the admin portal.

</details>

<details>

<summary>Is there an incident response plan?</summary>

Yes, as part of the ISO 27001 audit.

</details>

<details>

<summary>Is there an established Business Continuity and Disaster Recovery Plan that has been approved by management, communicated to appropriate constituents, and an owner to maintain and review the program?</summary>

Yes, as part of the ISO 27001 audit.

</details>

<details>

<summary>Does your service/organization permit Members to maintain redundant copy(ies) of their data?</summary>

Yes, through system connectors (Salesforce, Microsoft Dynamics, ServiceNow).

</details>

<details>

<summary>Are network security technologies used to establish and enforce security requirements and block unauthorized traffic between segregated systems and other systems?</summary>

Cloudflare Zero Trust

</details>
