thirdstream Security Information
At thirdstream, we take security very seriously. We believe that our customers' security and compliance posture should start with our own. As such, we have established policies and controls to ensure that our security and privacy are always maintained.
Governance
Our Security and Privacy teams are responsible for establishing policies and controls, monitoring compliance, and proving our security and compliance to third-party auditors. Our policies are based on the following principles:
- Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege.
- Security controls should be implemented and layered according to the principle of defense-in-depth.
- Security controls should be applied consistently across all areas of the enterprise.
- The implementation of controls should be iterative, continuously maturing across the dimensions of improved effectiveness, increased auditability, and decreased friction.
Data Protection
At thirdstream, we make sure that data is protected both at rest and in transit. All datastores containing customer data are encrypted at rest. Sensitive collections and tables also use row-level encryption. Additionally, we use TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks, and we employ features such as HSTS to maximize the security of our data in transit.
Secret Management
Encryption keys are managed via Azure Key Vault. Key Vault stores key material in Hardware Security Modules (HSMs), which prevents direct access by any individuals, including employees of Microsoft and thirdstream. Application secrets are encrypted and stored securely, and access to these values is strictly limited.
Product Security
We take a proactive approach to product security. We engage with one of the best penetration testing consulting firms in the industry at least annually, and all areas of the Vanta product and cloud infrastructure are in-scope for these assessments. We also require vulnerability scanning at key stages of our Software Development Lifecycle (SDLC), including static analysis testing of code, software composition analysis, malicious dependency scanning, dynamic analysis of running applications, network vulnerability scanning, and external attack surface management.
Enterprise Security
All corporate devices are centrally managed and equipped with mobile device management software and anti-malware protection. We use MDM software to enforce secure configuration of endpoints, such as disk encryption, screen lock configuration, and software updates. Our employees undergo comprehensive security training upon onboarding and annually, and our security team shares regular threat briefings to keep them informed of important security and safety-related updates.
Identity and Access Management
We use Okta to secure our identity and access management. We enforce the use of phishing-resistant authentication factors, using WebAuthn exclusively wherever possible. Access to applications is granted based on an employee's role and automatically deprovisioned upon termination of employment.
Data Privacy
At thirdstream, data privacy is a top priority. We strive to be trustworthy stewards of all sensitive data. We evaluate updates to regulatory and emerging frameworks continuously to evolve our program.
To learn more about our privacy policy, please visit www.thirdstream.ca/policy.