Security and Privacy FAQ
Whether you are a prospect or a current customer, this FAQ will provide valuable insights into how we deal with Information Security and Privacy at Templafy, and address commonly asked questions about our application and organizational security measures.
Application Security
Does Templafy conduct penetration testing of its network, infrastructure, and services?
Penetration testing is conducted to measure the security posture of Templafy Services and Infrastructure. Templafy has an external penetration test performed at least once per calendar year.
The objective of those penetration tests is to identify design or functionality issues in Templafy Services that could expose Data or Customers to risks from malicious activities.
Each external penetration test is performed by an internationally recognized, independent third-party software security testing company.
Each penetration test:
(i) encompasses both the internal and external network and authenticated application layer,
(ii) includes at least 80 hours of manual effort by the testing company,
(iii) probes for weaknesses in network perimeters or other infrastructure elements and any weaknesses in process or technical countermeasures relating to Templafy’s Services that could be exploited by a malicious party, and
(iv) identifies (at a minimum) the following security vulnerabilities: invalidated or unsanitized input; broken access control; broken authentication and session management; cross‐site scripting (XSS) flaws; buffer overflows; injection flaws; improper error handling; insecure storage; denial of service; insecure configuration management; proper use of SSL/TLS; proper use of encryption; and anti‐virus reliability and testing.
Can customers conduct their own penetration tests?
Customer-led penetration testing can be conducted upon request at security@templafy.com and is subject to conditions prior to carrying out the tests.
Does Templafy conduct vulnerability scanning of its network, infrastructure, and services?
Vulnerability scanning is performed on a continuous basis by Templafy in accordance with the vulnerability management policy. Technologies used are:
- WhiteHat Security scanning for 24/7 web application dynamic application security testing (DAST),
- SonarCloud for static application security testing (SAST) before each release,
- Software Composition Analysis 24/7. We scan the libraries and dependencies used in our products to identify vulnerabilities and ensure the vulnerabilities are managed.
- Renovate for ensuring that open-source dependencies always are the latest available version.
- Azure Security Center and Azure Monitor for daily infrastructure, network, and application vulnerability scanning. Retests and on-demand scans are performed on an as-needed basis.
Is there a formal Software Development Life Cycle (SDLC) process?
Templafy’s software development practices across each of the engineering teams are aligned with the Secure Development Lifecycle (SDLC) methodology and follow Scrum and Agile approaches.
Detailed policies and processes for the development of the Templafy Services have been designed with optimal security and quality in mind.
The principles of security by design and default are implemented and rooted in training, coaching, pair programming, code review comments, coding tools, and branch policies in Azure DevOps.
Templafy has implemented segregated environments for development, testing, and production as a means to support the segregation of duties and prevent unauthorized changes to production.
In addition, production data is not used or copied to non-production environments. Test scripts and synthetic data are created for use in the development and stage environments.
How does Templafy manage changes in the platform?
All application code changes are tested, peer-reviewed, and approved prior to implementation into production. The production and non-production environments are deployed in their own Azure Active Directory and their own Azure Subscriptions, thus completely separated, and changes are tested according to the nature of the change in an environment separate from production prior to deployment into a production release.
Tests include functionality unit testing, integration testing, smoke tests, manual regression testing, and load testing. Extensive security testing is conducted (see vulnerability management section).
All change requests are logged, whether approved or rejected, on a standardized central system. The approval of all change requests and the results thereof are documented. Access to migrate change to production requires formal approval and is restricted to authorized personnel. Code management tools enforce branch protection policies to help ensure users cannot bypass standard change controls.
Backup
What is the backup strategy in place?
For Templafy Services, tenant configuration data and binary data are backed up daily in SQL. In Templafy Hive, a 90-day Long-Term backup retention geo-redundant backup of SQL is available.
Data in storage accounts are written to three disks for redundancy per site and replicated across multiple sites.
The backup system automatically generates a backup log. A point-in-time restoration option is also enabled for up to 7 days, in which all changes can be restored with at most 10 minutes of data loss.
Access to backup data is restricted only to authorized personnel using Azure AD with multi-factor authentication.
Furthermore, all backups are encrypted using AES 256 encryption.
How long is the retention for backups?
Backups are retained for 90 days in SQL. For blob storage, we have enabled soft-delete, so data will be removed 30 days after deletion.
Does Templafy maintain offsite backups?
The Templafy solution is hosted using Microsoft Azure PaaS.
Templafy uses multi-site data centers with availability commitments to permit the resumption of Templafy Services in the event of a disaster or partial outage at its primary data center location.
Business Continuity and Disaster Recovery
How do you ensure the continuity of the Templafy platform?
The Templafy platform is deployed redundantly in primary and secondary Azure data centers in respective Azure data regions.
Templafy has created Disaster Recovery plans to cover all three general scenarios: malicious incidents (third-party or insider threat), accidental incidents (human error), and unavailability incidents (Azure outages that affect our product). Templafy's business continuity plans are reviewed annually and updated, if necessary.
Do you perform disaster recovery tests?
Templafy conducts testing of the business continuity and disaster recovery plans annually. Any issues identified during testing are resolved, and plans are updated accordingly. Testing of plans includes failing over a server and restoring backups.
What are the Recovery Time Objective and the Recovery Point Objective?
- The Recovery Time Objective (RTO) for the Templafy Platform is 24 hours.
- The Recovery Point Objective (RPO) for the Templafy Platform is 24 hours
Data Security
Is data encrypted at rest?
Data is encrypted at rest using AES 256.
Is data encrypted in transit?
Data is encrypted in transit using minimum TLS 1.2.
How are encryption keys managed?
The key management of Service-Managed keys for data at rest encryption is performed by Azure. The certificates used for data in transit encryption are managed using Azure Key Vault by Templafy and are subject to Templafy's cryptography policy.
Where is data stored?
Templafy is clustered into regions to provide enhanced availability, customers can select a region for data storage. Once selected, the data storage cannot be moved.
| Function | Description |
|---|---|
| Public Cloud Service Provider Microsoft Azure | One - North Europe (Primary) and West Europe (Secondary) Hive - West Europe (Primary) and North Europe (Secondary) - East US (Primary) and West US (Secondary) - Australia East (Primary) and Australia Southeast (Secondary) - Central Canada |
What is the data retention for the data stored in the platform?
Customer data is deleted from the platform 90 days after contract termination.
Identity and Access Management
How do users and administrators gain access to the application?
Templafy supports just-in-time user-provisioning and SSO on-boarding against Azure AD, ADFS, SAML2, WS federation, Google Authentication (OAuth 2.0), and Azure AD (OpenID Connect).
Does Templafy support SCIM?
Yes, please refer to this article on our Knowledge Base.
Does Templafy use Role-Based Access Control?
Yes, please refer to this article on our Knowledge Base.
Is access logged?
Templafy offers activity logs to all customers. These logs include:
- User management activity log
- Space members' activity log (if spaces are used)
- Library admin activity log
- Email signature activity log
These logs are available in the admin center of the customer's tenant. To learn more about logs see here.
Incident Management
Does Templafy have a defined cybersecurity incident management process?
In the event of such a Security Incident, Templafy shall provide you with a detailed description of the Security Incident and the type of Personal Information concerned, unless otherwise prohibited by law or otherwise instructed by a law enforcement or supervisory authority.
Templafy shall without undue delay (and in any event within thirty-six (36) hours) inform the affected customer in writing, whenever Templafy reasonably believes that there has been an Information Security Incident.
Templafy shall inform the customer with as many details as known at that time (and regularly update the customer thereafter in writing or by email followed by a written notification) setting out in reasonable detail, without limitation, the nature of the information compromised, threatened, or potentially compromised, the specific information compromised or potentially compromised and of all events which may adversely affect the Vendor's ability to provide the Service.
Following such notification, Templafy will take reasonable steps to mitigate the effects of the Security Incident and to minimize any damage resulting from the Security Incident.
Templafy will assist and cooperate with affected customers with any necessary or appropriate disclosures and other investigative, remedial, and monitoring measures as a result of the security incident.
Does Templafy have external reporting procedures in place for cybersecurity or privacy incidents?
Incident report is handled as part of our incident management process, whereby incidents impacting customers are reported to respective customers.
For privacy-specific incidents, the process is governed by the DPA customers, and authorities are informed as required by the law.
How can incidents be reported?
Incidents can be reported through our Incident Reporting form or through our security@templafy.com email.
What SLA is offered for the solution?
SLA: 99,5%
Please see here to monitor our uptime.
Organizational Security
Does Templafy have a cybersecurity awareness training program in place?
Mandatory general security training is provided at onboarding to all employees and contractors. Mandatory training on a specific security topic is also provided annually.
Does Templafy have a department with oversight of information security?
The Information Security department at Templafy is managed by a CISO. The department includes members dedicated to the areas of Privacy, Governance, Risk, Compliance, and Technical Operations.
Does Templafy perform background checks and screening prior to employment?
All employees undergo a background check prior to employment.
How are responsibilities allocated between Templafy, the customer, and Microsoft Azure?
Please refer to this article on our Knowledge Base.
Physical Security
How do you manage data center security?
Templafy's service data is hosted in Microsoft Azure data centers. MS Azure adheres to security controls for ISO 27001, ISO 27018, SOC 1, SOC 2, SOC 3, FedRAMP, HITRUST, MTCS, IRAP, and ENS. Please refer to this link for more details.
The data center's physical infrastructure is operated by Azure and we rely on their data center security controls.
Access controls are implemented, including biometric controls, CCTV is active across the data center perimeters and access points are staffed with security officers.
Please refer to this link for more details on the physical security measures implemented in Microsoft Azure data centers. We monitor the compliance of these controls through independent security attestations and reports.
Have you implemented physical security controls at your offices?
Templafy maintains a physical and environmental policy for its offices to ensure the security and integrity of Templafy’s facilities and the assets located within.
Templafy offices have industry-standard physical security protection with secure access, burglary alarm, motion detectors, etc.
Further visitors to secure areas are required to sign in and out with arrival and departure times, are required to wear an identification badge, and are always escorted while in secure areas.
Privacy
How does Templafy help customers comply with GDPR?
We maintain internal policies and procedures to help our customers comply with the GDPR, including by providing our customers with the following information about Templafy’s privacy and data security practices:
Data processing
Templafy will only process individuals’ personal data based on the written instructions we receive from customers – which are contained in the Master Services Agreement and Data Processing Agreement.
Security
Templafy implements appropriate technical and organizational measures to meet the GDPR’s requirements to protect individuals’ privacy.
Security measures are described in Templafy's SOC 2 (available as of the Effective Date at: https://www.templafy.com/soc-2-request/) and additionally set forth in the data processing agreement.
Assistance with privacy requests
Templafy will provide appropriate technical and organizational measures to help customers respond to inquiries from individuals that wish to exercise their privacy rights.
For example, Templafy will assist customers in responding to requests to access, correct, or delete an individual’s personal data. If you have received a privacy request from an individual, please email us at privacy@templafy.com. If we receive a privacy request directly from an individual, we forward the request to the appropriate customer.
Data retention
Templafy will only process individuals’ personal data for as long as necessary and will delete your organization’s personal data after our business relationship concludes and according to our retention period, as set out in the Data Processing Agreement.
What agreement can customers enter into with Templafy that covers the privacy of customers' personal data?
You can review Templafy's Data Processing Agreement at the following link, execute it with your AM or email us at privacy@templafy.com.
For those who do not have an executed Data Processing Agreement, the following link will govern this important part of our relationship.
Does Templafy use sub-processors in the provision of the services?
Templafy may use sub-processors, including affiliates of Templafy, as well as third-party companies, to provide, secure, or improve the Services, and such sub-processors may have access to Client Data.
Our Data Processing Agreement - Exhibit 3 provides an up-to-date list of the names and locations of all sub-processors.
How can customers contact Templafy's DPO?
Attn: Margrét Due
Head of Privacy
Wilders Plads 15A
1403 Copenhagen K
Denmark;
privacy@templafy.com
How has Templafy responded to Schrems II?
The EU General Data Protection Regulation (GDPR) was adopted to facilitate the free flow of personal data within the European Union while preserving the right to the protection of such data. In the recent judgment (Schrems II) the protection granted to personal data in the European Economic Area (EEA) must travel with the data wherever it goes.
Templafy performs due diligence on the information security practices and data protection compliance of all third-party Subprocessors and requires each to commit to written obligations regarding their security controls and applicable regulations for the protection of personal data.
We have thoroughly vetted their data protection and security measures to ensure that they meet the same high standards that we hold ourselves to.
Furthermore, Templafy has (a) SCCs in place with these sub-processors; (b) undertaken a transfer impact assessment (“TIA”) of the laws of the US and concluded that customer data will be afforded adequate protection under the SCCs; and (c) the recent European Commission (“EC”) draft “privacy shield 2” adequacy decision has found that US laws now offer sufficient protections from US government access.
Furthermore, we have created an access filter within our product that will deny all access requests originating from countries without an adequacy decision by the European Commission. Please see more about this filter here.
Does Templafy have a transparency report?
Templafy can provide updated information relating to law enforcement requests for customer information upon request. As of 12/01/2023, we have received the following requests:
| Type of Request | Number of Requests | Content Data Disclosed | Non-Content Data Disclosed |
|---|---|---|---|
| Subpoena | 0 | 0 | 0 |
| Court Order | 0 | 0 | 0 |
| Search Warrant | 0 | 0 | 0 |
| Emergency Requests | 0 | 0 | 0 |