TechTree Security


1. Introduction

Recruitment and HR information is vital to your business, and we regard the security of customer data with the utmost seriousness. We operate TechTree on hardened infrastructure-as-a-service (IaaS) platforms from Google Cloud Platform.

2. Product Security

Authentication

TechTree supports authentication through Google Workspace (previously G Suite), as well as email and password authentication through an ISO 27001-certified IAM provider.

Permissions

TechTree incorporates a versatile permission framework made up of two separate layers: role management and data permissions. The role layer allows the system administrator to assign users specific roles that broaden or constrain the functionality available to them. The data permission layer, in turn, provides granular ACL-style access control over entities such as organizations, projects, or contact lists shared with a particular user.
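The two-layer model described above can be illustrated with a small, added example (not TechTree's own code): a request is allowed only when the user's role enables the function and the entity's ACL grants a sufficient level. Role names, ACL levels, and the sample users are constructed assumptions for illustration.

```python
# Added example, not TechTree's code: two-layer authorization (role layer plus
# per-entity ACL layer). Every name and sample value here is constructed.
from dataclasses import dataclass, field

# Layer 1: each role enables a set of functionalities (deny by default).
ROLE_CAPABILITIES = {
    "admin":     {"org:manage", "project:edit", "project:view", "list:share"},
    "recruiter": {"project:edit", "project:view", "list:share"},
    "viewer":    {"project:view"},
}

# Layer 2: ACL levels granted on a shared entity; a higher level implies the lower ones.
ACL_LEVELS = {"read": 1, "write": 2, "owner": 3}
# Minimum ACL level an action needs on the target entity.
REQUIRED_LEVEL = {"view": "read", "edit": "write", "share": "write", "manage": "owner"}


@dataclass
class User:
    name: str
    roles: set
    # (entity_type, entity_id) -> granted ACL level, e.g. ("project", "p1") -> "write"
    acl: dict = field(default_factory=dict)


def is_authorized(user: User, entity_type: str, entity_id: str, action: str) -> bool:
    """Allow only when BOTH layers grant the action; anything unknown is denied."""
    capability = f"{entity_type}:{action}"
    # Layer 1: does any of the user's roles enable this functionality at all?
    if not any(capability in ROLE_CAPABILITIES.get(r, set()) for r in user.roles):
        return False
    # Layer 2: was this specific entity shared with the user at a sufficient level?
    granted = user.acl.get((entity_type, entity_id))
    if granted is None:
        return False
    return ACL_LEVELS[granted] >= ACL_LEVELS[REQUIRED_LEVEL[action]]


# Constructed sample users: alice is a recruiter, bob only a viewer.
alice = User("alice", {"recruiter"}, {("project", "p1"): "write", ("list", "l9"): "read"})
bob = User("bob", {"viewer"}, {("project", "p1"): "owner"})

if __name__ == "__main__":
    print(is_authorized(alice, "project", "p1", "edit"))  # True: role and ACL both allow
    print(is_authorized(alice, "list", "l9", "share"))    # False: ACL is read-only
    print(is_authorized(bob, "project", "p1", "edit"))    # False: viewer role lacks edit
```

Note that an ACL grant alone is never sufficient: bob owns project p1 at the ACL layer but his role still cannot edit it, which is the point of keeping the two layers independent.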

3. Physical Security

TechTree production information is processed and maintained within data centers that adhere to industry-leading security practices.

4. System Security

Servers and Networking

All TechTree servers and structured datastores employ managed infrastructure services provided and safeguarded by Google Cloud Platform.

Our web servers encrypt information in transit using the industry standard for HTTPS security (TLS 1.2 and TLS 1.3) to shield requests against eavesdroppers and man-in-the-middle attacks. Our TLS (SSL) certificates use 2048-bit RSA or 256-bit ECDSA keys and are signed with SHA-256.

Storage

All persistent information is encrypted at rest using industry-standard algorithms offered by the IaaS provider (GCP).

5. Operational Security

Policies

TechTree has established a comprehensive collection of security policies covering various topics. These policies are updated frequently and distributed to all employees.

Employee Training

All TechTree employees receive training on security best practices and awareness during onboarding.

Employee Access

We use an IAM system to manage and verify the employee account identities that access critical infrastructure or customer data.

Access to administrative interfaces additionally enforces administrator permissions where applicable. All administrative access is logged and auditable, both as traditional web server logs and as session recordings, so that any administrative activity can be found and reviewed with complete fidelity.

All employee contracts incorporate a confidentiality agreement.

Code Reviews and Production Deployment

All modifications to source code are subject to testing, and any that affect security require pre-commit code review by a qualified engineering peer covering security, performance, and potential-for-abuse analysis. All code is deployed to a staging environment for quality assurance, and automated tests must pass before production services are updated.

Service Levels, Backups, and Recovery

TechTree infrastructure uses multiple, layered techniques to improve uptime reliability, including load balancing and task queues. TechTree employs highly redundant datastores, rapid recovery infrastructure, and point-in-time backups, making unintentional loss of customer data highly improbable.

6. Application Security

Server and Client Hardening

TechTree servers run on Cloudflare and Google Cloud Platform managed infrastructure, which provides firewalls restricting system access from external and internal networks, DDoS mitigation, and protection against spoofing, sniffing, and port scanning. Request-handling code paths include frequent user re-authorization checks, payload size restrictions, rate limiting where appropriate, and other request verification techniques. All requests are logged and searchable by operations staff.

Client code implements multiple techniques to ensure that using the TechTree app is secure and that requests are authentic, including XSS and CSRF protection, signed and encrypted user authentication cookies, and session expiration.

7. Incident Reporting

Incident Response

TechTree follows a protocol for handling security events that includes escalation procedures, rapid mitigation, and a post-mortem review. All employees are informed of our policies.

Responsible Disclosure

TechTree maintains a Responsible Vulnerability Disclosure program. You can review more details about our program, the rules of engagement, and how to submit vulnerability reports at www.TechTree.dev/disclosure.

If you have a security concern, question, or are aware of an incident, please send an email to security@TechTree.dev, a carefully controlled and monitored email account.