As a fast-growing European company, Teamleader takes data security very seriously. This article defines what data security is about, and outlines a series of measures our Product and Engineering team has taken to ensure full security of the data our users entrust us with.
What is data security?
Data security or data protection is the practice of keeping data protected from corruption and unauthorised access (e.g. hackers). Data security helps protect personal data, and thus the privacy of end users. It also ensures data is 100% accurate and reliable, and available whenever needed by those authorised to access that data. Today, data security is the talk of the town as it forms a large part of the new General Data Protection Regulation by the EU.
Data security vs. data privacy
The terms data security and data privacy have two different meanings. Data privacy is the appropriate use of data, meaning that it should be used according to the agreed purposes for which it was collected, and in full compliance with the law. For example, there have been cases in the past of companies selling or disclosing customer information to parties without getting approval by the owner of this data.
Teamleader’s data security measures
Below are some key measures we’re taking to make our data secure so that everyone can rest assured their data is safe and we’re applying the latest best practices in data protection.
1. All data is encrypted with SSL
First and foremost, the most important data security measure is encryption. This basically means data is converted into a secret code. It securely protects data you don’t want anyone else to have access to. To read an encrypted file, you need a secret key or password that enables you to decrypt it.
At Teamleader, only a very select group of people have access to this key. However, this doesn’t grant us access to passwords as we use irreversible password encryption (to learn more, see point 5 in this summary about password protection). This is encryption for data at rest or data in transit, meaning that it’s a security measure for data stored physically in a digital database.
However, we also make sure we encrypt data that’s being transferred over the internet or data in motion through a secure SSL connection: SSL or Secure Sockets Layer creates an encrypted connection and protects sensitive information as it travels across the internet. Teamleader holds an SSL certificate - which entails that information becomes unreadable to everyone except for the server you are sending the information to.
2. Ethical hackers
While it might seem strange to use a term like ‘hacker’ in a data security context, ethical hacking is not something to fear. Teamleader partners up with people who hack into our network to test and evaluate its security and proactively detect flaws in our system. This happens on a continuous basis, before anyone with malicious intent can ever get harm done.
3. GDPR measures
On May 25th 2018, every European country will be bound by the same privacy rules to comply with the General Data Protection Regulation from the EU. We’re currently taking plenty of measures to guarantee the highest level of protection for our users. Below are just a few:
- Email opt-in sign for contacts: companies will need to ask people (i.e. everyone with the exception of customers) to opt in for commercial emails, instead of sending it to all your contacts. Therefore, each contact for which you have an email opt-in will now have a checkbox sign to make this visible right away.
- We will also be taking measures to protect your customers’ data. The ability to permanently delete a contact is a really key one: in the past, users were able to restore data in Teamleader. Users will now be asked if they want to soft- or hard-delete data as, in accordance with the GDPR, customers have the right to ask companies to delete their data.
4. Security documentation
Teamleader also officially documents its data security measures and is currently updating it to make sure they’re in line with the GDPR. When the regulation will come into effect May 25th 2018, we will have these documents to show for it:
- Internal incident management procedure to detect and alert security breaches and determine which steps need to be taken in case of a data breach.
- TOM or the Technical and Organisational Data Security Measures: lists all data protection measures and is implemented as part of the data processing agreement.
- Privacy declaration makes reference to the GDPR and contains information about: which personal data is collected, how it is collected, the purpose of processing, the data retention period, the rights of the data subject, our complaint procedure, data transfer process to third parties, and so on.
- Data processing agreement contains the arrangements between Teamleader and its customers about processing customer data (i.e. data entered into Teamleader by our customers) in accordance with the instructions by the customer/controller. In case Teamleader appeals on sub-processors, we will ensure they’re at least bound by the same GDPR obligations as Teamleader.
5. Strict, state-of-the-art password rules
Security is of course defined by the strength of your password. We recommend users to choose a strong and preferably random password to protect your account: there are plenty of resources on the internet to inform you what a secure password looks like.
What’s more, we also apply key password management best practices:
- Multi-factor authentication: this extra layer of security requires not just a password and username, but a piece of information or physical token. In our case, we ask users to enter a 6-figure code they’ll receive from their smartphone. Combining these two elements makes it harder for intruders to gain access.
- We never save users’ password. Instead we use irreversible encryption which immediately transforms a password into a form from which the original password can never be recovered by third parties.
- When logging in, users only have five attempts to enter a password. After these five attempts, users (or anyone maliciously trying to access a user’s account) will be locked out for five minutes.
6. Customer data is stored on European servers
Teamleader’s web applications, communications, database servers and all our customer data is stored and located on European servers in Ireland and operated by Amazon Web Services, Inc, and is not processed or stored on US servers at any point. Therefore it falls under the European data protection law. In order to be compliant with the standards and obligations as set forth in the GDPR, Teamleader has signed the ‘AWS Data Processing Addendum’. What’s more, Amazon is ISO 27001 certified which is an international standard for information security management system and is managed in line with international best practice and business objectives.
In the AWS data center, data is stored on encrypted hard drives. Plus, these centers are continuously innovated to protect them from man-made and natural risks, and undergo third-party audits to confirm security and compliance. The most highly-regulated organisations in the world, such as NASA, trust AWS every single day.
Data security, privacy and legal compliance for both our users and our customers have always been a key priority for Teamleader. We have taken plenty of proactive measures in order to safeguard the safety of our customers and all other stakeholders by making sure our data is saved and processed in a very secure way.