Twine Labs - Security
Protecting our clients’ sensitive employee information is extremely important to us. We know you have questions about how we’re protecting that data, so what follows is frequently requested information about Twine’s information security.
If you have additional questions about Twine's security program, please reach out to firstname.lastname@example.org - we’d love to chat.
Twine’s data infrastructure uses Amazon Web Services, a highly secure and highly available set of services with state-of-the-art security. Our data centers have built-in network and application firewalls and redundancy to ensure high availability. (Amazon’s data centers are widely recognized for both physical and network security - please refer to the AWS security page for more detailed information.)
At the application level, Twine uses a multi-tenant architecture that provides efficient and scalable solutions for its clients while maintaining maximum data security and isolation. Client data can only be created, managed, and accessed by authorized client representatives. Only HR administrators and others approved by the client company are able to access data for their company. This access control is enforced using role-based permissioning as well as application-level and database-level checks.
At the network level, firewalls are used to restrict access to systems from external networks and between systems internally.
Twine regularly conducts internal penetration testing based on OWASP guidelines as well as third-party assessments. Our most recent assessment was conducted by ImmuniWeb in May 2018.
Users and Access Control
Like all data-at-rest, user passwords are encrypted with 256-bit Advanced Encryption Standard (AES-256). Passwords are never stored in plain text.
Access to our systems and your data is restricted only to those Twine employees who need access in order to provide you with support. All our employees undergo periodic security training, and we monitor and log access to customer data.
At Twine, we believe security is the responsibility of everyone who works for us. We train our employees so that they can identify security risks and empower them to take action to prevent bad things from happening.
Privacy and Data Protection
You can view our data protection policy for the finer details. The bottom line is: we believe in the confidentiality of your HR information. We retain only the data we need to power our people analytics, and we store it securely.
Twine’s Incident Response Policy includes notifying clients of unauthorized access if detected. All employees of Twine are trained to refer to it in case of suspicious activity.