Security and Compliance

Last updated: 09 January 2025

Security contact: https://github.com/TopTierTools/issues/security/advisories


As a company committed to privacy and data protection, we comply with the following privacy regulations: the Hong Kong PDPO, CCPA, GDPR, PIPEDA, the Singapore PDPA, and HIPAA. These frameworks underpin our commitment to protecting sensitive data and to earning the trust and confidence of our clients.

How has this been accomplished?

Our organization ensures compliance through a combination of rigorous internal processes, training, and automation tools. We regularly assess our practices and implement improvements to maintain alignment with global privacy standards.

By utilizing compliance automation platforms, we monitor and assess our security controls continuously, ensuring that we remain up-to-date with regulatory changes and industry best practices. This approach gives us the confidence to provide a secure environment for our clients and stakeholders.

What happens if something becomes out of compliance?

If a control drifts out of compliance, our monitoring systems detect the gap and alert us. We take prompt corrective action to close the gap and restore compliance. This proactive approach ensures the ongoing protection of sensitive information and helps maintain our reputation as a trustworthy organization.

Procedures & Controls

Secure Policies & Procedures

We maintain documented security policies and procedures to safeguard customer data and ensure effective incident response. These policies are reviewed and updated regularly.

Vulnerability & Penetration Testing

We perform regular vulnerability scans and penetration tests to identify potential security weaknesses. External penetration testing is conducted annually by third-party experts, with results reviewed and remediated promptly.

Data Encryption

All sensitive data is encrypted both in transit and at rest, so that data intercepted on the network or read from storage media cannot be recovered without the corresponding keys. This protects customer data from interception and misuse.

Multi-factor Authentication

Multi-factor authentication (MFA) is required across our systems for all users and administrators, so that a stolen or guessed password alone is not enough to gain access.

Secure Development Lifecycle

We follow a secure development lifecycle, ensuring that all code changes undergo peer review, automated security testing, and end-to-end testing. Branch protection rules prevent unreviewed code from being merged and deployed.

Monitoring

Our systems are continuously monitored for unauthorized access, unusual activity, and potential threats. Logs are collected and reviewed so that incidents can be detected and responded to in real time.

Employee Training & Awareness

We conduct regular training programs to educate employees about data protection and security best practices. Training is mandatory for new hires and repeated annually for all staff.

Access Controls & Background Checks

Access to systems and data is granted on a need-to-know basis. Background checks are conducted for all new hires, and access levels are reviewed quarterly to ensure the principle of least privilege is followed.

Third-party Audits and Assessments

We engage independent auditors to validate the effectiveness of our security controls. These assessments provide assurance to our customers that their data is handled securely.

Intrusion Detection

Intrusion detection systems (IDS) are in place to monitor for potential threats. Early detection allows us to respond quickly and mitigate risks effectively.

Vulnerability Disclosure

We prioritize the security of our systems and welcome reports of potential vulnerabilities. If you discover a vulnerability, we encourage you to report it to us promptly.

Out of scope vulnerabilities:

  • Clickjacking.
  • Cross-Site Request Forgery (CSRF).
  • Attacks requiring MITM or physical access to a user's device.
  • Content spoofing without an attack vector.
  • Missing DNSSEC or CAA records, or missing Content-Security-Policy headers.
  • Lack of Secure or HttpOnly flags on non-sensitive cookies.
  • Dead links or DNS-related issues.
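
Before filing a report, it helps to check whether a header or cookie finding falls into one of the categories listed above. The script below is an added example, not TopTierTools' own tooling: it parses a constructed set of captured response headers, flags a missing Content-Security-Policy header, and reports cookies that lack the Secure or HttpOnly attributes. Which cookie names count as sensitive (`SENSITIVE_COOKIES`) is an assumption made for the example; the policy above leaves that judgement to the reporter.

```python
# Triage helper for header and cookie findings. Added example; not part of
# the TopTierTools disclosure programme. The sample headers are constructed.

# Headers as they might be captured from a browser devtools panel or `curl -i`.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),           # Secure missing
    ("Set-Cookie", "theme=dark; Path=/"),                         # no flags, UI preference
    ("Set-Cookie", "csrftoken=xyz; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("X-Frame-Options", "DENY"),
]

# Assumption for this example: cookies that carry session or authentication
# state. A missing flag on these is worth reporting; on others it is out of scope.
SENSITIVE_COOKIES = {"session", "csrftoken"}


def parse_set_cookie(value):
    """Return (cookie name, set of lowercase attribute names).

    Attribute names are matched case-insensitively, as RFC 6265 requires,
    so 'secure', 'Secure' and 'SECURE' all count as the Secure flag.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def triage(headers, sensitive=SENSITIVE_COOKIES):
    """Return a list of (finding, in_scope) tuples for the given headers.

    Each Set-Cookie header is inspected separately: folding them into one
    comma-joined string would break on cookies whose Expires attribute
    itself contains a comma.
    """
    findings = []
    present = {name.lower() for name, _ in headers}

    # A missing CSP header is explicitly out of scope for the programme.
    if "content-security-policy" not in present:
        findings.append(("missing Content-Security-Policy header", False))

    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append(
                (f"cookie {cookie!r} lacks {', '.join(missing)}", cookie in sensitive)
            )
    return findings


if __name__ == "__main__":
    for finding, in_scope in triage(SAMPLE_HEADERS):
        print(("REPORT   " if in_scope else "OUT OF SCOPE ") + finding)
```

Run against the sample, the script reports the session cookie's missing Secure flag as in scope, and lists the missing CSP header and the unflagged `theme` cookie as out of scope.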

Reporting Guidelines:

  • Do not exploit vulnerabilities beyond what is needed to demonstrate them.
  • Provide detailed steps to reproduce the issue.
  • Avoid running automated scanners without prior approval.
  • Do not share vulnerability details publicly before resolution.

You can report vulnerabilities here: https://github.com/TopTierTools/issues/security/advisories.

We handle all reports with strict confidentiality and work towards resolving issues promptly. If a report is confirmed, we will credit the reporter unless they request otherwise.

Commitment to Privacy Compliance

Our dedication to privacy compliance ensures that our customers' data is handled with the highest levels of care and security. By adhering to global standards, we continue to build trust with our clients and maintain a secure environment for their data.