Data Storage and Security Measures
30 June 2020

Knowledge and resources: Turn.io will ensure that it has the appropriate knowledge to Process Customer Data and has the necessary resources to implement the technical and organisational measures required under this Policy.

Security of Customer Data. Turn.io will implement and maintain the following technical and organisational measures when Processing Customer Data, and by signing the Data Processing Addendum (“DPA”) and Customer Contract, you have confirmed that you agree with and are satisfied that:

(a) these are sufficient to ensure compliance with the Data Protection Laws and the protection of the rights of Data Subjects; and
(b) these take into account the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data when it is transmitted, stored or otherwise Processed.

Data Protection Laws, Personal Information, Customer Data, Processing, Data Subject (and any other capitalised term) are all defined as per the DPA and the Customer Contract.

We take the security of Customer Data seriously, but no system is 100% secure. So while we will do everything reasonably necessary to secure the information, we cannot rule out unauthorised access, hacking, loss of information or a data breach.

Please let us know right away if you think that your account has been compromised or misused by emailing support@turn.io.

Compliance

The following security-related audits and certifications are applicable to the Turn.io services:

Service Organization Control (SOC) Reports
The environment that hosts the Turn.io services maintains multiple certifications for its data centers, including ISO 27001 compliance, FedRAMP authorization, PCI Certification, and SOC reports. For more information about their certification and compliance, please visit the AWS Security website, AWS Compliance website, Google Security website, and Google Compliance website.

ISO27001
We are in the process of implementing the ISO27001 Information Security Management standard. Clients will be notified when our ISO27001 certification is available.

Compliance framework
We have internal policies and procedures that are kept under review, a designated privacy officer and access to external specialist data protection advisers to support our compliance.

Personnel
Turn.io conducts background checks on all employees before employment, and relevant employees receive privacy and security training during onboarding as well as on an ongoing basis.

Firewalls
Network devices are managed within a secure management network and servers are secured by firewalls. In both instances, SSL/TLS secure encryption protocols are used.

Data Encryption in transit and at rest
WhatsApp messages are end-to-end encrypted between Turn and the user’s device, and secured over HTTPS from your browser or application to Turn.

Data in transit is always encrypted to a minimum standard of 256 bits. The Turn.io services support the latest recommended secure cipher suites and protocols to encrypt all traffic in transit.

We monitor the changing cryptographic landscape closely and work promptly to upgrade the service in response to new cryptographic weaknesses as they are discovered, and to implement best practices as they evolve. For encryption in transit, we do this while also balancing the need for compatibility with older clients.

Customer Data is encrypted at rest.