Data Storage and Security Measures
30 June 2020 







Knowledge and resources:  Turn.io will ensure that it has the appropriate knowledge to Process Customer Data and has the necessary resources to implement the technical and organisational measures required under this Policy.

Security of Customer Data. Turn.io will implement and maintain the following technical and organisational measures when Processing Customer Data and by signing the Data Processing Addendum (“DPA”) and Customer Contract you have confirmed that you agree with and are satisfied that:

(a) these are sufficient to ensure compliance with the Data Protection Laws and the protection of the rights of Data Subjects; and
(b) these take into account the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data when it is transmitted, stored or otherwise Processed.

Data Protection Laws, Personal Information, Customer Data, Processing, Data Subject (and any other capitalised term) are all defined as per the DPA and the Customer Contract.

We take the security of Customer Data seriously, but no system is 100% secure. So while we will do everything reasonably necessary to secure the information we cannot rule out unauthorized access, hacking, loss of information or a data breach.

Please let us know right away if you think that your account has been compromised or misused by emailing support@turn.io .

Compliance

The following security-related audits and certifications are applicable to the Turn.io services:

Service Organization Control (SOC) Reports
The environment that hosts the Turn.io services maintains multiple certifications for its data centers, including ISO 27001 compliance, FedRAMP authorization, PCI Certification, and SOC reports. For more information about their certification and compliance, please visit the AWS Security website, AWS Compliance website, Google Security website, and Google Compliance website.

ISO27001
We are in the process of implementing the ISO27001 Information Security Management standard.  Clients will be notified when our ISO27001 certification is available.

Compliance framework
We have internal policies and procedures that are kept under review, a designated privacy officer and access to external specialist data protection advisers to support our compliance.

Personnel 
Turn.io conducts background checks on all employees before employment, and relevant employees receive privacy and security training during onboarding as well as on an ongoing basis.

Firewalls
Network devices are managed within a secure management network and servers are secured by firewalls. In both instances SSL/TLS secure encryption protocols are used.

Data Encryption in transit and at rest
WhatsApp messages are end-to-end encrypted between Turn and the user’s device, and secured over HTTPS from your browser or application to Turn.

Data in transit is always encrypted to a minimum standard of 256 bits. The Turn.io services support the latest recommended secure cipher suites and protocols to encrypt all traffic in transit.

We monitor the changing cryptographic landscape closely and work promptly to upgrade the service to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve. For encryption in transit, we do this while also balancing the need for compatibility for older clients.

Customer Data is encrypted at rest.

Access controls
Access to the Turn.io services is authenticated using Google accounts, for which Google provides Two Factor Authentication (2FA).

In addition, the Turn.io services provide optional Two Factor Authentication for user access, to ensure that 2FA is enforced.

To protect the confidentiality of your Personal Information and your Customer Data, you must keep your password confidential and not disclose it to any other person.

Data partitioning
Each client’s data is logically separated from that of other clients in our databases. A private cluster deployment is available on request for complete separation in separate cloud accounts.

Access limitations
Customer Data is only accessible by a small number of personnel in our development team on a need to know basis.

Resilience
Our infrastructure is designed to be resilient. Our main database is highly available such that, if one server goes offline, the other servers will pick up the work and contain replica data to ensure there is no downtime.
All servers that serve our application are load balanced and can distribute load/requests to multiple servers.

Monitoring
We perform daily uptime scanning on public IP addresses to ensure there are no unexpected changes. Configuration management is dealt with by scripts which are kept and managed in our private version control system. All applications are machine monitored 24/7 and generate automated alerts at configured thresholds for alerting and telephonic escalating.

Security testing
Our entire application is subject to penetration testing by external vendors to try to break, gain unsolicited access to, and “hack” our systems in a safe way in order to find flaws or potential weaknesses in our platform.

We have some continual end-to-end testing of our server cluster to ensure specific key indicators are working correctly and use software to log and track these with a combination of active checks. Team members are alerted if an expected behaviour has not executed as expected.

Critical events
Our code is written to log any critical events for our developers to address.

Backups
Our databases are backed up continuously. Whilst our main datastore holds replicas of data at all times, we also run our other databases with duplicate data in them ready to swap over should the need arise.

Multiple snapshots of the entire database are taken daily and they are stored on a separate server from the one that holds live data. From these various back-ups, we are able to restore the entire database in the event of a physical or technical incident in a timely manner.
Full daily database backups are retained for seven days for every database.

Disaster recovery
Personal Information including Customer Data is stored redundantly in our hosting provider’s data centers to ensure availability. We have well-tested backup and restoration procedures, which allow recovery from a major disaster. Customer Data is automatically backed up nightly. We maintain a disaster recovery plan to test our disaster recovery which is tested at least annually.

Secure hosting
We currently use leading third parties to provide hosting services. They have all been vetted and authorised by a designated approver within Turn.io as part of our supplier on-boarding process and we have written contracts with each of them incorporating appropriate data protection provisions to protect your Customer Data
We perform automated vulnerability scans on our production hosts and remediate any findings that present a risk to our environment. 

Access Logging
Detailed access logs are available to hosting administrators.

Logging

Turn.io maintains an extensive, centralized logging environment in its production environment which contains information pertaining to security, monitoring, availability, access, and other metrics about the Turn.io services.

Audit trails
Our software normally maintains a record of many of your users’ activities when using our application such as which user creates or edits content. You can view these audit logs through the application.

Confidentiality

We place strict controls over our personnel’s access to Customer Data via the Services, as more specifically defined in your Customer Agreement with Turn.io covering the use of the Services. The operation of the Services requires that some personnel have access to the systems which store and process Customer Data. For example, in order to diagnose a problem you are having with the Turn.io services, we may need to access Customer Data. These personnel are prohibited from using these permissions to view Customer Data unless it is necessary to do so. We have technical controls and audit policies in place to ensure that any access to Customer Data is logged.

Data Retention


Availability
We understand that you rely on the Turn.io services to work. We're committed to making Turn.io a highly-available service that you can count on. Our infrastructure runs on systems that are fault tolerant, for failures of individual servers. Our operations team staffs an around-the-clock alerting and escalation system to quickly resolve unexpected incidents.

Network Protection

In addition to sophisticated system monitoring and logging, we have implemented two-factor authentication for all server access across our production environment. Firewalls are configured according to industry best practices and unnecessary ports are blocked by configuration with the hosting provider’s security groups.

External Security Audits

We contract with respected external security firms who perform regular audits of the Turn.io services to verify that our security practices are sound and to monitor the Turn.io services for new vulnerabilities discovered by the security research community. In addition to periodic and targeted audits of the Turn.io services and features, we also employ the use of continuous hybrid automated scanning of our web platform.

Product Security Practices

New features, functionality, and design changes go through a security review process facilitated by the security team. In addition, our code is audited with automated static analysis software, tested, and manually peer-reviewed prior to being deployed to production. 

Incident Management, Data Breaches & Response
In the event of a security breach, Turn.io will promptly notify you of any unauthorized access to your Customer Data. Turn.io has incident management policies and procedures in place to handle such an event.

Data breach
Turn.io will maintain a Data Breach incident response plan that documents the procedures to be followed and contacts to be notified in the event of a Data Breach. In the event Turn.io suffers a Data Breach as a result of or in connection with the performance of its rights or obligations under the Contract, Turn.io will notify you of all material facts without undue delay after becoming aware of the Data Breach.

Data breach management
Turn.io will cooperate and assist you in handling the Data Breach referred to in paragraph 14, by investigating the Data Breach, facilitating meetings with those involved in the data breach and making available all relevant records, logs, files and data, reports including those regarding the facts relating to the Data Breach, its effects and the remedial action taken or to be taken. If the Data Breach is not attributable to Turn.io or any of its Subprocessors, we reserve the right to charge for the assistance at our then prevailing rate.

Confidentiality in respect of Data Breaches
Except as required by Data Protection Laws, neither party will do, say or report anything to any person that may affect the other’s reputation without the approval of such other party (such approval not to be unreasonably withheld or delayed).

Data Protection Impact Assessments: 
Data protection impact assessments. Turn.io will cooperate, and provide reasonable assistance to you with any data protection impact assessment that you are required by the Data Protection Laws to carry out in connection with Turn.io’s Processing of Customer Data. If such cooperation or assistance requires Turn.io or any Subprocessor to provide any additional professional services, Turn.io will notify you of the proposed charges and no work will be commenced until the parties have agreed the charges and the scope of work in writing.

Returning or Deleting Data
Returning Customer Data on termination or expiry. You are able to export Customer Data at any time during the term of our contract upon request.  Information about the export capabilities of the Turn.io services can be found at https://whatsapp.turn.io/docs/index.html#message-retrieval-api and https://whatsapp.turn.io/docs/index.html#label-retrieval-api

After expiry (or termination if that is earlier) we will delete Customer Data (normally within one month) but will retain the shortened links you have created using our code so that your users are redirected to the correct location.