Security at Thirdfort

Users of the Thirdfort Platform are authenticated via two-factor authentication. This requires a user to verify their identity in two unique ways before they are granted access to the system. 

Each user can log in via one of the following options: 

• Provide a one-time password using an authenticator app. This flow will ask the user to enter a one-time password from the authentication app or their choice.

• Provide a one-time password via a phone message. This flow will ask the user to receive an SMS or an automated voice message on their registered phone.

This provides an extra layer of protection for user accounts and decreases the risk of unauthorised access and system breaches.

Our employees log in to the Thirdfort Platform using an account that is subject to strict security controls, including robust requirements around password complexity and multi-factor authentication. Only staff that strictly need access are granted it, and only at the minimum level required.

We have policies and technologies that ensure credentials are securely managed. We also ensure:

• all devices are encrypted, meaning all data on the device cannot be extracted without a cryptographic key; and

• common attacks, such as the use of boot mode, are prevented from being used to access the data. 

We grant access to systems and accounts in line with the principle of least privilege. Such access is removed on notice of termination or the employees’ last day as part of our standard off-boarding process.

All information regarding the collection and processing of PII at Thirdfort is set out in our Privacy Policy. 

We host our technical infrastructure and our databases on Google Cloud Platform ("GCP"). This means we inherit the robust security structure and mechanisms that are maintained by GCP. You can read about Google’s compliance infrastructure here.

Data is stored in our database services which are managed by GCP. We have three data centres located at different physical sites. 

We do not permit data storage on local machines.

We use service providers which are located outside of the UK and European Union. Where this is the case, we ensure adequate contractual provisions are in place between us and the service provider, including arranging for UK GDPR compliant transfer mechanisms to be in place. 

Data in transit is encrypted using at least TLS 1.2. 

All data is encrypted at rest following industry best practices and leveraging ciphers that guarantee a level of protection equivalent to AES-256 or stronger.

All of our web applications enforce the use of HTTPS.

All database data is encrypted and backups are well protected.

We employ a variety of measures to segregate data across our IT estate. Our software architecture ensures the separation of data and the security of information between different customers and application components. 

We perform routine vulnerability scanning of our assets and firewalls are used to protect data and systems from the Internet and other untrusted networks. We monitor our security logs frequently to detect malicious activity. 

We conduct penetration testing annually, with any remediation actions identified built into our Engineering team’s workload in accordance with priority and urgency.

We currently store all our customer data on GCP and leverage the mechanisms provided by Google to ensure the integrity of the data. This allows us to provide geo-redundancy for 99.9% of newly written objects within an hour. 

All of our employees and contractors are required to sign standardised employment or contractor agreements prior to their start date, which contain detailed confidentiality provisions.