Graduation Management Services

Defense-in-depth cybersecurity to keep our users and their data safe

Security

In our commitment to security we employ a wide range of industry standards and best practices throughout all stages of software development, system administration, and platform operations.

We understand that security is an ongoing and ever-changing field where nothing can be taken for granted. Given the high stakes, we're highly motivated by self-preservation, and the following security overview covers the measures we take to fortify the Tassel Turner platform and meet the security demands of our users.


Encryption

Tassel Turner employs strong encryption methods and key management procedures at all levels of the platform, ensuring that data remains protected in transit, in use, and at rest.

  • All database content is encrypted at rest with the industry standard AES-256 algorithm, as are database backups and other snapshots, such as those taken for migrations.
  • All connections to the database servers are forced over TLS. All website traffic is served exclusively over HTTPS (TLS) using certificates issued by AWS and cipher suites providing 256-bit symmetric encryption.
  • Log files collected from application and database servers, as well as system and infrastructure logs, are encrypted at rest with AES-256.
  • All uploaded and user-generated files are encrypted at rest with AES-256.
  • User passwords are never stored in plaintext; they are stored as salted hashes produced by the bcrypt password-hashing function.

Cloud Security

Tassel Turner is fully hosted on Amazon Web Services, which concentrates infrastructure security concerns with a single, centralized vendor. This lets us manage configurations through uniform policies, apply granular IAM controls for least-privilege access, inspect configuration and system activity end to end, and observe data flows through managed services.

We also benefit from the physical security of a trusted cloud vendor: Tassel Turner personnel neither have nor require physical access to data centers, servers, network equipment, or storage. Amazon’s data center operations have been accredited under ISO 27001, SOC 1 and SOC 2 (SSAE 16/ISAE 3402, previously SAS 70 Type II), PCI DSS Level 1, FISMA Moderate, and Sarbanes-Oxley (SOX).

Secure Software Development Lifecycle

We follow a secure software development lifecycle so that security considerations are accounted for from the earliest design stages, through development, and into live operations.

This entails defining security requirements and performing security reviews of new features and of new libraries added to the application stack. We use a variety of static analysis tools to scan both proprietary code and third-party libraries for vulnerabilities and risks such as unvalidated input and SQL injection.

Our automated test suite meets the C1 (branch) and C2 (condition) levels of code coverage to prevent regressions and highlight gaps in test scenarios, and we sustain a secure runtime environment through dynamic analysis tools and a controlled release process.

Vulnerability Management

Security is a moving target that requires continual updates to infrastructure and systems, both to take advantage of new security capabilities and to address Common Vulnerabilities and Exposures (CVEs).

Tassel Turner is designed to resolve risks and threats without customer impact or involvement. Platform services are built as part of a continuous delivery pipeline that makes it easy to apply the latest libraries and patches and to upgrade production servers and software. To ensure reliable updates we rely on an extensive suite of tests and checks that run as part of the build process, along with the ability to roll back in the event of a regression.

Incident Management

We maintain security incident management procedures, and act without undue delay to notify impacted parties of any data breach or security compromise. Following an incident we will provide a transparent post-incident writeup including a root cause analysis and countermeasures taken to rectify the issue.

Organizational Security

We impose a variety of organizational controls to secure our staff and operations.

  • All company computers and devices are inventoried and tracked in an asset management system, and are configured to install the latest updates so that current, patched versions of software are in use.
  • All personnel are required to use two-factor authentication (2FA) wherever it is available to protect system accounts.
  • All computers and devices are required to install antivirus and malware protection, use a password manager, encrypt any potentially sensitive data, and automatically screen-lock.
  • All personnel are US citizens and subject to reference and background checks.
  • All personnel are required to provide written acknowledgement of their role(s) and responsibilities in regard to security, privacy, and data governance.
  • All personnel receive continual training on a range of privacy and security issues such as social engineering awareness and passwordless authentication.
  • Departing personnel undergo a comprehensive offboarding process to ensure any and all access to organizational data and systems is categorically revoked.

Responsible Disclosure

We welcome responsible disclosures from Tassel Turner users and industry security researchers, will not take action against reporters acting in good faith, and are committed to acting on your feedback to make our platform safer.

If you believe you have discovered a vulnerability, please don’t hesitate to contact us at info@bellwethersystems.com and provide as many details as possible to assist our team to confirm and investigate your report. Once you submit a report, we promise to do the following.

  • We will review your report and get back to you as soon as we can, usually within 72 hours.
  • We will assume good faith disclosure and not pursue legal action if you do not maliciously exploit the vulnerability.
  • We will handle your report with strict confidentiality.
  • We will keep you informed of any progress and determinations of our investigation.
  • We will post an incident update once the issue is addressed, and (if you wish) publicly credit you for the findings.