Treno Security Policies

EFFECTIVE DATE: JANUARY 1, 2020

At Treno we understand that our customers expect us to protect their data with the highest standards and are committed to providing them with a highly secure and reliable environment. 

 

How do we secure your data and ensure its availability?

Our systems are hosted on a Google Cloud Platform region, with plans to implement in multiple GCP regions soon. This allows us to provide a reliable service and keeps your data available whenever you need it. We have also established a disaster recovery site on GCP as well.

 

These Google Cloud Platform data centers employ leading physical and environmental security measures, resulting in highly resilient infrastructure. For more information about their security practices, see below:

 

https://cloud.google.com/security/

 

Uptime Over 99.9%

Since launch, Treno has consistently met or exceeded a 99.9% uptime, ensuring customers can the analytics data about their software development projects and teams without interruption.

Application Security

Treno implements a security-oriented design in multiple layers, one of which is the application layer. The Treno application is developed by Treno full-time employees according to the OWASP Top 10 framework and all code is peer reviewed prior to deployment to production.

 

Our controlled CI/CD process includes static code analysis, vulnerability assessment, end-to-end testing, unit testing which addresses authorization aspects and more. Additionally, Treno developers go through periodic security training to keep them up-to-date with secure development best practices.

Infrastructure Security

Another layer of security is the infrastructure. As stated, Treno is hosted on GCP and soon will be across multiple GCP regions for redundancy. Furthermore, our infrastructure is protected using multiple layers of defense mechanisms, including:

 

  • Firewalls for enforcing IP whitelisting and access through permitted ports only to network resources

  • A web application firewall (WAF) for content-based dynamic attack blocking

  • DDoS mitigation and rate limiting

  • NIDS sensors for early attack detection

  • Advanced routing configuration

  • Comprehensive logging of network traffic, both internal and edge

Data Encryption

Treno encrypts all data both in transit and at rest:

  • Traffic is encrypted using TLS 1.3 with a modern cipher suite, supporting TLS 1.2 at minimum

  • User data is encrypted at rest across our infrastructure using AES-256 or better

  • Credentials are hashed and salted using a modern hash function

External Security Audits and Penetration Tests

Independent third-party assessments are crucial in order to get an accurate, unbiased understanding of your security posture. Treno conducts penetration tests on an annual basis both in the application and in the infrastructure level using well-known, independent auditors.  Our next penetration test is scheduled for Q4 2021.

 

Additionally, Treno is in process to obtain an SOC 2 Type I audit and following this we will start the process for SOC 2 Type II certification.  Current status of our SOC 2 efforts is available upon request.

Physical Security

Treno is a cloud-based company, with no part of our infrastructure retained on-premise. We maintain physical security in our physical office location including access control by personal cards, CCTV and alarm systems.

Treno’s data centers are hosted on Google Cloud Platform infrastructure, where leading physical security measures are employed.

Disaster Recovery and Backups

Treno is committed to providing continuous and uninterrupted service to all its customers. We consistently backup user data every six hours. All backups are encrypted, where they are retained for 20 days.

 

Our Disaster Recovery Plan is tested at least once a year to assess its effectiveness and to keep employees aligned with their responsibilities in case of a service interruption.

 

Security Awareness and Training

Treno understands that its security is dependent on its employees. Therefore, all our employees undergo thorough information security awareness training during onboarding. Further security training is provided on a bi-annual basis. Additionally, all employees must sign our Acceptable Use Policy.

 

Access Control

We know the data you upload to Treno is private and confidential. We regularly conduct user access reviews to ensure appropriate permissions are in place, in accordance with the least privilege principle. Employees have their access rights promptly modified upon change in employment.

 

Need to Know and Least Privilege

Only a limited set of employees have access to the data stored in our databases. There are strict security policies for employee access, all security events are logged and monitored, and our authentication methods and data are strictly regulated. Access to production data requires multi-factor authentication and a one-time password. 

 

We limit access to customer data to employees with a job-related need, and require all these staff members to sign a confidentiality agreement. Accessing customer data is only done on an as-needed basis, and only when approved by the customer (i.e. as part of a support incident) via a support token, or under authorization from senior management and security for the purposes of providing support, maintenance, or improving service quality.

 

Is Treno GDPR compliant?

Yes. Treno is compliant to the extent required and will continue to comply on an ongoing basis. 

 

Where does Treno host its customer data? and Is Treno able to restrict data hosting and processing within the EU? 

Treno hosts its customer data in the Google Cloud Platform (GCP) data centers in the US.  We currently do not have any customers from the EU and currently do not have the on-demand ability to restrict data hosting and processing to the EU.

 

However, if a new EU customer wishes to have their data processed within the EU it must be requested BEFORE onboarding.  If approved by Treno, we will create a unique account for that customer. The data connected to that account will be stored in an EU Google Cloud Platform data center in Germany and never backed up or replicated to a server elsewhere. Please note that this option is not readily available and may not be available upon request --- it is at the discretion of Treno if we wish to accept this EU customer.

 

Additionally, as part of our GDPR compliance, we offer a Data Processing Addendum (“DPA”) in which we commit to protect your data in accordance with the GDPR. Review of this Treno DPA is available upon request.

 

Questions?

If you have any security related questions and concerns, please contact your sales representative or contact us at info@treno.io