Security
Last Update: 3 January 2024
troweb has implemented various technical and organizational measures to protect the cloud-based services offered at https://troweb.com. This page outlines the details of our existing security protocols.
Authentication
Ensuring the security of user credentials is a top priority for troweb, and we employ robust measures in this regard. Our approach involves utilizing TLS-encrypted requests to transmit authentication credentials securely to our authentication service. Furthermore, the passwords stored on troweb undergo hashing with random salt using industry-standard techniques.
In addition to secure communication practices, users must follow specific password requirements:
- Passwords must be a minimum of 8 characters in length and contain at least one special character.
- If incorrect usernames or passwords are entered multiple times, the account will be temporarily locked as a preventive measure against brute-force attacks. The duration of the lockout is designed to block unauthorized access attempts while still allowing legitimate users to access the application within a reasonable timeframe.
- Email-based password reset links are sent only to a user's pre-registered email address.
For private organizations, troweb mandates authentication for accessing all pages and APIs. This approach ensures that all information within these organizations remains protected and accessible only to authenticated users.
Segregation Controls
1. Data Segregation
troweb organizations are designed to logically separate your data from other customers. troweb's application logic is designed to enforce this segmentation by permitting each end user access only to organizations that the user has been granted access to.
2. Access Management
You can give different levels of permissions to users within your troweb organization. These user permission levels are especially useful when there are multiple people working on the same project. The items you store in troweb can be structured hierarchically, allowing you to define access management policies on any part of this hierarchal structure.
Network and Transmission Controls
troweb monitors and updates its communication technologies periodically with the goal of providing network security.
By default, all communications from your end users and your visitors with troweb are encrypted using industry-standard communication encryption technology. troweb currently uses Transport Layer Security (TLS), with regular updates to cipher suites and configurations.
Data Confidentiality
Access to your visitor and account data stored on troweb is restricted to our employees. troweb currently requires the use of strong passwords for all employees to access production servers. the access is also restricted by IP address.
Security in Engineering
The software we develop for troweb is continually monitored and tested using processes designed to proactively identify and remediate vulnerabilities. We regularly conduct:
- Peer review of all code prior to being pushed to production
- Manual source code analysis on security-sensitive areas of code
Availability Controls
The infrastructure for troweb is designed to minimize service interruption due to hardware failure, natural disaster, or other catastrophes. Features include:
- State of the art cloud providers: We use Amazon Web Services, which is trusted by thousands of businesses, to store and serve their data and services.
- Backups: We perform daily backups of data stored on troweb, which are tested regularly.
- Incident Response: troweb has an Incident Response Plan designed to promptly and systematically respond to security and availability incidents that may arise. The incident response plan is tested and refined on a regular basis.
Physical Security
troweb leverages top-tier cloud platforms (currently Amazon Web Services) to host its production systems. Access to these data centers is limited to authorized personnel only, as verified by biometric identity verification measures. Physical security measures for these data centers include on-premises security guards, closed circuit video monitoring, and additional intrusion protection measures.
Additional Terms
Our security measures are constantly evolving to keep up with the changing security landscape, so we may update this page from time to time to reflect these technical and organizational changes. Please check this page often to view our latest measures. As always, the use of troweb is subject to the terms, conditions and disclaimers in our Terms of Service.