Templafy

Yes, Templafy conducts external penetration testing at least once per calendar year. These tests are performed by internationally recognized third-party companies and cover both internal and external networks, as well as authenticated application layers. The tests include probing for weaknesses in network perimeters, infrastructure, and technical countermeasures.

Yes, customers can request to conduct their own penetration tests. These requests should be sent to security@templafy.com and are subject to conditions before the tests can be carried out.

Templafy backs up tenant configuration data and binary data daily in SQL. For Templafy Hive, there is a 90-day long-term backup retention with geo-redundancy. Backups are encrypted using AES 256 encryption, and access is restricted to authorized personnel with multi-factor authentication. Backups are retained for 90 days in SQL, and soft-delete is enabled for blob storage, removing data 30 days after deletion.

Templafy has Disaster Recovery plans covering malicious incidents, accidental incidents, and unavailability incidents. These plans are reviewed and updated annually. Disaster recovery tests are conducted annually, including failing over servers and restoring backups. The Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for the Templafy Platform are both 24 hours.

Data is encrypted at rest using AES 256 and in transit using TLS 1.2. Encryption keys for data at rest are managed by Azure, while certificates for data in transit are managed using Azure Key Vault. Templafy uses Role-Based Access Control and supports SSO, SCIM, and activity logs for monitoring user and administrator access.

Templafy has a defined cybersecurity incident management process. In the event of a security incident, Templafy will notify affected customers within 36 hours, providing details about the incident and the type of personal information concerned. Templafy will also take steps to mitigate the effects of the incident and cooperate with customers on disclosures and investigative measures.

Customer data is stored in Microsoft Azure data centers. Customers can select a region for data storage, and once selected, the data storage location cannot be moved. The available regions depend on the Templafy service being used, such as Templafy One, Templafy Hive, or the Data Analytics Platform.

All application code changes are tested, peer-reviewed, and approved before implementation. Changes are deployed in separate Azure Active Directory and Azure Subscriptions for production and non-production environments. Testing includes functionality unit testing, integration testing, smoke tests, manual regression testing, and load testing. Security testing is also conducted as part of the vulnerability management process.