Security Practices

The security of your data is our first priority.

We aim to be as clear and open as we can about the way we handle security. It’s our commitment to privacy and inspiring trust that directs the decisions we make on a daily basis.

Accessing your data

We do not store a copy of your database. Your data stays safely and securely in your own database.

We send SQL over the wire and retrieve only the returned results (“Customer Data”).

We store these results for up to 48 hours and then permanently delete them. This helps to protect your database from too much traffic.

Your SSH or database credentials are kept strictly private and are securely encrypted using industry standard 128-bit AES Encryption. All connections to your database use a read-only transaction. Trevor will never write to your database or update / alter your data in any way.

Customer Data is encrypted at rest and when sent between services. Due to the nature of the Service we provide, Customer Data when presented to users is not encrypted beyond your own encryption settings.

All data transfers use SSL connections, which protect against eavesdropping and man-in-the-middle attacks.

Confidentiality

We place strict controls over our team’s access to your Customer Data, as more specifically detailed in your agreement with Trevor covering the use of the Trevor.io services.

The operation of the Trevor services requires that some team members have access to the systems which store and process Customer Data. For example, in order to diagnose a problem we may need to access your Customer Data. We may also request to access your Customer Data in response to a support request. In such cases, we require written permission and will not access your Customer Data before it is given.

The permissions required to access Customer Data are provided only to a limited number of senior members of the Trevor team, who have received relevant training in regards to data security and privacy. These team members are prohibited from using these permissions to access Customer Data unless explicitly given permission by the customer to do so.

We have technical controls to ensure that all access to Customer Data is logged.

Access and Authentication

As a modern cloud platform, we use various third party systems (for example, Heroku). You can see a full list of subprocessors here.

Access to specific systems is controlled, monitored, and reviewed by senior members of the Trevor team. It is provided to team members on a need-to-use basis only, meaning that only members of our team who specifically require access to a given system to perform their jobs have access to it.

We use Google Sign-in, a secure authentication-system, to sign in to the systems we use.

We require that all members of our team use 2-Step-Verification to keep their account secure. We do not allow account sharing under any circumstances.

When signing in from new browsers, devices, or locations, we receive security alerts via email. We track and review devices that are currently signed in or have been active in the last 28 days.

We can revoke a specific user’s access to our systems at any time (for example, if a team member leaves).

Hardware, Devices, and Storage

We place strict controls over the hardware we use, including laptops and other devices.

All company hardware, as well as personal hardware used for company purposes, and content must be encrypted at rest and protected by up to date anti-virus software. Laptops must be secured by a confidential password and locked when unattended. Old devices must be securely formatted before disposal.

Our servers are provided by Heroku and AWS. Both providers continually manage risk and undergo recurring assessments to ensure compliance with industry standards. Heroku’s physical infrastructure is hosted and managed within Amazon’s secure data centers. Amazon’s data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

Logging

We maintain an extensive, centralized logging environment in our production environment which contains information pertaining to security, monitoring, availability, access, and other metrics about the Trevor services.

Incident Management and Response

In the event of a security breach, Trevor will promptly notify you of any unauthorized access to your Customer Data, in accordance with the requirements of the EU General Data Protection Regulation (GDPR).

Contact

If you have any questions, please don’t hesitate to get in contact via team@trevor.io.