Security at Terramate

Security is a top priority at Terramate, we live it in our day-to-day activities.

Our Senior Management team is accountable for security and ensures that security capabilities and competence exist across all levels of the business. We follow a holistic and collaborative approach to guarantee the availability, confidentiality, and integrity of your data. On this page, you can read about the various policies and security measures taken by Terramate to secure data hosted on our platform from unauthorized access.

How we protect your data

Our infrastructure runs purely on Google Cloud Platform (GCP), which delivers infrastructure as a service with top security capabilities.

ISO 27001 compliant data centers

The data centers used for storing your data are certified for compliance with the ISO 27001 standard.

Data storage and encryption at rest

Your data is encrypted at rest in Google Storage, Google Cloud SQL instances and block devices used by GCP Compute instances. AES256 encryption is used by default via GCP encryption services, while key management is handled by GCP CKM. This ensures all data is preserved and safe from prying eyes. We do not keep user passwords, as account management is handled via GCP Identity Platform.

Encryption in transit

All communication between you, your services and Terramate, including your data, traverses the Internet via encrypted HTTPS traffic using TLS v1.2. This encryption during communication ensures information cannot be read or manipulated by unauthorized third parties.

Annual penetration tests

Our infrastructure, web applications, and APIs are penetration tested annually by external independent parties. Any vulnerability found are fixed based our specifications in an internal SLA.

Backups

All our data, including Cloud Storage and database daily backups, is replicated between multiple zones thanks to the use of GCP. Backup data is encrypted at rest using AES-256 encryption with keys provided by GCP CKM.

Access to data

Access to your data is extremely restricted. We have hand-picked and trained support staff and Engineers on support that, after your explicit permission, are able to help fix your problem by accessing the affected data that you authorize. These actions are recorded, audited and monitored.

Physical security

We are a cloud native service. As such, we do not have data centers. Physical security to our servers and to your data is managed by GCP security certifications. Physical security at our offices is also governed by our security program.

Security groups

Networking in the cloud is very different from the standard data center. All communications to and from our servers are controlled by tight security groups, managed in GCP.

Web Application Firewall

Applications available on the internet are constantly under threat of attacks. One of the protections implemented to protect our application endpoints is a Web Application Firewall delivered by GCP Cloud Armor.

Threat detection

Provided by Google Cloud Security Command Center, we monitor and respond to threats when they happen. We detect inbound and outbound connections from and to known malicious IP addresses, unusual or unauthorized activities in our GCP accounts and much more.

Secure headers

To protect our users from attacks, we leverage browser protections such as HTTP Strict Transport Protection. We also constantly monitor our SSL configuration rating, where we target to a minimum of an A grade for all our general domains and an A+ for all domains under our full control.

Data retention policy

Your data lives in our servers for as long as you need them. Our Data Retention Policy and Data Classification Policy govern the way we manage data that needs deletion and retirement.

Monitoring and reporting

Access to customer data is logged along with SSH session commands in production. This provides a trail that can be easily followed in any security audits.

Two-factor authentication (2FA)

Users can protect their Terramate accounts through two-factor authentication in the identity provider they use to access our platform. 2FA verifies users through an authenticator app such as Google Authenticator, Authy, or Duo Mobile.

How we keep our service reliable

GCP

Our infrastructure runs in Google Cloud Platform, where all components are deployed to multiple instances, minimizing disruptions caused by any failure and keeping your data constantly available. Cloud Load Balancers are used to automatically split the load and segregate traffic from the Internet to all nodes of our frontend layer.

Auto-scalable Kubernetes

All our software components run in Docker containers orchestrated by Kubernetes. The clusters are automatically resized when the load on the system exceeds than the pre-defined threshold. Our platform has been designed from scratch to support high volumes of web traffic.

Distributed denial of service (DDOS) protection

Our APIs and web application are protected against denial of service attacks. GCP provides volumetric denial of service protection through Google Cloud Armor to ensure high availability.

Disaster recovery and business continuity

Terramate utilizes database replication architectures to ensure redundancy and uptime. Encrypted backups are made frequently and stored both onsite at the data center and copied to a remote storage location. Each key service layer has redundant components, such as multiple servers that provide the same service and content, to ensure any failures do not impact the rest of the system. Data centers are also equipped with controls to enforce physical security and protection against environmental hazards.

How we keep our code secure

Vulnerability management

All vulnerabilities are managed internally in our internal vulnerability management tool. Once a vulnerability is detected, it is assigned a score, using the CVSS scoring system, and an owner. We have an internal SLA that stipulates deadlines for fixing vulnerabilities, and, if necessary, a post-mortem is arranged as a learning exercise for our engineers to improve code security.

Code peer review

Our development process is based on GitHub’s pull request mechanism. Once a commit is made to a branch in a specific repository, the code is reviewed by members of the same team or from other engineering teams. Only once the pull request is approved by all tagged engineers is the code moved along in the development life cycle. This lets them detect bugs and vulnerabilities more effectively before code makes it into the final product.

Automatic static code analysis

When code is committed to GitHub, our continuous integration process automatically initiates a series of tests. One such test is automatic static code analysis, configured to find vulnerabilities both in the code and within its dependencies. Dependency management is performed locally per repository, where all dependencies are tagged by version and downloaded from reputable sources over encrypted HTTPS.

Quality Assurance (QA)

Once the code is ready to be tested, it is deployed to our staging environment. This environment runs a downscaled version of the production infrastructure and does not contain any production data. Quality assurance is performed in a different GCP account that is configured with different domain names to ensure complete separation from production.

Secure SDLC

Security is part of the Product organization and influences the product roadmap and specific features. We implement the philosophy of “security by design” where security features are embedded in the product and architecture design to ensure existing and new functionalities are free of vulnerabilities. We believe that engineers should be responsible for the code they create and have an established culture of accountability, which leads to a high level of code quality and security being maintained.

How we secure our business

Security awareness program

All Terramate employees and contracted third-parties are required to comply with Terramate policies relevant to their scope of work, including security and data privacy policies. Our standard work contract includes confidentiality clauses.

Terramate ensures its employees undergo regular security and privacy training. Employees with developer and administrative roles also undergo secure code training annually, while employees with responsibilities in the area of information security are also provided with additional training on security protection techniques, risks, and latest trends.

Security policies

Terramate has internal policies directly pertaining to or containing details about data privacy, security, and acceptable use. In addition, Terramate also has a public-facing privacy policy.

Vendor security management

Any third-party service providers whose services involve access to any confidential information must agree contractually to data privacy and security commitments based on their level of access and handling of information.

Multi-factor authentication

The use of multi-factor authentication (MFA) is enforced throughout the main services Terramate relies on. MFA is also encouraged by Terramate to both its employees and customers. The use of MFA provides an additional measure for verifying a user’s claimed identity over the use of just a password. Currently, the minimum requirement for our MFA implementation is the use of a password combined with an access token (for instance, a code provided by Google Authenticator). MFA is also mandatorily enforced for GCP and GitHub access.

How you can protect your data

In case of a security incident

Incidents can happen to anyone — we are ready for such an event when it happens. We manage security incidents via a documented process, which includes notification of and cooperation with customers, data protection authorities, and law enforcement. Terramate will notify affected customers without undue delay following incident detection, where we share a preliminary assessment of the incident and are open to cooperation. We follow article 33 of the GDPR when personal data is involved, and alert the supervisory authority regarding breach of personal data.

How to report vulnerabilities

Found a vulnerability? Would you like to report a bug or something interesting that you found? Have any other security issues? The best way to reach out to us is via email: hello@terramate.io.

We advise abstaining from publicly announcing a vulnerability or bug before we get in touch with you and work on a fix.