Information Security
Information security is a top priority for TechWolf. We go the extra mile to protect your data because we know that you trust it to be safe with us. TechWolf holds an ISO 27001 certification and a SOC 2 Type 1 attestation, and we are proud to provide state-of-the-art AI in a secure environment.
For general questions about our system, infrastructure, or information security, please reach us at infosec@techwolf.ai. For data protection and privacy inquiries, contact our DPO Office directly at dpo-office@techwolf.ai.
ISO 27001
TechWolf is an ISO/IEC 27001:2022 certified organization. The ISO 27001 standard helps us manage the processes and procedures that guarantee the security of our products and services. You can find our public ISO 27001 certificate here.
SOC 2 Type 1
SOC 2 (Service Organization Control 2) is a framework for managing data security that requires companies to establish and follow strict information security policies and procedures. TechWolf has obtained this attestation after an independent third-party audit.
Data & GDPR
TechWolf provides a strictly isolated environment for each customer. That means that your data is never combined with that of other customers, and any models trained or optimized on your internal data will never be applied outside your environment. All data is encrypted both at rest (AES-256) and in transit (SSL/TLS 1.2 or higher).
TechWolf's data handling is based on privacy-first principles, retaining only the information that is strictly necessary to provide our features. For example, our system discards all unstructured information and files immediately after processing. In addition, our system puts you in full control of the contents of your environment: the lifecycle of each Entity inside the Skill Engine is managed by your company explicitly. That means that you have full autonomy over the creation, content, and deletion of any item. This allows you to not only follow GDPR in data handling but also your company's policies.
Infrastructure Security
Our systems run on Amazon Web Services (AWS), inside the same secure facilities used by many of the other tools and services you use. The TechWolf systems are hosted inside data centers located in Paris, France, and Frankfurt, Germany. Amazon maintains a high level of security, including the following certifications:
- SOC 1 / ISAE 3402
- SOC 2
- SOC 3
- FISMA, DIACAP, and FedRAMP
- CSM Levels 1-5
- PCI DSS Level 1
- ISO 9001 / ISO 27001
The components of the Skill Engine are deployed on a virtual private cloud, in which internal components are fully shielded from outside access per the principle of least privilege. Each customer environment is accessible only through a dedicated domain, controlled by a secure gateway into the VPC. If desired, security measures such as IP whitelisting can be applied to your customer-specific domain to further shield access from the outside world.
TechWolf periodically undergoes black box penetration testing, conducted yearly by an independent third party. In addition, we work together with our customers to set up an additional pentest if they prefer one. A high-level overview of the outcomes of previous pentests is available to our customers upon request.
Application Security
The Skill Engine API is available through HTTPS only. Authentication and authorization are provided through the OAuth 2.0 protocol, which allows for secure and scoped access to different functionalities offered by the product. Authentication is provided by Auth0, which has attained broad information security certification as well.
Secure Development
With our products being developed further every day, our focus is on delivering quality. That means we have a strong emphasis on secure development procedures. This includes a zero bug policy, prioritizing the resolution of any bug that might be detected over all other work. Furthermore, we leverage broad unit, integration, and end-to-end test suites, ensuring that all functionality is tested thoroughly on every code change.
TechWolf leverages an agile development process, in which quality control is a crucial factor. Whenever a change is made to our codebase, the responsible developer creates a merge request (MR) and opens it for review. This action triggers a collection of automated quality checks, including vulnerability scans, regression tests, and linting checkers. If any of these fails, the MR is immediately blocked to prevent a negative impact on the production system. After these automated checks, each change is thoroughly reviewed by multiple other team members, typically leading to fast iterative improvement that raises the quality bar even further. Only after a consensus is reached that the proposed changes are up to standard can they be merged into the codebase.
Secure development goes beyond just shipping good quality code: it also means monitoring existing functionality closely to detect any remaining areas for improvement. Each production deployment has an active health checking system. It sends out alerts to the responsible team member within minutes of any degradation of service. In addition, a detailed error logging system is in place to ensure that we can take immediate action if a bug arises.
TechWolf Internal Security
TechWolf maintains an employee handbook for information security, which is part of the onboarding process and revisited periodically during refresher sessions. This handbook includes best-practice policies for passwords, device management, information storage, and more. These policies are a part of the broader internal documentation for information security inside the company, parts of which are available to our customers upon request. All authorizations, procedures, and practices are proactively reviewed quarterly.