
Information Security

Information security is a top priority for TechWolf. We go the extra mile to protect your data, because we know that you trust it to be safe with us. TechWolf is an ISO 27001 certified company, and we are proud to provide state-of-the-art AI in a secure environment.

For general questions about our system, infrastructure and information security, please reach us at infosec@techwolf.ai. For inquiries related specifically to data protection and privacy, you can also contact our Data Protection Officer Pierre directly at dpo@techwolf.ai.

ISO 27001

TechWolf is an ISO/IEC 27001:2017 certified organisation. The ISO 27001 standard helps us manage the processes and procedures that guarantee the security of our products and services. You can find our public ISO 27001 certificate here.

Data & GDPR

TechWolf provides a strictly isolated environment for each customer. That means that your data is never combined with that of other customers, and any models trained or optimised on your internal data will never be applied outside of your own environment. All data is encrypted both at rest (AES-256) and in transit (SSL/TLS).

The Skill Engine API's data handling is based on privacy-first principles, retaining only the information that is absolutely necessary to provide our features. For example, our system discards all unstructured information and files immediately after processing. In addition, our system puts you in full control of the contents of your environment: the lifecycle of each Entity inside the Skill Engine API is managed explicitly by your company. That means that you have full autonomy over the creation, content and deletion of any item, allowing you to handle data retention in accordance not only with GDPR, but also with your company's policies.

Infrastructure Security

Our systems run on Amazon Web Services (AWS), inside the same secure facilities used by many of the other tools and services you use. The TechWolf systems are hosted inside data centers located in Paris, France and Frankfurt, Germany. Amazon maintains a high level of security, including the following certifications:

  • SOC 1 / ISAE 3402
  • SOC 2
  • SOC 3
  • FISMA, DIACAP, and FedRAMP
  • CSM Levels 1-5
  • PCI DSS Level 1
  • ISO 9001 / ISO 27001

The components of the Skill Engine API run on a virtual private cloud (VPC), in which internal components are fully shielded from outside access in accordance with the principle of least privilege. Each customer environment is accessible only through a dedicated domain, controlled by a secure gateway into the VPC. If desired, security measures such as IP whitelisting can be applied to your customer-specific domain to further shield access from the outside world.

TechWolf undergoes black box penetration testing on a yearly basis, conducted by an independent third party. In addition, we work together with our customers to set up an additional pentest if this is preferred. A high-level overview of the outcomes of previous pentests is available to our customers upon request.

Application Security

The Skill Engine API is available through HTTPS only. Authentication and authorisation are provided through the OAuth 2.0 protocol, which allows for secure, scoped access to the different functionalities offered by the product. Authentication is provided by Auth0, which has attained broad information security certification as well.

Secure Development

With our products being developed further every day, our focus is on delivering quality. That means we have a strong emphasis on secure development procedures. This includes a zero bug policy, prioritising the resolution of any bug that might be detected over all other work. Furthermore, we leverage broad unit, integration and end-to-end test suites, ensuring that all functionality is tested thoroughly on every code change.

TechWolf leverages an agile development process, in which quality control is a crucial factor. Whenever a change is made to our codebase, the responsible developer creates a merge request (MR) and opens it for review. This action triggers a collection of automated quality checks, including vulnerability scans, regression tests and linting checkers. If any of these fails, the MR is immediately blocked to prevent a negative impact on the production system. After these automated checks, each change is thoroughly reviewed by multiple other team members, typically leading to fast, iterative improvements that raise the quality bar even further. Only after a consensus is reached that the proposed changes are up to standard can they be merged into the codebase.

Secure development goes beyond just shipping good quality code: it also means monitoring existing functionality closely to detect any remaining areas for improvement. Each production deployment has an active health checking system, which sends alerts to the responsible team members within minutes of any degradation of service. In addition, a detailed error logging system is in place to ensure that we can take immediate action if a bug causes issues.

TechWolf Internal Security

TechWolf maintains an employee handbook for information security, which is part of the onboarding process and revisited periodically during refresher sessions. This handbook includes best-practice policies for topics such as passwords, device management and information storage. These policies are part of the broader internal documentation for information security inside the company, parts of which are available to our customers upon request. All authorisations, procedures and practices are reviewed proactively on a quarterly basis.