Typefi customers trust us with their content. That trust is based upon us keeping that data private, secure, and available. The information on this page is intended to provide transparency about how we protect that data. We will continue to expand and update this information as we add new security capabilities and make security improvements to our products.
Typefi and your data
We understand the importance of your data and take steps to secure and protect it while in our cloud. Our data ownership and protection policies focus on providing you with confidence that your data remains secure and under your sole control.
Typefi staff are expected to be competent, thorough, helpful, and courteous stewards of customer information stored in Typefi products and Typefi's cloud data centres. Typefi has established several measures to ensure that customers and their data are treated properly.
All employees are required to accept and acknowledge in writing Typefi's policies for nondisclosure and protection of Typefi and third-party confidential information, including acceptable use of confidential information. In assisting customers with their technology solutions, Typefi staff understand that they may come into contact with customer communications and customer data, and they must keep this information confidential.
Independent auditors audit Typefi's information security program for SOC 2 Type II compliance.
Security is a shared responsibility at Typefi. We aligned our security program with SOC 2 Type II with special emphasis on:
- Infrastructure controls
- Employee awareness
- Intrusion detection,
- Assessment activities
- Product security
The security team runs an in-house Cyber Incident Response (CIR) program and guides Typefi employees on reporting security events or anomalies. Our CIR team has procedures and tools in place to:
- Respond to security issues
- Evaluate new technologies to improve our ability to detect attacks against our infrastructure, service, and employees
We periodically assess our infrastructure and applications for vulnerabilities and remediate those that could impact the security of customer data. Our management team continually evaluates new tools to increase the coverage and depth of these assessments.
Security incident notification
If Typefi becomes aware of any unlawful access to our systems that results in the loss, disclosure or alteration of data (each a “Security Incident”), Typefi will promptly:
- Notify customers of the security incident.
- Investigate the security incident.
- Make reasonable steps to mitigate the effects of, and minimise any damage resulting from, the security incident.
We deliver security incidents notifications to one or more customer administrator by a means selected by us, including via email. The customer’s sole responsibility is to ensure that its administrators maintain accurate contact information on each applicable customer portal. Typefi's obligation to report or respond to a security incident under this section is not an acknowledgement by Typefi of any fault or liability concerning a security incident.
Customers must notify Typefi promptly of any possible misuse of its accounts or authentication credentials or any security incident related to our services.
Typefi defines its network boundaries using a combination of load balancers, firewalls, and virtual private networks (VPNs). We use these to control which services we expose to the internet and to segment our production network from the rest of our computing infrastructure. We limit who has access to our production infrastructure based on business need and strongly authenticate that access.
Typefi uses hashed credentials to authenticate users. We select the complexity and hashing capability to strike a balance between user experience and password cracking complexity. We limit failed login attempts on both a per-account and per-IP-address basis to slow down password guessing attacks.
To protect you from malicious content, we scan all email we receive using a commercial anti-virus scanning engine. When you receive an email from Typefi, you can be confident that it really came from us.
Our email domains are:
Our email security policies include:
- Domain-based Message Authentication, Reporting, and Conformance (DMARC): DMARC specifies how your domain handles suspicious emails.
- DomainKeys Identified Mail (DKIM): DKIM verifies that message content is authentic and not changed.
- Sender Policy Framework (SPF): SPF specifies which domains can send messages for your organisation.
Securing our internet-facing web services is critically important to protecting your data. Our engineering team drives an application security program to improve code security hygiene and periodically assess our service for common application security issues such as:
|Cross-site request forgery (CSRF)||An attack where authorised commands are submitted from a user that the web application trusts.|
Injection attacks, including cross-site scripting (XSS) and SQL injection (SQLi)
|An attack where an attacker injects untrusted input into a program. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. SQLi attacks take advantage of the SQL syntax to inject commands that can read or modify a database or compromise the meaning of the original SQL query.|
|Session management||The rule set that governs interactions between a web-based application and users. When session management is not correctly configured, attackers may compromise passwords, session tokens, or keys to access users' accounts and assume their identities.|
|URL redirection||A vulnerability that allows an attacker to force users of your application to an untrusted external site.|
|Clickjacking||An attack that tricks a user into clicking a webpage element that is invisible or disguised as another element.|
For our cloud services, we use Amazon Web Services (AWS). AWS has undergone multiple certifications that attest to its ability to physically secure Typefi’s data. Learn more about AWS security.
Resiliency and availability
Typefi designs infrastructure in ways that complement our product capabilities with equal emphasis on availability, integrity, and confidentiality. Our Service Level Agreements detail commitments for the various products and services Typefi offers.
We back up all customer content at least once daily. We do not utilise portable or removable media for backups.
Data privacy generally means the ability of a person to determine for themselves when, how, and to what extent personal information about them is shared with or communicated to others. We have implemented several policies to keep your data private.
Typefi Cloud Bronze service is multi-tenant and does not segment your data from other users’ data. Your data may live on the same servers as another user’s data. We consider your data private and do not permit another user to access it unless you explicitly share it.
Typefi Cloud Gold is a single-tenant solution for running a managed instance of Typefi Server for Workgroup and Adobe InDesign Server. Each instance is dedicated to a single organisation, and only members of that organisation are granted login access. Typefi Cloud Gold instances offer customers the ability to control upgrade schedules for Typefi solutions, run custom scripts, and enable the use of third-party tools.
Data retention and deletion
Typefi retains your content unless you specifically request removal or delete it from Typefi Cloud. The data is stored in production environments and backups. To request deletion of all data, please email firstname.lastname@example.org.
Media disposal and destruction
We securely erase or destroy all storage media if it has ever been used to store user data. We follow the National Institute of Standards and Technology's (NIST) guidance in special publication 800-88 to accomplish this. NIST 800-88 is a US government document that provides methodical guidance for erasing data from electronic storage media.
We utilise various storage options in Amazon Web Services (AWS), including local disks, persistent disks, and AWS S3 buckets. We take advantage of AWS's cryptographic erasure processes to ensure that repurposing storage does not expose private customer data.
Typefi performs server-side logging of client interactions with our services. This includes web server access logging, as well as activity logging for actions taken through our API. We also collect event data from our applications with your consent.
Typefi uses industry-standard encryption to protect your data in transit. This is commonly referred to as transport layer security (TLS) or secure socket layer (SSL) technology.
Encryption at rest
We enable Amazon Web Services (AWS) encryption on all local disks, persistent disks, and AWS S3 buckets. More technically, we use AWS's server-side encryption feature with AWS-managed encryption keys to encrypt all data at rest, transparently and automatically. AWS's server-side encryption uses one of the strongest block ciphers available to encrypt your data, 256-bit Advanced Encryption Standard (AES-256).
If you have any questions about Typefi's security and compliance policies, please contact us.