TestFit’s Information Security Policy establishes the framework and guidelines for protecting the confidentiality, integrity, and availability of TestFit’s information and data.
1. Security Framework
Information security governance is handled by an Information Security Governance Team that will oversee information security activities and ensure alignment with business objectives. This team will also be responsible for establishing policies and procedures for risk management, compliance, and incident response.
This team meets regularly to review risks and mitigation strategies, and to plan and prioritize any associated information security work that may be required.
2. Information Classification
All information within TestFit is classified based on its sensitivity and criticality into the following categories:
- Confidential
Information that is highly sensitive and should only be accessed by authorized personnel on a need-to-know basis. This includes any intellectual property a customer may be storing in TestFit cloud services.
- Internal Use Only
Information intended for internal use within the organization. Disclosure to external parties must be done with appropriate authorization.
- Public
Information that can be shared openly with the public.
3. Access Control
Access to information systems and data is handled based on the principle of least privilege to prevent TestFit employees from accessing resources or data beyond that which is necessary or appropriate in the context of their applicable roles or responsibilities. User access is regularly reviewed and updated to prevent unauthorized access and ensure compliance with TestFit’s access control policies.
TestFit utilizes various authentication mechanisms, including two-factor authentication (2FA), to secure TestFit employee access to sensitive systems and data.
4. Data Protection
All employees and stakeholders are responsible for safeguarding sensitive data from unauthorized access, disclosure, alteration, or destruction. Data encryption is applied to data in transit and any Project and Asset data saved to TestFit cloud services is encrypted at rest.
Secure methods of data transfer, such as TLS 1.2, are used when transmitting sensitive information over networks.
5. Data Retention
Usage and project information is captured and retained for a minimum of 30 days after the customer’s subscription expires or is terminated.
6. Information Security Training
All TestFit employees and contractors with access to TestFit customer data undergo regular information security training to understand the latest threats, best practices, and their responsibilities in protecting information assets. This training is administered both in onboarding and during the term of their employment or contracting with TestFit, as applicable.
Training covers topics such as password security, social engineering, data handling, and reporting security incidents.
7. Incident Response
TestFit’s incident response plan guides how TestFit responds to security incidents should they occur. A summary of TestFit’s incident response plan is available to active TestFit customers upon request. This plan governs the handling of security incidents, including data breaches, unauthorized access, and malware infections. It also outlines timelines and frequency of notification based on the severity of the incident.
All TestFit personnel with access to customer data are instructed to report any suspected or actual security incidents immediately to the designated incident response team.
8. Third-Party Security
If a TestFit vendor or contractor has access to TestFit data or systems, TestFit requires such vendor or contractor to (a) adhere to TestFit’s information security policies and (b) sign a data protection agreement that governs and restricts such access. Third-party integrations to TestFit software are scrutinized to prevent confidential or internal-use data from being shared with unauthorized third parties.
9. Compliance and Monitoring
TestFit regularly audits and monitors its personnel’s compliance with this Information Security Policy and related procedures.
10. Policy Review
TestFit regularly reviews this Information Security Policy to maintain its relevance, effectiveness and consideration of emerging security threats. Updates or changes to this policy are communicated to customers by posting the updated version and its effective date on TestFit’s website. TestFit may also notify customers by other means TestFit reasonably deems appropriate.