Information security and compliance at Textio
Compliance and certification
ISO/IEC 27001:2022
Textio’s Information Security Management System (ISMS) has been certified compliant with the ISO/IEC 27001:2022 standard by an accredited third-party vendor. External and internal audits are conducted on an annual basis. Textio’s ISO 27001 certificate is available below, and its most recent ISO 27001 audit report is available under MNDA by request to prospective and current customers. Textio, Inc. ISO 27001 Certificate.pdf
Cloud Security Alliance (CSA)
Textio is registered with the Cloud Security Alliance (CSA) and provides additional details of its information security program through the Consensus Assessments Initiative Questionnaire (CAIQ). This questionnaire also contains mappings to other recognized compliance standards.
Amazon Web Services
Textio is built and delivered via Amazon Web Services (AWS) which maintains multiple security certifications to safeguard the infrastructure underlying the Textio service. Information about AWS compliance programs is available here: https://aws.amazon.com/compliance/programs.
Contact Textio’s security team
You can contact Textio’s information security and privacy team by sending an email to security@textio.com.
If you would like to report a vulnerability or security concern please use this same address. Textio takes all disclosures seriously and will be in touch with you shortly to discuss. Please include a proof of concept, tools used, and relevant inputs and outputs.
Data privacy
Textio is deeply committed to the privacy of its users and the security of their data. Textio maintains high privacy standards that meet the regulatory requirements of its users, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). In an effort to exceed regulatory requirements and provide the same privacy benefits to all its users, Textio applies the standards of the regulation globally instead of limiting its scope to certain jurisdictions. All customer and marketing data is treated in a way that conforms with GDPR and CCPA.
Privacy policy
Textio’s Privacy Policy contains details of what data Textio processes, why and how it is processing it, and what rights users have. The Privacy Policy is available to all users here: https://textio.com/privacy.
GDPR alignment
Textio has been compliant with the GDPR since it first went into effect in 2018. Textio’s role under GDPR is that of a Data Processor of personal data related to user accounts and documents. The customer is the Data Controller because they decide which users have access and what documents are created.
The personal data that Textio processes is that of the Textio users, such as employees of the customer who has licensed the software.
Textio collects and uses the following personal data from Textio users who have chosen to sign up for the Service: user’s name, email address, and job title. Textio records user IP addresses for maintaining the security of the service. Textio does not process any special categories of personal data.
Textio processes personal data for the following purposes:
- User authentication and authorization with the Textio platform
- To provide product features that depend on user identity, such as groups and document ownership
- Creating a personalized experience while the user is using the platform
- Providing customer support to end users
- Monitoring and auditing usage to prevent fraud and abuse of the platform
Because Textio is a Data Processor, users exercise their data subject rights by contacting the Data Controller, which is Textio’s customer. The customer can then exercise the user’s right for access, export, and erasure through the administrative panel and document library.
Data Processing Addendum (DPA)
Textio provides a Data Processing Addendum (DPA) that customers can sign to maintain their compliance with GDPR. The DPA has been crafted specifically to match Textio’s services and is available by contacting your sales representative or security@textio.com.
Subprocessor list
Textio uses the following Subprocessors to process Personal Data. Textio engages different types of subprocessors to perform various functions, as explained in the table below.
Subprocessor | Country | Purpose |
---|---|---|
Amazon Web Services, Inc. | United States | Cloud hosting services |
Atlassian Corporation | United States | Customer support tickets |
ChurnZero, Inc. | United States | Customer communication and reporting |
Dropbox, Inc. | United States | Secure document storage |
Functional Software, Inc. dba Sentry | United States | Application monitoring |
Google Analytics | United States | Analytics |
Help Scout, Inc. | United States | Ticketing system |
HubSpot, Inc. | United States | CRM |
Mailgun Technologies, Inc. | United States | Marketing email address validation |
Microsoft, Inc. | United States | Large Language Models for product features and customer support services |
Mixpanel, Inc. | United States | Product analytics |
Productboard, Inc. | United States | Product feature request management |
Salesforce.com, Inc. | United States | Sales management and customer support services |
Skilljar, Inc. | United States | Customer education and training |
Sumo Logic, Inc. | United States | Log monitoring |
Application and infrastructure security
The Textio platform consists of a SaaS web application and third-party integrations in which users create and edit documents such as job posts and recruiting emails. These components are accessed over the internet and thus require no integration with a customer’s existing network or installation on their servers. The web application supports: Chrome, IE, Firefox, Safari, and Opera.
Textio integrations allow document editing in common email, sourcing, and Applicant Tracking System (ATS) platforms such as LinkedIn Recruiter, Greenhouse, and Workday. Messaging integrations allow users to gather outcomes data for improving Textio’s language recommendation engine. ATS integrations enable users to write a job posting in Textio and push it into the ATS for downstream workflows.
Application authentication
Textio supports both Single Sign-On (SSO) and password-based authentication.
For SSO, Textio integrates with SAML 2.0 providers such as Azure AD and Okta. Textio supports Service Provider (SP) and Identity Provider (IdP) initiated use cases and federated authentication (not delegated). Once SSO is enabled, users can no longer log in with passwords, and there is no bypass mechanism.
Textio’s password-based authentication requires strong passwords for user accounts. Passwords stored in the database are irreversibly hashed with a random salt. Too many failed login attempts will lock a user’s account and will require them to execute a password reset via email. Password-based authentication does not include multi-factor authentication (MFA), forced password rotation, or password history-based exclusions; customers needing these features should use SSO and enable these features there.
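The paragraph above describes three properties of password-based authentication: irreversible hashing with a per-account random salt, lockout after repeated failures, and recovery only through an emailed reset. The following is an added illustration in Python, not Textio's code; the hash function (PBKDF2-HMAC-SHA256), iteration count and lockout threshold are assumptions chosen for the example, since the page does not state Textio's values.

```python
import hashlib
import hmac
import os
import secrets

# Assumed parameters for this example; the page does not state Textio's choices.
PBKDF2_ITERATIONS = 600_000   # OWASP-recommended floor for PBKDF2-HMAC-SHA256
LOCKOUT_THRESHOLD = 5         # consecutive failures before the account locks
SALT_BYTES = 16


def _hash(password, salt):
    """One-way, salted password digest. Same input and salt always give the same digest;
    nothing here can recover the password from the digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class PasswordStore:
    """In-memory user store (constructed for the example) showing salted hashing,
    failure-count lockout and a reset-token path out of the lockout."""

    def __init__(self):
        self.users = {}  # email -> {"salt", "digest", "failures", "locked", "reset_token"}

    def register(self, email, password):
        salt = os.urandom(SALT_BYTES)  # fresh random salt per account
        self.users[email] = {"salt": salt, "digest": _hash(password, salt),
                             "failures": 0, "locked": False}

    def verify(self, email, password):
        rec = self.users.get(email)
        if rec is None:
            # Do the same work for unknown accounts so response time does not
            # reveal whether an email address is registered.
            _hash(password, b"\x00" * SALT_BYTES)
            return False
        if rec["locked"]:
            return False  # locked accounts are refused even with the right password
        if hmac.compare_digest(_hash(password, rec["salt"]), rec["digest"]):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        if rec["failures"] >= LOCKOUT_THRESHOLD:
            rec["locked"] = True
        return False

    def issue_reset_token(self, email):
        """Only recovery path from a lockout: a single-use token sent by email
        (delivery is outside this example)."""
        token = secrets.token_urlsafe(32)
        self.users[email]["reset_token"] = token
        return token

    def reset_password(self, email, token, new_password):
        rec = self.users[email]
        if not hmac.compare_digest(rec.get("reset_token", ""), token):
            return False
        self.register(email, new_password)  # new salt, new digest, lock and token cleared
        return True
```

Because `register` is reused on reset, the old digest, failure counter and token are all discarded at once, which is what makes the reset token single-use.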
Customer data security
Textio processes the following types of data from customers who are using the Textio platform: non-sensitive business white pages information from users (including the user’s name, email address, and job title), documents written on the platform, account settings and configuration (e.g. groups), IP addresses for audit logs, and anonymized outcomes data. Textio does not store or process any Personal Health Information (PHI) or Payment Card Information (PCI).
All customer data is encrypted at rest and in transit using modern cryptographic algorithms. Each customer’s data is logically isolated from that of other customers by architecture, software design, and code controls. Customer data is stored in the United States and not transferred to other countries or sold to third parties.
No customer data is shared with any party outside of Textio except for what is needed to provide and operate the service. Textio shares customer data with the following third-party vendors for the sole purpose of providing and operating the Textio service: Amazon Web Services (infrastructure and hosting), Sentry (application monitoring), Google Analytics (application metrics), HubSpot (email communications), Sumo Logic (audit logs), Dropbox (usage reports), Help Scout (customer support).
Customer data is backed up at least daily for recovery in case of a continuity or other incident. These data backups have the same security measures as the primary data store, including encryption at rest and limited access privileges.
Textio retains customer data such as accounts and content to provide a more continuous user experience for customers who return to Textio after their contract has terminated. Textio uses retained data in aggregated form to develop derivative products, such as models, that may require re-analysis of the source data. Audit logs of product usage are retained to prevent fraud and abuse of the platform.
Textio will delete customer data when it is formally requested by the customer or as required per the established services agreement.
Secure application development
Textio implements secure development practices to ensure security is considered at all stages of the software development lifecycle.
The engineering team takes information security into account starting at the architectural and software design phase of building systems and features. Some of the key principles that they follow include:
- Isolate Personally Identifying Information (PII) to a minimal set of systems and only give access to those individuals with a business reason to know; use anonymized IDs in all other systems
- Avoid SQL injection attacks by using Object-Relational Mapping (ORM) libraries or parameterized queries for all database access
- Use standard cryptographic libraries and known implementations
- Properly manage runtime secrets via Amazon's Key Management Service and never check them in to source control
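As an added illustration of the second principle (example code, not Textio's), the two functions below run the same lookup against a small in-memory SQLite table constructed for the example. The first splices a caller-supplied value into the SQL text, so a value containing quote characters changes the query's meaning; the second passes the value as a bound parameter, so the driver never parses it as SQL.

```python
import sqlite3


def make_db():
    """Constructed in-memory table of documents with two owners."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO documents (owner, title) VALUES (?, ?)",
        [("alice", "Senior Engineer job post"),
         ("alice", "Recruiting email draft"),
         ("bob", "Designer job post")],
    )
    return conn


def titles_for_owner_unsafe(conn, owner):
    """The pattern the guideline forbids: the value becomes part of the SQL text,
    so a quote in `owner` ends the string literal and the rest is executed as SQL."""
    sql = f"SELECT title FROM documents WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def titles_for_owner_safe(conn, owner):
    """Parameterized query: the SQL text is fixed and `owner` is bound as data.
    ORM query builders do the same thing underneath."""
    rows = conn.execute("SELECT title FROM documents WHERE owner = ?", (owner,))
    return [row[0] for row in rows]
```

The parameterized version returns nothing for a malformed owner value, which is the correct result: there is no owner with that literal name. The same holds for any driver that supports bound parameters; the fix is structural, not a matter of escaping characters.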
Textio’s change management process requires that all code and infrastructure changes undergo peer review and approval, which is managed through GitHub Pull Requests. Code reviews emphasize security as one tenet to evaluate. If the code change is in a particularly sensitive area of code (e.g. cryptography), then additional reviews are required. Once approved, new code undergoes provisional deployment to development and staging environments where it is required to pass automated unit and functional tests. All members of the Engineering team may request production changes. Deployments to production are conducted by a small number of authorized engineers.
Textio follows a continuous deployment methodology where enhancements and defect fixes are deployed to all customers as they are completed and tested. Software deployments typically require no maintenance downtime.
An automated monitoring and alerting system notifies the operations team of any critical errors or failures due to deployments. All of the above steps are posted into an internal Slack channel of which all engineers are members to ensure the highest level of visibility and oversight. In addition, all production environment changes are logged to provide a forensic audit trail.
Production environment security
Textio is built and hosted in Amazon Web Services (AWS). Textio leverages key security primitives, such as VPC, security groups (SGs), and network Access Control Lists (ACLs), to segment its network. The frontend application communicates with an API layer which manages access to data stores and routes document analysis tasks to the appropriate services. Wherever possible, endpoints require authenticated access.
Textio’s different environments (production, staging, development) are separated into different AWS accounts where possible.
Textio leverages AWS security groups to ensure that access to critical systems, e.g. databases, is only available to the systems within the VPC that require it. All security groups are configured to open only the necessary ports to the smallest set of IPs or additional security groups. As an example, port 22 (SSH) is only open to the bastion host security group. Security groups are audited regularly to ensure compliance with this policy.
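The paragraph above states a policy (SSH only from the bastion group; otherwise only the necessary ports to the smallest set of sources) and says security groups are audited against it. The following is an added example of such an audit, written here and not Textio's tooling: it evaluates records in the shape the EC2 DescribeSecurityGroups API returns (GroupId, IpPermissions, IpRanges, UserIdGroupPairs), so it could be fed from a real `describe_security_groups` response, but the group IDs, names, VPN range and the one deliberately drifted rule are constructed for the example. It generalizes slightly beyond the text by also flagging any rule open to the whole internet that is not on an explicit allow list.

```python
# Constructed data. Group IDs, names and the VPN range are made up; the shape matches
# the EC2 DescribeSecurityGroups response so the audit works on real output too.
BASTION_SG = "sg-0bastion"
PUBLIC_ALLOWED = {("sg-0app", 443)}  # (group, port) pairs permitted from the internet
WORLD = {"0.0.0.0/0", "::/0"}

SECURITY_GROUPS = [
    {"GroupId": "sg-0bastion", "GroupName": "bastion", "IpPermissions": [
        # Assumed VPN egress range (see the logical access control section): SSH into
        # the bastion only from there.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0app", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0bastion"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0db", "GroupName": "database", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0app"}]},
        # Drifted rule, constructed for the example: SSH opened to the world.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
]


def covers_port(perm, port):
    """True if this permission entry admits traffic on `port`."""
    if perm["IpProtocol"] == "-1":  # "-1" means every protocol and port
        return True
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit(groups, bastion_sg=BASTION_SG, public_allowed=PUBLIC_ALLOWED):
    """Return (group_id, rule, detail) findings for entries that violate the policy."""
    findings = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sources = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]

            # Rule 1: on every group except the bastion itself, SSH may only be
            # sourced from the bastion security group, never from an IP range.
            if sg["GroupId"] != bastion_sg and covers_port(perm, 22):
                bad = cidrs + [s for s in sources if s != bastion_sg]
                if bad:
                    findings.append((sg["GroupId"], "ssh-not-from-bastion", bad))

            # Rule 2: nothing reachable from the whole internet unless explicitly allowed.
            for cidr in cidrs:
                if cidr in WORLD:
                    port = "all" if perm["IpProtocol"] == "-1" else perm["FromPort"]
                    if (sg["GroupId"], port) not in public_allowed:
                        detail = [f"{perm['IpProtocol']}/{port}"]
                        findings.append((sg["GroupId"], "open-to-internet", detail))
    return findings


if __name__ == "__main__":
    for group_id, rule, detail in audit(SECURITY_GROUPS):
        print(f"{group_id}: {rule} {detail}")
```

Run on the constructed data, the audit reports only the database group's drifted SSH rule, once under each rule. Scheduling this against live output and diffing the findings list is the simplest way to turn "audited regularly" into something that pages someone when a rule drifts.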
Textio employees do not have physical access to AWS data centers, servers, network equipment, or storage.
Availability and scalability
The Textio service is designed for high reliability and availability. The production service is deployed across multiple availability zones within an AWS region and all critical components are configured for seamless failover in the event the primary availability zone goes down.
Textio maintains a strong historical availability record. For example, in 2019 the service surpassed 99.95% service availability each month and there was only one planned maintenance window during the entire year.
Textio is deployed as an elastic application that scales automatically to meet capacity needs. This scaling is managed through AWS auto-scaling which monitors Textio's application and automatically adjusts capacity to maintain steady and predictable performance.
Textio uses continuous monitoring and alerting to identify and quickly resolve any availability incidents. Such alerts go to an engineering on-call rotation that provides 24/7 coverage.
Cryptography
All customer data is encrypted at rest and in transit using modern cryptographic methods. At rest data is encrypted using the standard secure methods provided by AWS storage services, such as AES-256. Data in transit is encrypted using TLS 1.2 with a 2048-bit RSA certificate. Insecure protocols such as SSL 3.0 and TLS 1.0 are disabled. Textio does not use TLS mutual authentication and instead utilizes Single Sign-On (SSO) which uses SAML.
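The transport settings described above (TLS 1.2 as the floor, SSL 3.0 and TLS 1.0 refused) are usually enforced at a load balancer or web server, but the same policy can be expressed in application code. The block below is an added example using Python's standard `ssl` module, not Textio's configuration; the certificate and key paths are the caller's, and the helper that lists negotiable versions is written here to make the effect of the floor visible.

```python
import ssl

# Names of the protocol versions the ssl module knows, oldest first.
VERSION_NAMES = ["SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]


def make_server_context(certfile=None, keyfile=None):
    """Server-side TLS context that will not negotiate SSL 3.0, TLS 1.0 or TLS 1.1.
    certfile/keyfile are the operator's certificate chain and private key (paths assumed)."""
    # Purpose.CLIENT_AUTH yields a server context with the library's secure defaults
    # (compression off, modern cipher preferences); the floor is then pinned explicitly
    # so the policy does not depend on the Python or OpenSSL build's default.
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def negotiable_versions(ctx):
    """Protocol versions the context's floor permits. The ceiling is left at the
    library maximum, so TLS 1.3 appears whenever the linked OpenSSL offers it."""
    return [name for name in VERSION_NAMES if ssl.TLSVersion[name] >= ctx.minimum_version]
```

A quick check after deployment is to confirm `negotiable_versions` lists only `TLSv1_2` and `TLSv1_3`; an external scan of the public endpoint should agree with it.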
Encryption keys for customer data are generated and managed using AWS’s Key Management Service (KMS), which handles the transitions between phases of the encryption key life-cycle and monitors and tracks those workflows.
Textio uses the same encryption keys for all customers in each shared-tenancy environment and therefore does not support customer-specific or customer-supplied encryption keys.
Server hardening
Textio leverages Amazon Machine Images (AMIs) that have been hardened following industry-standard practices, such as the Amazon ECS-optimized AMI.
Individual hosts are running a minimal set of network services needed to support the application. Depending on the host, this may include sshd, application server, and our host monitoring/logging agent. Textio uses Network Time Protocol (NTP) on all production hosts to synchronize clocks. Where possible, hosts are configured with automatic package updates.
Any customizations needed are added by Textio on top of these hardened AMIs and made using industry best practices. Such customizations are configuration-driven and managed under source control. These final AMIs are then used as the standard across the fleet to ensure a consistently secure environment for all services. All machine images are updated regularly and re-deployed to ensure we have the latest updates. Textio does not use any third-party or community AMIs.
Physical access control
Textio does not own or operate any data centers. Textio's service is built and delivered via Amazon Web Services (AWS) and hosted in their US-based data centers.
Logical access control
Textio is hosted in Amazon Web Services (AWS) and leverages Identity and Access Management (IAM) controls to provide granular, auditable, least-privilege access to the engineers that build and run the Textio service.
Within the AWS environment, Textio implements the following controls:
- Access to AWS requires a strong password and multifactor authentication
- Users and runtime services have unique accounts and access keys (no shared access)
- Textio leverages both IAM groups and roles to control access to resources within AWS
- Inbound SSH access to infrastructure is restricted to users authenticated with the Textio VPN
- Textio manages AWS users and permissions with the CloudFormation configuration management tool so that changes are auditable and require approval
Access reviews are performed by the information security team on a monthly basis for critical services, and quarterly for all others. Any identified issues are remediated immediately and used to uncover root-cause access issues.
Intrusion detection and prevention
Textio protects itself by using Amazon GuardDuty for network intrusion detection (IDS). GuardDuty is a continuous security monitoring service that analyzes and processes logs from VPC network flow, AWS CloudTrail events, and DNS. It uses threat intelligence feeds, such as lists of malicious IPs and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within Textio's AWS environment. This can include issues like escalations of privileges, uses of exposed credentials, or communication with malicious IPs, URLs, or domains. For example, GuardDuty can detect compromised EC2 instances serving malware or mining bitcoin. It also monitors AWS account access behavior for signs of compromise, such as unauthorized infrastructure deployments, like instances deployed in a region that has never been used, or unusual API calls, like a password policy change to reduce password strength.
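GuardDuty findings arrive as JSON whose `Type` field follows the documented pattern `ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact` and whose `Severity` is a number that GuardDuty documents in bands (Low 1.0 to 3.9, Medium 4.0 to 6.9, High 7.0 and above). The block below is an added example of the first triage step a team would put behind such an IDS, written here and not Textio's tooling: it parses the type, labels the severity and routes each finding. The finding types are documented GuardDuty types; the instance IDs, user names and the routing table are constructed assumptions.

```python
import json

# Constructed findings in the shape of GuardDuty's finding JSON. The Type strings are
# documented GuardDuty finding types; the instance IDs and user names are made up.
SAMPLE_FINDINGS = json.loads("""[
  {"Type": "CryptoCurrency:EC2/BitcoinTool.B", "Severity": 8.0,
   "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0example1"}}},
  {"Type": "Stealth:IAMUser/PasswordPolicyChange", "Severity": 5.0,
   "Resource": {"ResourceType": "AccessKey", "AccessKeyDetails": {"UserName": "example-admin"}}},
  {"Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": 2.0,
   "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0example2"}}},
  {"Type": "Recon:IAMUser/MaliciousIPCaller", "Severity": 5.0,
   "Resource": {"ResourceType": "AccessKey", "AccessKeyDetails": {"UserName": "example-ci"}}}
]""")

# Assumed routing for this example, not Textio's procedure.
ROUTE = {"High": "page on-call", "Medium": "open ticket", "Low": "log only"}


def parse_type(finding_type):
    """Split a finding type of the form
    ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact.
    The mechanism and artifact parts are optional."""
    purpose, rest = finding_type.split(":", 1)
    resource, rest = rest.split("/", 1)
    family_mech = rest.split("!", 1)[0]          # drop any trailing "!Artifact"
    family, _, mechanism = family_mech.partition(".")
    return {"purpose": purpose, "resource": resource,
            "family": family, "mechanism": mechanism}


def severity_label(severity):
    """GuardDuty's documented bands; values of 9.0 and above are folded into High here."""
    if severity >= 7.0:
        return "High"
    if severity >= 4.0:
        return "Medium"
    return "Low"


def affected_target(finding):
    """The identifier an analyst needs first: the instance or the IAM principal involved."""
    res = finding["Resource"]
    if res["ResourceType"] == "Instance":
        return res["InstanceDetails"]["InstanceId"]
    if res["ResourceType"] == "AccessKey":
        return res["AccessKeyDetails"]["UserName"]
    return "unknown"


def triage(findings):
    """Return (label, route, type, target) rows, most severe first; ties keep input order."""
    rows = []
    for f in sorted(findings, key=lambda f: f["Severity"], reverse=True):
        label = severity_label(f["Severity"])
        rows.append((label, ROUTE[label], f["Type"], affected_target(f)))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(" | ".join(str(x) for x in row))
```

Parsing the type rather than matching whole strings lets later rules key on the purpose (for example, treat every `CryptoCurrency` finding as an isolation trigger regardless of family) without maintaining a list of every finding type GuardDuty adds.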
Vulnerability detection and management
Textio utilizes the following means to detect potential vulnerabilities and malware in its production systems:
- All EC2 hosts are running AWS Inspector to scan for vulnerable software packages
- Textio uses AWS GuardDuty to alert on malicious application behavior, which allows detection of malicious packages even before they show up on known vulnerability lists
- Textio performs monthly automated web application vulnerability scans of public-facing endpoints
- Textio automatically monitors for newly published CVEs that affect consumed software packages
All identified vulnerabilities are categorized based on severity and entered into the engineering team’s work queue. Any high impact vulnerabilities or CVEs are treated as hotfix-level issues and remediation efforts begin immediately. Other vulnerabilities are addressed relative to their severity and impact.
For vulnerabilities impacting the underlying AWS infrastructure, Textio can rapidly push changes via direct updates (e.g. patch the affected server) or with autoscaling groups (e.g. rotate fleet to new AMI containing fix).
For vulnerabilities affecting software, Textio maintains continuous integration and deployment capabilities which enables it to rapidly patch all runtime services.
Penetration testing
Textio performs annual external network and application penetration tests using a reputable third-party vendor. These are manual tests that focus on identifying application vulnerabilities related to OWASP top 10 and network vulnerabilities for internet-accessible hosts.
Textio’s most recent penetration test report is available under MNDA by request to prospective and current customers.
As it has established a thorough vulnerability and penetration testing program, Textio does not allow security testing by customers.
Logs
Textio aggregates logs across all applications, systems, and services in SumoLogic and stores backups in Amazon S3. Logs are used by Textio to correlate messages across systems, debug issues, address customer support requests, detect patterns of abuse, and ensure the integrity of Textio accounts.
Logs include actions taken by users such as logon, logoff, and data changes. Logs also include all actions taken within AWS, such as creating hosts, editing security groups, and escalating privileges.
Logs use standard protocols where available and include a timestamp, action taken or event that happened, IP address, anonymous user ID, and customer identifier. Where possible, logs include a correlation ID that enables analysis across servers and services.
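The fields listed above (timestamp, action, IP address, anonymous user ID, customer identifier, correlation ID) are what make the two uses named earlier possible: following one request across services, and spotting patterns of abuse. The block below is an added example of both over a handful of JSON log lines constructed for the purpose; it is not Textio's logging code, and the field names, services and the bulk-delete threshold are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed log lines (not real Textio logs). Field names are assumed:
# ts, service, action, ip, user (anonymous ID), customer, cid (correlation ID).
LOG_LINES = [
    '{"ts":"2024-03-01T10:00:00Z","service":"web","action":"login","ip":"198.51.100.7","user":"u-9f1","customer":"c-42","cid":"r-001"}',
    '{"ts":"2024-03-01T10:00:01Z","service":"api","action":"session.create","ip":"10.0.1.5","user":"u-9f1","customer":"c-42","cid":"r-001"}',
    '{"ts":"2024-03-01T10:05:00Z","service":"api","action":"document.delete","ip":"10.0.1.5","user":"u-9f1","customer":"c-42","cid":"r-002"}',
    '{"ts":"2024-03-01T10:05:02Z","service":"api","action":"document.delete","ip":"10.0.1.5","user":"u-9f1","customer":"c-42","cid":"r-003"}',
    '{"ts":"2024-03-01T10:05:04Z","service":"api","action":"document.delete","ip":"10.0.1.5","user":"u-9f1","customer":"c-42","cid":"r-004"}',
    '{"ts":"2024-03-01T10:06:00Z","service":"web","action":"login","ip":"203.0.113.9","user":"u-7c2","customer":"c-43","cid":"r-005"}',
    '{"ts":"2024-03-01T10:30:00Z","service":"api","action":"document.delete","ip":"10.0.1.5","user":"u-7c2","customer":"c-43","cid":"r-006"}',
]


def parse(lines):
    """Parse JSON lines into events with a datetime timestamp, oldest first."""
    events = []
    for line in lines:
        event = json.loads(line)
        # strptime rather than fromisoformat: the trailing "Z" is only accepted by
        # fromisoformat from Python 3.11 on.
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def trace(events, cid):
    """Everything any service logged for one correlation ID, in time order."""
    return [f'{e["service"]}:{e["action"]}' for e in events if e["cid"] == cid]


def bulk_delete_alerts(events, threshold=3, window_seconds=60):
    """Flag (user, customer, count) where one user deleted at least `threshold`
    documents within any `window_seconds` span. Only the API service's events are
    counted so a request logged by both tiers is not counted twice."""
    deletes = defaultdict(list)
    for e in events:  # already sorted by parse()
        if e["service"] == "api" and e["action"] == "document.delete":
            deletes[(e["user"], e["customer"])].append(e["ts"])

    alerts = []
    for (user, customer), times in deletes.items():
        best = 0
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_seconds)
            best = max(best, in_window)
        if best >= threshold:
            alerts.append((user, customer, best))
    return alerts


if __name__ == "__main__":
    evs = parse(LOG_LINES)
    print(trace(evs, "r-001"))
    print(bulk_delete_alerts(evs))
```

The anonymous user ID keeps the abuse detector useful without the log platform ever holding a name or email; mapping `u-9f1` back to a person happens only in the PII-isolated system, by someone with a business reason to do so, which is the same principle the secure development section states.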
Logs are access-restricted, encrypted at rest, immutable, and retained for at least 12 months.
Logs are viewable only by the Textio operations team and for business purposes only. Textio logs are not available to customers as they potentially contain sensitive data from multiple customers. Textio will assist customers as needed to investigate any suspected security or privacy incident.
Information security program
Security policies
As part of its information security program, Textio maintains an internal wiki of policies and procedures that align with the ISO/IEC 27001:2022 standard. Key documents include:
- Information Security Policy: includes policies for laptop and mobile device security, passwords, human resources security, asset management, acceptable use, access control, physical security, vulnerability management
- Privacy and Personal Data Protection Policy
- Customer Data Handling Policy
- Secure Systems Development Policy
- Privacy Policy (https://textio.com/privacy/)
- Information Classification, Labeling, and Handling
- Vendor Relationships Policy
- Vendor Review Procedure
- Incident Response Procedure
- Business Continuity Plan
These policies and procedures are updated on an ongoing basis and reviewed annually for gaps. Summaries of specific policies and procedures are available to customers upon request.
Security organization
Textio has a VP who leads the information security organization and is responsible for ensuring the security and privacy of all Textio and customer data. They create and manage Textio’s infosec program, lead the risk management process, develop policies and procedures, and work across the organization to ensure compliance.
Risk management
Textio identifies risks by reviewing the information assets and services of the company with their assigned stakeholders and identifying scenarios in which negative consequences are experienced. Risks are assessed based on sensitivity of the resource, likelihood, and severity of the threat. Textio responds to risks by identifying controls and scopes of work needed to remediate them.
Textio's risk management process follows these steps:
- Identify the list of Textio’s information assets and services that Textio wants to protect and identify their owners
- Collaborate with the owners to identify the various scenarios in which negative consequences are experienced for these assets
- Quantitatively assess the risk’s likelihood and impact and derive an overall risk score
- Prioritize these risks and agree on Textio's treatment of each
- Plan and execute the work needed for this treatment
Vendor management
Textio has established a Vendor Management Program that ensures all vendors that process customer data are adhering to appropriate standards of security and privacy. As part of the vendor review procedure, Textio reviews a vendor's available security reports (such as ISO 27001 or SOC 2 Type 2) or equivalent security documentation to ensure they have the requisite controls in place. Textio also ensures appropriate legal protection is in place, including information confidentiality and personal data processing agreements.
Incident response procedure
Textio maintains an incident response plan for all availability and security incidents. This plan includes: roles and responsibilities of the response team; protocols for communication, engagement, and resolution; notification of customers; and mandatory incident retrospectives with action items. Textio maintains runbooks for recovering from known incidents.
Textio ensures its incident response plan is tested at least annually. If there hasn't been an actual incident then Textio uses a table-top exercise to achieve this goal.
If Textio experiences a data breach it will perform an investigation into the root causes and impact of the breach and pursue appropriate mitigations. Once the investigation and initial response have concluded, Textio will notify customers affected by the breach within 24 hours.
Textio’s Recovery Point Objective (RPO) and Recovery Time Objective (RTO) are both 24 hours.
Business continuity and disaster recovery
Textio maintains a Business Continuity Plan that describes how it will continue to conduct business in spite of incidents that significantly disrupt IT systems. This plan includes: criteria for activating the BCP; internal and external communication protocols; response team contact information. The BCP also describes continuity steps for specific scenarios: office network outage, physical office space unavailable, critical services unavailable, and production service outage.
It is worth noting that Textio relies on online services for conducting all critical company business; no critical business applications are hosted inside of our main office. This provides business continuity in case our office is inaccessible for prolonged periods of time.
The BCP is tested at least once per year through a combination of live events and table-top exercises.
Corporate security
Laptop and mobile device security
Textio’s standard issue employee computing device is a MacBook running the latest version of macOS. All laptops are managed by Mobile Device Management (MDM) software, use full disk encryption, and have endpoint protection installed for anti-malware and anti-virus. Various endpoint security policies are enforced via the MDM, including full disk encryption, screen locking, strong passwords, software updates, and prohibition of external physical media.
Textio securely wipes a laptop once it is no longer needed by that employee. Once a laptop is no longer useful to Textio it is destroyed by a reputable third party that follows established standards for media sanitization and destruction.
Employee-owned mobile devices are not allowed to connect to the same Wi-Fi network as Textio-owned laptops. In addition, mobile devices are required to be secured by a PIN code or password. Mobile devices are never used to access customer data or the production environment.
Office security
Access to Textio’s restricted office spaces is controlled by badges and monitored by security cameras. Visitors sign in at the front desk and must be escorted by authorized personnel at all times when accessing restricted office areas.
Remote work policy
Textio allows its employees to work remotely to perform their job duties. Because Textio is a “cloud-native” company, employee laptops are protected by the same services whether they are working in the office or in a remote location. This includes mobile device management and endpoint protection software. In addition, employees working remotely must connect to the Textio VPN prior to accessing internal services or other sensitive resources in the production environment.
Background checks
All employees must pass professional reference checks and a criminal background check as a condition of employment.
Confidentiality agreement
All employees sign agreements before they start working at Textio that outline their responsibility for protecting company data and state that they have read and accepted Textio's information security policies. The agreements state that failure to comply would result in disciplinary action up to and including termination.
Security training
All Textio employees receive training during new hire orientation around the most critical information security topics: treatment of customer data, laptop security, password complexity and storage requirements, handling of suspicious emails, personal device usage, separation of business and personal accounts. This training is periodically reinforced and augmented through employee all-hands presentations and newsletters.
In addition, specific groups within Textio working with sensitive data receive in-depth training on relevant topics. For example, employees with Customer Data access receive specific training on its handling procedures. Similarly, engineering team members are trained on secure development practices as part of Textio engineer onboarding and reinforced regularly through code review, security workshops, and continuing education.