Todyl System Description

Todyl leverages multiple security tools to scan our internal systems and services. We also engage with third-party professional security vendors to perform independent penetration tests and audits on an annual basis. Internal networks and systems are scanned weekly. Todyl’s production environment is hosted in multiple datacenters and availability zones to provide redundancy.

Access to Customer Data

A small subset of Todyl’s employees have access to customer data to support the platform. Individual access is granted based on the role and job responsibilities. Access is reviewed periodically and monitored.

Secure Data Handling and Destruction

Todyl is hosted on cloud system providers including AWS, GCP and Azure, as well as in different datacenters across the globe. The cloud and data center providers are responsible for security of the infrastructure whereas Todyl is responsible for securing the workload that’s deployed on this infrastructure. Cloud and datacenter providers monitor and audit computing environments continuously, with certifications from accreditation bodies across geographies and verticals, including ISO 27001, SOC2, FedRAMP, DoD CSM, and PCI DSS. Any device storing any data is subjected to data-at-rest encryption. Thus, a decommissioned device cannot be misused.

Customer Responsibilities

Todyl’s portal facilitates customer management through role-based access control. The portal is a multi-tenant, cloud-based service, accessible on the internet via web browsers such as Chrome, Firefox, etc. As a user of Todyl, customers should be proactive in recognizing the value and sensitivity of the information provided by the platform as well as the need to safeguard such data appropriately. This document details customer responsibilities as they relate to Todyl. It is the responsibility of customers to familiarize themselves with the information and procedures set forth below and comply with them.

Safeguarding of Assets and Information

To safeguard the information assets and policy enforcement capabilities available in Todyl, the customers’ IT governance processes should include end-user training regarding appropriate use and awareness of the need for securing access to their Todyl account credentials. As with most cloud services, access to Todyl requires a login ID and password. In addition, customers can require MFA for their users as an additional security measure. When an organization subscribes to Todyl, it is the customer’s responsibility to manage which end users should be given access. Customers should also define when access should be taken away from the end users. For example, access should be revoked upon an end user’s separation from employment or as part of departmental changes that result in a change of duties or responsibilities. Only valid account credentials should be used by authorized users to access Todyl.

Todyl should be considered sensitive and confidential. Users should follow information security best practices in ensuring access to their account credentials is appropriately limited, as well as ensuring that the information and functionality provided by Todyl is protected and restricted from unauthorized use. Todyl users are responsible for maintaining the security and confidentiality of their user credentials (e.g., Login ID and Password), and are responsible for all activities and uses performed under their account credentials whether authorized by them or not. By establishing user credentials and accessing Todyl, end users agree to comply with these requirements to safeguard assets and account information.

Service Termination

Service may be discontinued in accordance with the terms of the contract by reaching out to [email protected]. Customers are required to delete all the resources configured through the portal before service can be terminated.

Password Management

Todyl’s portal is accessible to public IP addresses on the global Internet; as a result, great care must be exercised by users in protecting their subscription against unauthorized access and use of their credentials. By establishing user credentials and accessing Todyl, end users agree to proactively protect the security and confidentiality of their user credentials and never share service account credentials, disclose any passwords or user identifications to any unauthorized persons, or permit any unauthorized person to use or access their Todyl platform accounts. Any loss of control of passwords or user identifications could result in the loss of “Personally Identifiable Data (PII)” and the culpable account owner(s) may be liable for the actions taken under their service account credentials whether they authorized the activity or not. Additionally, when establishing Todyl platform account credentials, end users are required to establish strong passwords following password strength and complexity best practices; passwords should not be easily guessable.

Reporting Operational Issues

All Todyl services are monitored 24x7 to meet SLOs. All planned maintenance will be done as per the scheduled plan, which will be communicated to the customers through our public-facing status page https://status.todyl.com. If the need for emergency maintenance arises, we will notify customers through the status page prior to the work being performed. In the event customers observe performance issues, problems or service outages, they can contact [email protected] or open a support ticket to report such issues.

Incident and Breaches

By establishing account credentials or accessing the service, customers agree to notify Todyl immediately of any security incident, including any suspected or confirmed breach of security. Also, users of the service agree to log out or exit the service immediately at the end of each session to provide further protection against unauthorized use and intrusion. Todyl customers should also notify Todyl immediately if they observe any activity or communications in other forums that may indicate that other Todyl customers have had their accounts compromised. Lastly, Todyl encourages users to practice responsible disclosure by notifying Todyl of any identified security vulnerabilities. Todyl is dedicated to providing secure services to clients and will triage all security vulnerabilities reported. Furthermore, Todyl will prioritize and fix security vulnerabilities in accordance with the risk that they pose.

We may use third-party advertising companies to serve ads when you visit the Site or after you leave. We may share information with such companies in accordance with the terms and conditions set forth in this Privacy Policy. Please note that these companies may use information about your visit to the Site to provide advertisements about goods and services that may interest you. In the course of serving advertisements to the Site, these companies may place or recognize a unique cookie on your device. If you would like more information about this practice, and to know your choices about not having this information used by these companies, please visit http://networkadvertising.org/optout_nonppii.asp.

Compliance Issues

Regulatory requirements and industry mandates are continuously increasing in scope & depth and can vary from industry to industry. Todyl users agree to abide by the regulatory requirements, industry mandates, and other compliance requirements imposed on their organizations and understand that use of cloud-based services does not exclude the organizations from responsibilities for restricting access to application information and functionality.

Responsible Disclosure Policy

Todyl is dedicated to keeping its cloud platform protected against all types of security issues, thereby providing a safe and secure environment to customers. Data security is a matter of utmost importance and a top priority for us. If you are a dedicated security researcher or vulnerability hunter and have discovered a security flaw in Todyl, including the cloud application and infrastructure, we appreciate your support in disclosing the issue to us in a responsible manner. Our responsible disclosure process is managed by the security team at Todyl. We are always ready to recognize the efforts of security researchers by rewarding them with a token of appreciation, provided the reported security issue is of high severity and not known to us. While reporting the security vulnerability through [email protected], please refrain from disclosing the vulnerability details to the public outside of this process without explicit permission. Please use “Responsible Disclosure -Concern” in the subject and provide the complete details. We determine the impact of a vulnerability by looking into the ease of exploitation and business risks associated with the vulnerability.

Response

As a security researcher, if you identify or discover a security vulnerability in compliance with the responsible disclosure guidelines, Todyl security commits to:

Please send the details of the discovered vulnerability or any security issue to [email protected]

Data Retention

We may retain your personal information as long as you continue to use Todyl, have an account with us, or for as long as is necessary to fulfil the purposes outlined in the policy. You can ask to close your account by contacting us at the details above, and we will delete your personal information upon request. We may, however, retain personal information for an additional period as is permitted or required under applicable laws, for legal, tax, or regulatory reasons, or for legitimate and lawful business purposes.

Responsible Disclosure Policy

The Policy in effect at the time you use the Site governs how we may use your information. Our business may change from time to time. As a result, at times it may be necessary for Todyl to make changes to this Privacy Policy. Todyl reserves the right to update or modify this Privacy Policy at any time and from time to time without. If we make material changes, we will post the updated policy on www.todyl.com/privacy with an updated Effective Date. Please check back here from time to time to review this policy, and especially before you provide Your Data to Todyl through the site or by registering to the service. Your continued use or access to the Site and the Services after any changes or revisions to this Privacy Policy shall indicate your agreement with the terms of such revised Privacy Policy.

Contacting Todyl

For privacy-related inquiries, please contact us at [email protected]