Service Organization Controls (SOC 2) Type II
Trust Services Principles
Talla allows Microsoft Teams and Slack users to be authenticated via their chat platforms. Both platforms support 2FA. Talla encourages organizations using this form of authentication to enable 2FA.
Talla allows users to authenticate using their own systems, without requiring additional login credentials. Talla supports both OAuth and SAML.
Talla provides the ability to segment users into groups and to restrict access to data based on the groups a user is a member of. Users are also assigned roles within a group which further restrict the activities a user is allowed to perform. This Talla help document provides additional information on best practices when deploying Groups, Permissions, and Roles.
Talla uses AES-256 to encrypt data at rest and AWS for key management.
Talla maintains daily backups and versioning of users' data on an internal system. Therefore, the worst-case Recovery Point Objective (RPO) is 24 hours.
All Talla servers reside within our own virtual private cloud (VPC), with access control lists (ACLs) that prevent unauthorized requests to the Talla internal network.
The Talla Service is hosted in Amazon Web Services (AWS) facilities in the US. AWS provides robust physical data center security and environmental controls. For more information about the AWS controls, see:
All employees complete Security and Awareness training annually.
Talla developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.
Talla performs background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for US employees.
All employee contracts include a confidentiality agreement.
Talla uses Stripe for all payment processing and does not maintain any customer payment information in the service.
All Talla employees and contractors are required to attend security training as part of the onboarding process and refresher training at a minimum of once per year.
All developers are required to take additional training for application-specific security requirements. This is also done via onboarding and at a minimum of annually thereafter.
If you think you may have found a security vulnerability, please get in touch with our security team at email@example.com