
What are your security practices?

How TopLeft protects your data and systems

Here are some details about TopLeft's security practices:

SOC2 Type 2

We are actively working on our SOC2 certification and are in the evidence-collection phase. Contact our support team for an update.

SSO and MFA

We support Single Sign-On (SSO) authentication with Microsoft Entra ID (previously Azure Active Directory).

We support Two-Factor Authentication for users.

Client access to application

  • Time-based one-time passwords are supported and you can require users to use them. See Manage 2FA for Users.
  • Passwords are hashed using PBKDF2
  • TopLeft user accounts are provisioned automatically based on user accounts in the PSA, and are disabled when the PSA user account is disabled
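The three controls in the list above (PBKDF2 password hashing, optional required TOTP, and rejection of disabled accounts) look roughly like the following when put together. This is an added illustration written for this page, not TopLeft's code; the user record shape, the hash string format, the 600,000-iteration count (the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256) and the clock-skew window of one step are assumptions made for the example. The TOTP test secret is the one from RFC 6238.

```python
"""Added example, not TopLeft's implementation: PBKDF2 password storage,
RFC 6238 TOTP verification, and a login check that applies both plus the
"disabled account" rule. Standard library only."""
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Assumed parameters. The iteration count is stored alongside the hash so it
# can be raised later without invalidating existing records.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
TOTP_STEP = 30


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>' with a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_b64, hash_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(dk, expected)


def totp(secret_b32: str, at: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) for the time step containing `at`."""
    secret = secret_b32.upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` adjacent steps to tolerate clock skew."""
    for delta in range(-window, window + 1):
        candidate = totp(secret_b32, at + delta * TOTP_STEP)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def login(user: dict, password: str, code: Optional[str], now: Optional[int] = None) -> bool:
    """Assumed user record: {'password_hash': str, 'totp_secret': str or None, 'disabled': bool}.
    Disabled users are rejected outright (mirrors the PSA-driven deprovisioning above),
    the password must verify, and if a TOTP secret is enrolled a valid code is mandatory."""
    if user.get("disabled"):
        return False
    if not verify_password(password, user["password_hash"]):
        return False
    if user.get("totp_secret"):
        if code is None:
            return False
        return verify_totp(user["totp_secret"], code, now if now is not None else int(time.time()))
    return True


if __name__ == "__main__":
    # Constructed sample record; secret is the RFC 6238 test key "12345678901234567890" in base32.
    record = {
        "password_hash": hash_password("correct horse battery staple"),
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
        "disabled": False,
    }
    print(login(record, "correct horse battery staple", totp(record["totp_secret"], int(time.time()))))
```

Two points worth noting: both comparisons go through `hmac.compare_digest` so timing does not leak how many bytes or digits matched, and the skew window is deliberately small (one 30-second step either side), since each extra step accepted multiplies an attacker's guessing odds.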

PSA API permissions

  • We provide instructions for setting up our API access with minimum permissions required to operate the application

Network encryption

All data is encrypted in transit. TLS is used on each of the following links, except where another protocol is noted:

  • Between application server and your PSA API
  • Between web server and your users' browsers
  • Between application servers and database server
  • Between administrative hosts and cluster servers using TLS or SSH
  • Between Kubernetes control plane processes using TLS and other protocols

Additionally, each region uses the cloud provider's private, non-public network for traffic between these components rather than the public internet.

Data isolation

  • The application is single-tenant: each customer gets its own application servers and its own database.