
What are your security practices?

How TopLeft protects your data and systems

Here are some details about TopLeft's security practices:

SOC 2 Type II

We have completed our SOC 2 Type II certification.

SSO and MFA

We support Single-Sign On authentication with Microsoft Entra ID (previously Azure Active Directory).

We support Two-Factor Authentication for users.

Client access to application

  • Time-based one-time passwords are supported and you can require users to use them. See Manage 2FA for Users.
  • Passwords are hashed using PBKDF2
  • TopLeft user accounts are provisioned automatically based on user accounts in the PSA, and are disabled when the PSA user account is disabled

PSA API permissions

  • We provide instructions for setting up our API access with minimum permissions required to operate the application

Network encryption

All data is encrypted in transit using TLS except where noted:

  • Between application server and your PSA API
  • Between web server and your users' browsers
  • Between application servers and database server
  • Between administrative hosts and cluster servers using TLS or SSH
  • Between Kubernetes control plane processes using TLS and other protocols

Additionally, each region uses the cloud provider's internal, non-public networking.

Data isolation

  • The application is single-tenant; each customer gets individual server applications and database.

Got other questions about our security practices?

We usually do not fill out security questionnaires, as those details can be found in our SOC2 report. We are happy to schedule a call to discuss security; just reach out to our sales or support team.