Home
-
Getting started with TeamOneTeamOne board toolsCollaborating with TeamOneManaging teams and projects in TeamOneTeamone Security
Security - FAQ
Authentication and Authorization
How does the software handle user authentication?
We follow OpenID Connect standard, which is commonly used in the industry.
DeleteWhat types of user roles and permissions are supported?
TeamOne defines users roles and permissions at the team, board, and project level, as outlined in this article.
DeleteIs multifactor authentication available?
Yes, multi-factor authentication (MFA) is available by enabling 2FA. Google Authenticator can be used as the secure authentication mechanism. See how to enable the 2FA from your myViewBoard account.
DeleteData Encryption
How is sensitive data encrypted during transmission and storage?
All data is encrypted during transmission using HTTPS, and sensitive data is encrypted in storage through AWS RDS encryption.
DeleteWhat encryption algorithms and protocols are used?
We use HTTPS with TLS 1.3 for data transmission encryption, and RDS AES256 encryption for data storage.
DeleteAre there any encryption key management practices in place?
Yes, encryption key management is handled using the AWS Key Management Service (KMS).
DeleteVulnerability Management
How does the software handle security patches and updates?
TeamOne employs DevSecOps for security updates, integrating DAST (Dynamic Application Security Test), automated testing and continuous deployment to ensure robust and up-to-date security measures.
DeleteIs there a process for addressing vulnerabilities discovered during the beta phase?
Through DevSecOps integration, vulnerabilities detected in beta are addressed with SAST (Static application security testing)/Peer review during the development phase and DAST and Red team test in the deployment phase, emphasizing proactive security across all phases for effective risk mitigation.
DeleteHow frequently are security scans and assessments performed?
Code scan security runs on every build, while security scans and assessments are conducted semi-annually.
DeleteAccess Control
What mechanisms are in place to control access to sensitive features or data?
TeamOne prioritize strict access control using Role-Based Access Control (RBAC) to precisely manage permissions, coupled with a Web Application Firewall (WAF) to reinforce protection against unauthorized access, ensuring robust security for your sensitive information.
DeleteIs there support for role-based access control (RBAC)?
TeamOne incorporates role-based access control at the team, board, and project level, as outlined in this article.
DeleteCan access be restricted based on IP address or geographical location?
While access can be restricted based on IP address or geographical location, this feature is not currently implemented. Technically, it's feasible to do so depending on the requirements. For instance, in a team profile, an admin could enter specific IP addresses or regions to restrict access. However, one risk to consider is the potential for an admin to mistakenly enter an incorrect IP address, which could lead to issues if it cannot be corrected.
DeleteWhat happens to teammates who left the organization (inactive accounts), what happens to their boards?
The team admin has the authority to assign another admin to manage the team. Other users within the same team can still access the boards, allowing continued access for teammates.
DeleteAudit Logging
Does the software provide comprehensive audit logs?
Comprehensive audit logs for customer-facing purposes are not currently designed. However, all transaction logs can be tracked within a 7-day period.
DeleteWhat actions are logged, and can the logs be securely stored and analyzed?
All actions are logged, and the logs are encrypted with AES256 using a secured encryption key.
DeleteSecure Communication
How are communications between clients and servers secured?
TeamOne secure client-server communications through HTTPS for encryption, Web Application Firewalls (WAF) for threat defense, strict access controls, and data encryption during both transfer and storage, ensuring robust protection for your information.
DeleteIs Transport Layer Security (TLS) used for encryption?
Yes, TeamOne uses TLS 1.3 for Transport Layer Security (TLS) encryption.
DeleteAre there any protocols in place to prevent man-in-the-middle attacks?
To prevent man-in-the-middle attacks, TeamOne utilizes the HTTPS protocol, ensuring secure and encrypted communications. This is complemented by Web Application Firewalls (WAF) for threat defense and stringent access controls to protect data in transit and storage.
DeleteData Policy, Data Privacy and Compliance
Does the software comply with relevant data privacy regulations (e.g., GDPR, HIPAA)?
TeamOne complies with GDPR regulations, as outlined in our privacy policy available at https://TeamOne.viewsonic.com/legal/privacy-policy.
DeleteHow is personal data handled and protected?
TeamOne does not directly collect personal data. Instead, it utilizes the ViewSonic Account as its identity provider to ensure enhanced security for your personal information. As an application, TeamOne does not store or have direct access to your personal data. All personal information remains within the ViewSonic Account system, and TeamOne accesses it only through a time-limited token to manage access control.
DeleteAre there mechanisms for users to control their data privacy settings?
TeamOne will provide settings menus where users can adjust their privacy data, including viewing their information and editing privacy settings. These settings will be accessible through the account settings or privacy dashboard.
DeleteWhat happens if beta users did not subscribe and where/how do ViewSonic store their data?
Those beta users will be downgraded to the individual free plan, and their boards will still be accessible. TeamOne utilizes AWS as our supporting vendor, ensuring industrial-grade standards for transactions and data. Users' board data will reside in the same region as chosen in the ViewSonic Account.
DeleteDoes TeamOne have any security certifications?
While TeamOne does not currently have any security certifications, ViewSonic maintains ISO 27001 certification in good standing. Additionally, our hosting vendor AWS adheres to most industry security standards.
DeleteCan I request to delete my account and data in TeamOne?
Yes, if you need to fully delete your data, please submit a support ticket and our specialist will assist you.
DeleteWho can access my data in TeamOne?
Through the implementation of DevSecOps practices, TeamOne prohibits any developer from operationally 'touching' the production database. Additionally, as per predefined roles, no one should directly access any production data in ViewSonic.
DeleteIncident Response
What is the process for responding to security incidents or breaches?
Incident handling for TeamOne follows the guidelines outlined in the myViewBoard Security Whitepaper.
DeleteIs there a designated security team responsible for incident response?
The TeamOne Security Team will document all recovery steps taken during incidents and present them as case studies for guidance and prevention. Detailed tasks and logs collected during the incident-handling process will be listed in the TeamOne internal directory, shared exclusively with the internal software development team. All reported issues will also be listed in our internal directory and shared with the team without any customer identifiable information.
DeleteAre customers promptly notified in the event of a security incident?
Customers are promptly notified based on the severity, type, and impact of the security incident. If necessary, notifications are sent via email to ensure timely communication.
DeleteThird-party Integrations and Dependencies
Are there any third-party libraries or components used in the software?
Yes, TeamOne utilizes third-party libraries, which undergo rigorous analysis by our SAST tool equipped with intelligent Software Composition Analysis (SCA) to ensure their security before integration.
DeleteHow are dependencies managed, and are they regularly updated for security patches?
TeamOne utilizes DevSecOps to manage dependencies and regularly updates them for security. We conduct Dynamic Application Security Testing (DAST) and red team testing during deployment for thorough security verification, ensuring continuous protection.
DeleteSecurity Alert System
Does the software have a security alert system in place? This system should promptly notify you of any abnormal activities detected on your computer systems (such as unauthorized changes or unknown sign-ins).
TeamOne utilizes a Web Application Firewall (WAF) alongside role-based access control to promptly detect and respond to abnormal activities such as unauthorized changes or unknown sign-ins, ensuring the security of our systems.
Delete