Teamup Operations & Security
Last updated: June 30, 2022
This document summarizes the security measures we have implemented to protect our users’ data. We are aware that many users of Teamup store important and sensitive information in Teamup. The protection of our users’ data is a very high priority for us.
Many organizations have a requirement to review the security of their IT service providers initially and periodically. These reviews are often done using large questionnaires that we are asked to fill in. For us, this is very time-consuming and not scalable. This document answers all the security questions that we are typically asked.
If you find that some of your security questions are not answered here, please contact us at email@example.com.
2. About Teamup
Teamup was founded in 2014 and is incorporated and headquartered in Switzerland. We are currently a team of 12, living and working in six different countries around the world.
We currently serve around 4 million monthly unique users. Our customer base is very diverse, including small to large enterprises, schools, universities, non-profit organizations, government branches, associations, families, and private users.
2.1 Business Model
Teamup’s business is based on a freemium model. We offer a free Basic subscription plan and paid Plus, Premium, and Enterprise subscription plans.
The free Basic plan is aimed at private users, small organizations, and new users who want to get to know Teamup. It is fully functional and unlimited in time but limited in the available resources. For example, the number of sub-calendars is limited to 8. For an overview of features and limits by subscription plan see the pricing plan.
The paid Plus, Premium, and Enterprise subscription plans offer advanced features and higher resource limits.
Teamup’s income is generated exclusively from subscription fees for the Plus, Premium, and Enterprise plans. In particular:
- We don’t use any form of advertising
- We don’t sell or trade any user data
- We don’t promote paid or unpaid content from any third-parties
3. Certifications and Assessments
3.1 ISO/IEC 27001 and SOC
Teamup is in the process of implementing a formal Information Security Management System (ISMS) but is currently not certified by a third party. We are working towards the certification under the ISO/IEC 27001 standard on managing information security.
Our hosting provider, Amazon AWS, is certified under ISO/IEC 27001, 27017, and 27018. We receive and review their SOC1 and SOC2 reports every 6 months under NDA.
3.2 GDPR and Data Transfers from Europe to the US
Teamup is committed to maintaining compliance with the GDPR and we also aim to help our customers comply with the processes and policies outlined. Teamup also adheres to the Standard Contractual Clauses as a means to transfer data from the EEA and UK to the US. For more information please see our Data Processing Agreement.
4. Hosting Security
4.1 Data Centers and Location
Teamup’s production services are hosted on Amazon Web Services (“AWS”) EC2, RDS, and S3 platforms. As of this date, AWS
- has certifications for compliance with ISO/IEC 27001:2013, 27017:2015, and 27018:2014
- undergoes SOC 1, SOC 2, and SOC 3 audits (with semi-annual reports)
Additional details about AWS’ compliance programs can be found on AWS’ website.
All user content is redundantly stored within two regions of AWS.
- US West (Oregon)
- EU West (Ireland)
We do not offer customers the option of hosting Teamup on a private server or using Teamup on a separate infrastructure.
4.2 Production Environment
We maintain separate and distinct production, staging, and development environments for Teamup.
Access to Teamup’s production environment is restricted to authorized and trained members of the Teamup engineering team (“Authorized Personnel”).
Authentication is achieved by:
- Passphrase protected personal RSA certificates for ssh terminal connections
- Strong passwords and TOTP-based 2FA for HTTPS connections (NIST Authenticator Assurance Level 2)
All changes to production systems are logged.
By policy, non-public production data never leaves the production environment unless it is served to Teamup’s users.
For Authorized Personnel, any workstation must be running current and active anti-virus software.
4.3 Network Security
AWS Network ACL and Security Groups are used to restrict access to Teamup’s systems as appropriate to their role. Active monitoring of these security rules is in place with alerting mechanisms in place for any changes to the configuration. Public access is restricted to ports 443 and 80 on the network load balancers for public traffic.
4.4 Encryption In-Transit
Teamup uses industry-standard Transport Layer Security (TLS) to create a secure connection using 128-bit Advanced Encryption Standard (AES) encryption. This includes all data sent between the web, desktop, iOS, and Android apps and the Teamup servers. Access to Teamup is restricted to port 443. Port 80 is only available as a permanent redirection to port 443.
4.5 Encryption At-Rest
Data drives on servers holding user data use full disk, industry-standard AES encryption with a unique encryption key for each server.
File attachments to Teamup calendar events are stored in Amazon’s S3 service. Attachments are only accessible using a secure HTTPS connection. File attachments to Teamup calendar events uploaded after January 1, 2020, are encrypted using Amazon S3 server-side 256-bit AES encryption. The encryption, key management, and decryption process are inspected and verified internally by Amazon regularly as part of their existing audit process.
All backups are encrypted using an algorithm based on AES-256.
4.6 Encryption Keys
Encryption keys for all Amazon AWS services used by Teamup are managed by Amazon’s AWS Key Management Service. The encryption, key management, and decryption process are inspected and verified internally by Amazon regularly as part of their existing audit process.
4.7 Physical Security
Teamup’s production services are hosted on Amazon’s Web Services platform (AWS). The physical servers are located in AWS’ secure data centers. Read more.
We require that production data is never to be stored by those with privileged access to physical media outside of our data hosting provider’s production environments.
Teamup’s hosting infrastructure is designed with redundancy at several levels:
- Component redundancy: This ensures that a failure of a single component (disk, power supply, network interface) will not interrupt the service.
- Server redundancy: This ensures that a failure of a single server (web server, database server, load balancer) will not interrupt the service. Redundant servers are located in different buildings.
- Data center redundancy: All data is stored redundantly in two data centers located in different geographical regions (US and Europe).
5. Operation Security
5.1 Access Control
Teamup maintains a list of Authorized Personnel with access to the production environment. These members undergo background checks and are approved by Teamup’s management. Teamup also maintains a list of personnel who are permitted to access Teamup code, as well as the development and staging environments. These lists are reviewed periodically and upon role change.
Trained members of the Teamup customer support teams also have case-specific, limited access to user data stored in Teamup through restricted access to customer support tools. See section 5.6 User Support for more details.
Upon role change or leaving the company, the production credentials of Authorized Personnel are deactivated, and their sessions are forcibly logged out. Thereafter, all such accounts are removed or changed.
5.2 Third-Party Access
Teamup relies on a small number of third-party service providers, for example for hosting servers and delivering emails. All third-party service providers with access to user data have been carefully selected to ensure a very high standard of security and reliability. Data is shared with these service providers exclusively to provide the Teamup calendaring service. No other use is permitted. All third-party service providers with access to user data are compliant with GDPR.
Full list of third-party service providers with access to user data:
a) To provide the Teamup calendar service:
- Amazon Web Services – Server hosting (ISO 27001, ISO 27017, ISO 27018, SOC 2)
- Filestack – Document upload
- Google – Traffic analytics (ISO 27001, ISO 27017, ISO 27018, SOC 2)
- MailChimp – Newsletter mailing (SOC 2)
- Datadog – Log aggregation and analysis (ISO 27001, ISO 27017, ISO 27018, SOC 2)
- Stripe – Payment processing (SOC 2)
b) To respond to Customers’ support requests:
- Help Scout – Help desk solution
- Google – Help desk archive and backup (ISO 27001, ISO 27017, ISO 27018, SOC 2)
5.3 Vulnerability Detection and Bug Bounty Program
- The logs of all systems are centrally collected and automatically analyzed for errors, warnings, security-related issues, and unusual traffic patterns. System engineers are automatically notified of any detected anomalies.
- At periodic intervals, automated penetration tests are performed by an independent company specializing in IT security.
- Once a year, a manual review and penetration test is performed by an independent company specializing in IT security.
- All system changes are peer-reviewed.
- Published CVE and other vulnerability disclosures are actively monitored and appropriate actions are taken.
- Teamup runs an active bug bounty program and welcomes reports from independent security researchers. Details of the program are outlined at https://www.teamup.com/bug-bounty/. Reported issues are reviewed within a day and mitigated as appropriate.
5.4 Event Logging
User actions that manipulate user data are logged and are made available to users to view and undo.
All Teamup API calls and application logs are centrally collected and kept for our internal purposes for at least 15 days and are available only for authorized employees as required by their role for monitoring to ensure service availability and performance and to prevent abuse.
5.5 Development, Patch, and Configuration Management
The following measures have been implemented to ensure a secure and timely development process, patch deployment, and configuration management:
- All changes to the Teamup production system, be they code or system configuration changes, are peer-reviewed before deployment to the production environment.
- Thousands of automated unit tests are run against all production code after every change to the code base.
- A static code analysis is run after any change to the production code. It analyses the code for security-related issues, unsafe programming practices, inconsistencies, and many other categories of weaknesses.
- All changes to Teamup’s code are tested in a staging environment before deployment to production.
- Patches to the Teamup server and clients are deployed on a rolling basis, usually several times per week.
- Teamup production servers are managed via a centralized configuration system.
- All Teamup system changes are peer-reviewed and patches are deployed as relevant to their level of security and stability impact, with critical patches able to be deployed well within 24 hours of availability as appropriate.
- We maintain separate lists of relevant roles with access to source code, development, staging, and production environments. These lists are reviewed periodically and upon role change.
- We use source code management tools and repositories.
- All production servers are running an LTS (Long Term Support) distribution of their operating system to ensure timely updates are available.
- CVE lists and notifications are actively monitored and any systems can be patched in a timeline relevant to the severity of the issue.
- A centralized configuration system is used for the management of production servers. This enables us to rebuild servers in a very short amount of time and when needed a patch can be deployed within hours of its availability.
5.6 User Support
Teamup operates a helpdesk at firstname.lastname@example.org.
Trained members of the Teamup customer support team have access to a support tool that enables them to
- Search, view, and edit user profiles.
- Search, view, and edit user calendars.
- Search and view payment information, including subscription status, billing address, and the payment history of a calendar.
Access to the user, calendar, and payment data is protected by the following measures and policies:
- Calendar data is accessed only in the context of a support conversation if the user asked for it and provides access details to the calendar.
- Access to calendar data is logged together with the related support conversation. The log is reviewed periodically to ensure appropriate access.
- Access to the support tool is protected by two-factor authentication.
5.7 Asset Management
Assets used to develop and provide the Teamup application service are managed based on the following principles:
- Teamup will maintain an inventory of assets
- Assets will have identified owners
- Acceptable use of assets will be identified, documented, and implemented.
- Personal assets will be returned to Teamup if employment is terminated.
6. Application Security
6.1 Login Security
Passwords for user accounts must meet these conditions:
- Minimum of 8 characters
- At least one letter is required (numbers only are not allowed)
- Not the same as the account username
- Not on the list of the 10’000 most frequent passwords
- Two Factor Authentication can be enabled
- Failed login attempts are rate-limited to 5 per minute
- A user can change their password in their profile: https://teamup.com/user/profile/edit
- A user can request a password reset email to the primary email address associated with the account
- Changing the password will end all logins on all devices. This same happens when Two-Factor-Authentication is enabled or disabled.
Passwords for anonymous calendar links must meet these conditions:
- Minimum of 8 characters
- After 10 failed long attempts, login is blocked for 15 minutes
For security reasons, a login session is automatically ended after 20 minutes of inactivity. If the “Remember Me” feature is activated, the login session is automatically renewed. The user is not prompted to enter the password again for one year.
Sensitive operations require the user to be recently authenticated. If the user did not recently authenticate, they will be prompted to enter the password before proceeding. Sensitive operations are for example changes to the user profile, the password, or the two-factor authentication.
Password complexity and session length requirements cannot be customized within the app.
6.2 Access Control
Teamup’s focus is on supporting the activities of groups by providing them a tool to share calendar information and collaboratively maintain calendar information. Towards that goal, Teamup supports very flexible schemes to control access to the calendar.
Access based on User Accounts
One option to provide users access to Teamup is to require them to log in using a user account. An email-based invitation feature supports the addition of new users. To enhance the security of accounts even further, it is possible to enable two-factor authentication for accounts. To help manage a large number of users with user accounts, Teamup supports the concept of user groups. User groups are particularly time-saving if multiple users share identical or similar permissions.
Access based on Secret Links
A second option to provide users access to Teamup is using secret links. Secret links are URLs that contain a long random string. They are sometimes also referred to as capability links. With secret link-based access, only users that received the secret link have access to the calendar. Secret links can be passwordless or require a password. The main advantage of secret links is that it is very easy for new users to get started.
6.3 User Permissions
Teamup supports granular control of access to the calendar:
- Control which sub-calendars of the calendar a user has access to.
- Control what operations can be performed on calendar appointments of visible sub-calendars. Supported operations are read-only, modify, add-only, edit-my-own, admin, and more.
It is possible to make a calendar publicly accessible by creating a secret link that is then shared publicly. If public access must be prevented, it is recommended to require a login to a user account to access the calendar or to protect secret links with passwords.
The user who creates a calendar automatically has administration permission to the calendar. Administration permission enables a user to configure and edit the calendar, invite other users to the calendar (including other users with administration permission), and delete the calendar.
It is not possible to limit access to Teamup based on the geographical location of the user or the IP address of the user.
6.4 Data Deletion Policy
At Teamup we believe that users own their data and should have the freedom to move between different calendar applications if they wish to do so. We provide tools to export and delete data hosted in Teamup.
Data Deletion Policy for Calendar Data:
- Calendar data can be deleted anytime by users with permission to modify a calendar. Teamup implements a soft-deletion feature. That means that deleted data is only marked as deleted but kept in the database for 30 more days. After 30 days, data marked as deleted is permanently removed from the database. The purpose of the soft deletion feature is to be able to restore accidentally deleted data. Restoral requests should be sent to email@example.com.
- An entire calendar can be deleted anytime by users with administration permission to the calendar. A deleted calendar is kept for 30 days in the database and then permanently removed from the database. Within the 30 days period, calendars can be restored on request by a user with administration permission. Restoral requests should be sent to firstname.lastname@example.org.
- The web client of Teamup supports an undo feature. For a few minutes after a change or deletion of an event, the change or deletion can be undone.
- Calendars on the free plan are automatically deleted after 2 years of inactivity.
Data Deletion Policy for User Accounts:
- Teamup users anytime have the option to delete their user accounts. A deleted user account is marked as deleted and kept for 30 days in the database. Within 30 days it is possible to request a restoral of the account. Restoral requests should be sent to email@example.com. After 30 days it is permanently removed from the database.
- Upon deletion of an individual user account, Teamup does not automatically delete the content that was created by that individual account in Teamup. For example, event data entered into a calendar will remain available to other users even if the account of the creator has been removed. The applicable calendar’s administrator would need to delete that content manually if this is required.
- User accounts may be deleted automatically after 2 years of inactivity.
Data Deletion Policy for Support Conversations:
- Support conversations are kept for at least 10 years. It is not possible to delete them.
- The Teamup database is backed up daily. The backup is stored off-site for 35 days. That means that data deleted from the database exists for another 35 days in a backup.
Data that cannot be deleted:
- In cases where Teamup has a legitimate business reason or a legal obligation, Teamup may keep user personal data. Some examples of this include records related to calendar subscription payments or data relating to litigation or other legal inquiry.
6.5 User Uploaded Content
Teamup is a general-purpose tool to plan, schedule, and coordinate activities and resources. It is applicable to a very broad range of use cases and has been explicitly designed to support any type of content users may choose to store within Teamup. The information collected in a Teamup calendar is not viewed, monitored or moderated in any way by Teamup.
Teamup offers its users tools to create calendars, configure calendars and invite users to collaborate using a calendar. A user who creates a calendar receives administration permission to the calendar. This creator is responsible to define the purpose of the calendar, invite other users to use the calendar, and ensure that the use of the calendar is compliant with applicable laws. The creator may delegate the administration of a calendar to other users.
7. Backup, Business Continuity, and Disaster Recovery Policy
7.1 Redundant Data Storage
User data is replicated in near real-time to multiple different database servers located in different data centers and in different geographical regions.
7.2 Backup Policy
User data is backed up once every day, encrypted, and stored off-site redundantly. Backup data is kept for 35 days.
Backups restoral is tested quarterly.
Files uploaded to Teamup as event attachments are not backed up on the same schedule and instead rely on Amazon S3’s internal redundancy mechanism, which according to Amazon AWS provides yearly data durability of 99.99%.
7.3 Recovery of User Data
Teamup implements a soft-delete mechanism. That means that when a user deletes calendar data, it is marked for deletion but not immediately removed from the database. Data marked for deletion is permanently removed from the database after 30 days. During that period of 30 days, Teamup support is able to recover accidentally or maliciously deleted data. Please contact firstname.lastname@example.org for details.
7.4 Data Portability
Teamup calendar data is available for export by calendar users in different formats:
- iCalendar format (all users)
- CSV format (calendar administrators)
- JSON format via the Teamup REST API (all users)
7.5 Business Continuity
The Teamup application has been designed to keep operating even if the underlying infrastructure experiences an outage or other significant issues. Every critical Teamup service has a secondary, replicated service running simultaneously with mirrored data in a different AWS availability zone than the primary server. Additionally, each Teamup database server has a replicated service running in a third availability zone with data that is mirrored in near real-time.
7.6 Disaster Recovery
Because it is critical to have reliable access to your business’s important data, Teamup has been architected to survive a single availability zone outage without significant service interruptions.
In the unlikely event that two Amazon EC2 availability zones have long-term service interruptions, Teamup has been designed to recover within 24 hours, and a maximum target data loss of a few seconds.
In the even more unlikely event that an entire AWS EC2 region is irrecoverably lost, we will restore servers using automated configuration systems. In this event, Teamup’s systems are designed to recover user data as quickly as reasonably possible, with a maximum target data loss of a few seconds.
7.7 Incidents and Response
A service problem impacting Teamup users will be assigned a severity level and handled according to the resolution in the table below:
Support with technical issues imparting the service usage.
|High||Teamup is not available or unusable||24h x 7days, work begins within 1 hour of the report.|
|Medium||Service is significantly degraded||24h x 7days, work begins within 4 hours of report|
|Low||Minor service issue||During business hours, best-effort resolution|
Support with configuration, usage, and billing questions.
|All plans||During business hours, within 3 business days|
|Enterprise||During business hours, within 1 business day|
8. Employee Policies
Any workstations used for access to the production environment and the support tools must be running an update-to-date and active instance of antivirus software.
8.2 Access to the Production System
Access to support tools requires the use of Two-Factor-Authentication.
Access to the production environment requires the use of ssh terminal connections using passphrase-protected personal certificates.
A password policy defines the required minimum password strength and mandates the use of a password manager.
Production data is never exported to a device outside of the production environment. An exception to this rule is the export of data for one particular user in the context of a support case and on request by the user.
Employee workstations are required to time out and lock after a maximum idle time of 10 minutes. We do not have a clean desk policy.
8.3 Security Awareness and Confidentiality
Security awareness and user data access policies are covered during our employee onboarding as appropriate to the role and employees are updated as relevant policies or practices change. Furthermore, security awareness is periodically refreshed in training sessions.
Our employees also sign a confidentiality agreement.
In the event that a security policy is breached by an employee, Teamup reserves the right to determine the appropriate response, which may include termination.
8.4 Background Checks
All our employees undergo an extensive interview process before hiring. Our employees with direct access to the production environment undergo an extensive background check.
9. Maintenance Policy
9.1 Planned Maintenance
Due to the redundancy of the Teamup service infrastructure, it is almost always possible to perform maintenance in a way that does not interrupt the service.
In cases where a service downtime cannot be avoided, maintenance is scheduled on Sunday between 6:00 am and 8:00 am UTC.
It is not possible for us to customize the maintenance window, as our users are on a shared infrastructure. However, we’ve used this maintenance window extremely rarely—about once a year.
9.2 Unplanned Maintenance
Due to unforeseen events, we may have to infrequently perform unplanned maintenance on Teamup’s service infrastructure. This maintenance might cause some or all of the Teamup services to be inaccessible to our users for a period of time. Any unplanned or emergency maintenance that causes Teamup to be inaccessible will be announced on the Teamup status page at https://www.teamup.com/system-status/ As with planned maintenance, we do our best to minimize disruption caused by service outages.
10. Change Log
June 30, 2022: First version