Security

Security at Trail

Trail has the responsibility of storing very confidential information about people's assets and finances. We take great care to ensure that our security measures are sufficient for this sensitive task.

In this document we highlight our key security practices which we feel provide the most value to our clients.

Compliance & certifications

• Trail is certified under the ISO 27001 cyber security standard. This certification shows that we maintain our Information Security Management System (ISMS) to an internationally recognised level.
  - To see our certificate.
  - To read more about ISO 27001.
• We are compliant with the Privacy Act 2020. We are committed to transparency of the security processes we use to protect your data.
• We understand the new requirements under the FSLAA. We retain your data for a minimum of 7 years for audit purposes. We can also provide extra services to help you manage your regulatory compliance.

Acceptable use

Information assets can only be used in ways which ensure the integrity and safety of data and operational systems.

• We try to avoid disruptions. Activities that interfere with other users, create a security risk, or break the law are prohibited.
• The software we use is secure. Software installed on computers by employees must first be approved.
• We stay on top of malware. We make sure our software is always up to date to patch security exploits.

Product infrastructure

We use industry leading cloud infrastructure to keep the information you store in Trail secure.

• Microsoft hosts our products. Our software and your data is hosted through Microsoft Azure. Azure has a long list of data security certifications and extensive physical security.
• Your data is stored in Australia. While Azure provides hosting all over the globe, our primary data centre is in Eastern Australia.
• Your data is encrypted at rest and in transit. Our database is protected with encryption and our service doesn't allow non-HTTPS traffic.
• Our infrastructure is protected by a firewall. We require special network access to administrate our servers and software in addition to other credentials.
• Our infrastructure is scalable. When demand is high our service can acquire more computing resources to remain responsive.
• Administrative actions are logged. We are able to see what administrators access or change on Azure.

Information classification & handling

Trail has a robust policy for classifying information such that it can be handled appropriately.

• We assign all our data a level of sensitivity. Each level has progressively stricter requirements for security.
• Our storage and transferal methods meet each level's requirements. We adapt our business processes to fulfil the security requirements of the information we are handling.
• We follow a due diligence process. We calculate a security score for every service we use. We use this score to decide what information can be stored on the service.
• Your data is the highest level of sensitivity. When handling your data we require 3 different factors to authenticate ourselves.

Data security & loss prevention

Trail CRM is a cloud service and relies heavily on other cloud services. This means that the integrity of our data is outsourced to dependable companies like Microsoft and Google.

• The data you store in Trail is backed up regularly. We schedule automatic database backups to mitigate the unlikely event of loss or corruption. These backups are stored in a different part of Australia.
• Ransomware attacks are mitigated through cloud storage. We don't rely on local storage for important information. All our data is backed up with version history.
• DDoS attacks are mitigated through Azure. Microsoft has infrastructure capable of withstanding DDoS attacks.
• We encrypt our devices to secure the information on them. Information on our devices is unreadable without their decryption keys, even if they are stolen by a sophisticated party.
• We only use websites that serve HTTPS. Our web browsers prevent us from visiting websites that don't meet web security standards.

Passwords & authentication

At Trail we closely follow NIST guidelines for internal password protection. Protection of our own passwords is important for maintaining the security of the infrastructure that stores and transfers your data.

• We use a password manager. Our password manager generates, stores and distributes our passwords for us. There are only a few circumstances were we need to create and remember a password ourselves.
• We never reuse passwords between services. Randomly generating passwords means this is very rarely a problem.
• Our passwords are secured with zero knowledge encryption. They can only be decrypted by someone who possesses the correct master password, which isn't known to our provider.
• We use Two Factor Authentication (2FA) whenever possible. Where possible we also enable additional authentication methods depending on the service.
• You can enable 2FA for yourself on Trail. A recent update now allows you to set up 2FA for your account, which we highly recommend.

Incident management

Security incidents are managed through a standard process that allows us to use incidents as an opportunity to improve the business.

• We treat security vulnerabilities seriously. We speculate the impact of a vulnerability before it is exploited. This helps ensure that the weaknesses are never left unactioned before it is too late.
• Incidents have extensive assessment criteria. We are able to effectively assess the impact of an information security incident to parties involved
• Transparency is a part of the process. In compliance with the Privacy Act 2020 we report information security incidents to affected parties.
• We have a no blame security culture. Employees are encouraged to report security incidents with a reasonable expectation of impunity

Personal security

We have multiple policies that ensure that we maintain a good level of personal security.

• We all abide by our clear desk and screen policy. We make sure our work spaces never have unattended sensitive items, including unlocked computers, phones, flash drives and keys.
• We connect to a Virtual Private Network (VPN) when working remotely. Some of our services have firewall rules that require us to be physically at the office or connected to the VPN. It also provides us with extra security when using less secure networks.
• Not downloading data is encouraged. We prefer to interact with business data through cloud services like Google Docs. This prevents information from being permanently stored in unnecessary locations.

More information

For more information you can send us a message to support@gettrail.com or through Intercom. You can also take a look at our privacy policy.

Reporting security issues

If you want to report a security issue with our software please send an email to developer@gettrail.com. You can also view our security.txt file, which contains a link to our public PGP key.