3TO hosts all its software on Microsoft Azure Cloud. Azure provides an extensive list of compliance and regulatory assurances, including SOC 1-3, and ISO 27001. See Azure's compliance and security documents for more detailed information. All of 3TO's servers are located within 3TO's own virtual private network (VPN), protected by restricted security groups allowing only the minimal required communication to and between servers. 3TO conducts third-party network vulnerability scans at least quarterly.

3TO continuously monitors 140+ security controls across the organization using Drata, a security and compliance automation platform. Automated alerts and evidence collection allow 3TO to confidently prove its security and compliance posture any day of the year, while fostering a security-first mindset and culture of compliance across the organization.

All connections to 3TO are encrypted using SSL, and any attempt to connect over HTTP is redirected to HTTPS. All customer data is encrypted at rest and in transit. System passwords are encrypted with restricted access to specific production systems. We use industry-standard data storage systems hosted in Azure. Data access and authorizations are provided on a need-to-know basis, and based on the principle of least privilege. Access to the Azure production system is restricted to authorized personnel. 3TO Customers may configure a data retention duration, and Customer data is purged from 3TO systems subsequent to contract termination.

3TO's security policies are maintained, communicated, and approved by management to ensure everyone clearly knows their security responsibilities. Our policies are audited annually as part of its SOC 2 certification. Code development is done through a documented Secure Development Life Cycle process. Design of all new product functionality is reviewed by its security team. 3TO conducts mandatory code reviews for code changes and periodic in-depth security review of architecture and sensitive code. 3TO development and testing environments are separate from its production environment. Engineers participate in annual secure code training covering OWASP Top 10 security flaws, common attack vectors, and 3TO security controls. Vulnerability Disclosure Process – 3TO considers security to be a core function of our platform. Earning and keeping the trust of our customers is our top priority, so we hold ourselves to the highest security standards.

Web application architecture and implementation follow OWASP guidelines. In addition to 3TO's extensive testing program, we conduct application penetration testing by a third-party at least once per year. 3TO enforces Azure AD Multi-Factor Authentication (MFA) to safeguard access to customer data and all applications. Audit logging lets administrators see when users last logged in and what features they used.

All access to 3TO applications is logged and audited. Logs are kept for a least one year and 3TO maintains a formal incident response plan for major events, including appropriate user notification.

If you have discovered a security issue that you believe we should know about, we would love to hear from you. Please reach out to us at security@3topt.com and let us know.