Security at 3TO

Our focus on security & trust

Data protection is vital for every business. At 3TO, we combine enterprise-grade security features with comprehensive audits of our applications, systems, and networks to ensure your data is protected.

Security Certifications & Compliance

3TO conducts a variety of audits to ensure continuous compliance with industry standard best practices.

3TO has obtained a SOC 2 Type I attestation report by an independent auditor, with Type II in progress. This objectively certifies our controls to ensure the continuous security of our customers' data.

The SOC 2 audit uses the Trust Services Criteria developed by the Assurance Services Executive Committee (ASEC) of the AICPA. They are used to evaluate the suitability of the design and operating effectiveness of 3TO's controls relevant to the security, availability, or processing integrity of information and systems, or the confidentiality or privacy of the information processed.

Data Center and Network Security
3TO hosts all its software on Microsoft Azure Cloud. Azure provides an extensive list of compliance and regulatory assurances, including SOC 1-3, and ISO 27001. See Azure's compliance and security documents for more detailed information. All of 3TO's servers are located within 3TO's own virtual private network (VPN), protected by restricted security groups allowing only the minimal required communication to and between servers. 3TO conducts third-party network vulnerability scans at least quarterly.
Security Controls
3TO continuously monitors 140+ security controls across the organization using Drata, a security and compliance automation platform. Automated alerts and evidence collection allow 3TO to confidently prove its security and compliance posture any day of the year, while fostering a security-first mindset and culture of compliance across the organization.
Data Security
All connections to 3TO are encrypted using SSL, and any attempt to connect over HTTP is redirected to HTTPS. All customer data is encrypted at rest and in transit. System passwords are encrypted with restricted access to specific production systems. We use industry-standard data storage systems hosted in Azure. Data access and authorizations are provided on a need-to-know basis, and based on the principle of least privilege. Access to the Azure production system is restricted to authorized personnel. 3TO Customers may configure a data retention duration, and Customer data is purged from 3TO systems subsequent to contract termination.
Security Policies
3TO's security policies are maintained, communicated, and approved by management to ensure everyone clearly knows their security responsibilities. Our policies are audited annually as part of its SOC 2 certification. Code development is done through a documented Secure Development Life Cycle process. Design of all new product functionality is reviewed by its security team. 3TO conducts mandatory code reviews for code changes and periodic in-depth security review of architecture and sensitive code. 3TO development and testing environments are separate from its production environment. Engineers participate in annual secure code training covering OWASP Top 10 security flaws, common attack vectors, and 3TO security controls. Vulnerability Disclosure Process – 3TO considers security to be a core function of our platform. Earning and keeping the trust of our customers is our top priority, so we hold ourselves to the highest security standards.
Application Security
Web application architecture and implementation follow OWASP guidelines. In addition to 3TO's extensive testing program, we conduct application penetration testing by a third-party at least once per year. 3TO enforces Azure AD Multi-Factor Authentication (MFA) to safeguard access to customer data and all applications. Audit logging lets administrators see when users last logged in and what features they used.
Application Monitoring
All access to 3TO applications is logged and audited. Logs are kept for a least one year and 3TO maintains a formal incident response plan for major events, including appropriate user notification.
Report an Issue
If you have discovered a security issue that you believe we should know about, we would love to hear from you. Please reach out to us at security@3topt.com and let us know.

To schedule a product
start with us, please
fill in your contact details.