ThoughtFarmer offers industry-leading security and privacy protection. Whether you choose self-hosted or cloud, you can be confident that your data is safe with security practices designed to defend against the most serious threats.
In addition, ThoughtFarmer Cloud is hosted in an ISO 27001 and SOC 2 Type 2 certified hosting facility.
ThoughtFarmer provides two deployment options: Cloud and on-premises. ThoughtFarmer Cloud is monitored and optimized for fast response times and high concurrency, and gets customers up and running quickly. We also take care of upgrades, during a scheduled time that works for your organization.
For customers in highly regulated industries, the decision may already be made to host on premises. ThoughtFarmer’s server requirements are modest. We have worked hard to optimize our software so that it runs well on an average server – view our technical requirements.
ThoughtFarmer undergoes regular third-party audits of the security and risk management capabilities of its systems, processes, and processing environments. The following third-party audit reports are available for review under NDA:
ThoughtFarmer Third Party Assurances
Data Center Third Party Assurances
Safeguarding customer data is the most important thing we do. Our security practices were designed to defend against the most serious threats and vulnerabilities. From our leadership team to each individual employee, everyone at ThoughtFarmer is committed to the security and confidentiality of your data assets.
Sensitive data is accessible only to the right people within your organization. You can set “view” and “edit” permissions at the section, page, and file levels. Pages a user cannot access are hidden entirely, both while browsing and in search results.
ThoughtFarmer was designed around role-based access control with defined privilege levels for users. Only explicitly assigned users have access to specific pages and data. Every action in ThoughtFarmer is checked against these access controls; if the user lacks the required privilege, the data is unavailable until the customer grants it.
Control outside-the-office access with IP filtering: allow employees to reach the intranet from home, while restricting sensitive content to users connecting from your on-premises IP ranges.
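The three controls described above (default-deny view/edit permissions, search that hides what a user cannot see, and an on-premises IP restriction) fit together as in the following added illustration. It is example code written for this page, not ThoughtFarmer’s implementation or data model; the page titles, group names, address ranges and the load-balancer addresses are constructed. The part practitioners most often get wrong is the IP check: behind a load balancer the client address arrives in X-Forwarded-For, which the client can pre-fill, so the header is trusted only when the TCP peer is our own proxy, and only its last hop.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data and a hypothetical data model for illustration;
# this is not ThoughtFarmer's schema or code.
ON_PREMISES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
TRUSTED_PROXIES = [ipaddress.ip_network("10.1.1.0/24")]   # the load balancer fronting the app


@dataclass(frozen=True)
class Page:
    title: str
    body: str
    view: frozenset           # groups granted "view"
    edit: frozenset           # groups granted "edit"; meaningless without "view"
    on_premises_only: bool = False


PAGES = [
    Page("Holiday calendar", "Office closures for the year", frozenset({"staff"}), frozenset({"hr"})),
    Page("Payroll export", "Monthly payroll CSV and bank details",
         frozenset({"finance"}), frozenset({"finance"}), on_premises_only=True),
    Page("Board minutes", "Executive decisions", frozenset({"exec"}), frozenset({"exec"})),
]


def client_ip(remote_addr: str, x_forwarded_for: str = ""):
    """Resolve the real client address behind the load balancer.

    X-Forwarded-For is honoured only when the TCP peer is one of our proxies,
    and then only its last hop (the one our proxy appended); earlier hops were
    sent by the client and can be forged. Anything ambiguous returns None,
    which the callers below treat as off-premises (fail closed).
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer               # direct connection: the header is untrusted, ignore it
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    if not hops:
        return None               # never fall back to the proxy's own (on-premises) address
    try:
        return ipaddress.ip_address(hops[-1])
    except ValueError:
        return None               # malformed header


def is_on_premises(ip) -> bool:
    return ip is not None and any(ip in net for net in ON_PREMISES)


def can_view(page: Page, groups: set, ip) -> bool:
    """Default deny: no explicit grant means no access."""
    if not (page.view & groups):
        return False
    if page.on_premises_only and not is_on_premises(ip):
        return False
    return True


def can_edit(page: Page, groups: set, ip) -> bool:
    return can_view(page, groups, ip) and bool(page.edit & groups)


def search(query: str, groups: set, ip, pages=PAGES) -> list:
    """Results pass the same check as browsing, so hidden pages never leak, even as titles."""
    q = query.lower()
    return [p.title for p in pages
            if can_view(p, groups, ip) and (q in p.title.lower() or q in p.body.lower())]


if __name__ == "__main__":
    finance = {"staff", "finance"}
    # Finance user at home, arriving through the load balancer: restricted page is hidden.
    print(search("payroll", finance, client_ip("10.1.1.5", "203.0.113.5")))
    # Same user from the office network: restricted page is visible.
    print(search("payroll", finance, client_ip("10.1.1.5", "10.2.3.4")))
    # Same user at home forging an office address; the proxy appends the real one last.
    print(search("payroll", finance, client_ip("10.1.1.5", "10.2.3.4, 203.0.113.5")))
```

Two of the edge cases are deliberate: a connection from a trusted proxy that carries no X-Forwarded-For header returns None rather than the proxy’s own address (which would otherwise sit inside the on-premises range and silently grant access), and a client that connects directly and supplies the header has it ignored.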
Following coding and quality-assurance best practices, and using SAST and DAST tools, ThoughtFarmer is hardened against a wide variety of common web application vulnerabilities, including the OWASP Top 10.
ThoughtFarmer’s development staff are trained in a secure software development lifecycle. Automated testing is used to ensure regressions do not appear, and static code analysis is performed to ensure the software is as secure as possible. ThoughtFarmer also uses a peer review process, a critical review of code to ensure it is understandable, well documented and efficiently written.
Only the members of the ThoughtFarmer development team have permission to retrieve and submit changes to the source code. All access to the source control system is encrypted, access-controlled, and subject to regular internal audit.
ThoughtFarmer is configured by default to keep user sessions private and secure. Once a user successfully authenticates to the ThoughtFarmer application, a session is established on the server. Sessions end when the user closes their web browser or explicitly logs out of the application.
Our software runs fully in the browser and no plugins are required. If you would like to use our optional direct document editing feature, users will need to install the ThoughtFarmer Desktop Connector, a helper utility that runs on Windows and macOS computers.
ThoughtFarmer works best with modern, evergreen browsers like Chrome, Firefox, Safari and Microsoft Edge. We currently support IE11 but strongly recommend modern browsers.
ThoughtFarmer provides a broad range of options for managing user accounts and permissions. We recommend using cloud-based identity providers, but we also provide full support for authenticating against on-premises Active Directory.
Leverage your investment in your existing cloud-based authentication service with ThoughtFarmer. We integrate with every major SAML provider, including Azure AD, G Suite, OneLogin, Okta and Ping Identity. We support multi-factor authentication with third-party providers, and can be configured to use more than one provider for complex deployments. Are you working with a different authentication provider? If it is SAML based, chances are good that it will work with ThoughtFarmer.
ThoughtFarmer can integrate with your on-premises Active Directory via our Employee Directory Connector (EDC). It supports multiple AD domains, and can be configured to use Windows Integrated Authentication for automatic login.
ThoughtFarmer’s bi-directional directory synchronization keeps groups, profile pictures, security profiles, and employee contact information up to date across systems. Simplify user provisioning and deprovisioning with on-demand and scheduled sync that includes user profile fields as well as group and security membership.
If you use password expiry policies with Active Directory, your users can change their password directly from the intranet – convenient for Mac and remote users. We also support ThoughtFarmer-only accounts. For credentials stored in ThoughtFarmer, a password policy enforces strong passwords, and passwords are stored in the database only as one-way hashes, never in plaintext.
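What “a secure password policy” and “a secure one-way hash” amount to in practice is shown in the following added example. It is illustration code written for this page, not ThoughtFarmer’s implementation; the length and complexity thresholds, the iteration count and the record format are assumptions chosen for the example. The points it demonstrates are the ones a reviewer checks for: a slow, salted key-derivation function rather than a plain digest, a constant-time comparison on verification, malformed records failing closed, and a way to raise the work factor later without resetting everyone’s password.

```python
import hashlib
import hmac
import os

# Policy values are assumptions for this example, not ThoughtFarmer's settings.
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000      # OWASP's current guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def check_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        problems.append("needs at least three of: lower case, upper case, digits, symbols")
    return problems


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """A slow, salted one-way hash. A fast digest such as plain SHA-256 is not enough:
    an attacker who steals the table could test billions of guesses per second."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time so
    timing does not reveal how many leading bytes matched. Malformed records fail closed."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        salt, expected, rounds = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), int(iterations)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    except ValueError:             # bad hex, bad integer, wrong field count, or rounds < 1
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record uses an older scheme or a lower cost than current policy,
    so it can be upgraded transparently at the user's next successful login."""
    parts = stored.split("$")
    try:
        return len(parts) != 4 or parts[0] != SCHEME or int(parts[1]) < PBKDF2_ITERATIONS
    except ValueError:
        return True
```

The record stores its own iteration count so that raising PBKDF2_ITERATIONS later does not break verification of existing hashes; needs_rehash lets the login path replace old records the next time the user presents the correct password.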
ThoughtFarmer Cloud is SOC 2 Type 1 compliant and subject to rigorous third-party network vulnerability scans, intrusion detection monitoring, and penetration tests. All customer data is backed up regularly, and ThoughtFarmer replicates to an offsite disaster recovery location to ensure continuity and redundancy. Security is built into the development process from the start through a secure software development lifecycle.
The hosting environment is fronted by a load balancer and a network firewall configured to deny all traffic by default. The only inbound ports open to the Internet are TCP 80 and 443, for HTTP and HTTPS communication with the web server respectively. All requests to TCP 80 are redirected to TCP 443; unencrypted sessions are never allowed. The firewall and WAF rules are reviewed regularly and updated as threats and risks evolve.
ThoughtFarmer is committed to privacy and security through the managed use of encryption for data in transit and at rest. Weak cipher suites and ciphers with known cryptographic vulnerabilities are prohibited, and certificate (RSA) key sizes are enforced at a minimum of 2048 bits. Signature algorithms must be SHA-256 or stronger (or a hash of equivalent strength).
All data transferred between a user’s machine and the application servers travels over an encrypted connection. ThoughtFarmer’s transport encryption uses a 2048-bit certificate with 256-bit symmetric encryption, allowing only the TLS 1.2 and TLS 1.3 protocols with the “MEDIUM” and “HIGH” classes of cipher suites. If a user visits a non-encrypted (“http://”) URL, they are redirected to the “https://” equivalent so the connection is encrypted at all times.
All data stored is encrypted using Adaptec MaxCrypto™ technology, which provides in-line AES-256 encryption at the storage controller. Once the unique MaxCrypto™ key associated with a controller is removed, the data on its drives is unreadable; this protects against loss or removal of physical media. All data at rest on the entire cloud platform is encrypted with XTS-AES-256.
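The transport policy above (TLS 1.2/1.3 only, no weak suites, every plain-HTTP request redirected to HTTPS) can be expressed and checked programmatically, as in the following added example. This is illustration code written for this page using Python’s standard ssl module, not ThoughtFarmer’s configuration; the cipher allowlist, the hostname and the HSTS lifetime are assumptions. It departs from the page in one deliberate place: OpenSSL’s “MEDIUM” class has historically admitted 128-bit non-AEAD suites such as RC4 and SEED, so the example names the forward-secret AEAD suites it allows instead of relying on the class keyword, and the audit function reports anything that slips through. It also shows two redirect details that matter: the target host is fixed rather than echoed from the request’s Host header (which would make the redirect attacker-steerable), and HSTS is sent only on HTTPS responses, because browsers ignore it over plain HTTP.

```python
import ssl
import warnings

# Policy constants are this example's assumptions; the page states only TLS 1.2/1.3,
# a 2048-bit certificate and the OpenSSL "MEDIUM"/"HIGH" classes.
MIN_TLS = ssl.TLSVersion.TLSv1_2
# Positive allowlist of forward-secret AEAD suites (TLS 1.3 suites are all AEAD and
# are managed separately by OpenSSL). Naming what is allowed is safer than excluding
# what is known to be weak.
CIPHER_POLICY = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!PSK:!SRP:!MD5:!RC4:!3DES"
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "RC2", "SEED", "IDEA")
CANONICAL_HOST = "intranet.example.com"   # assumed hostname; fixed, never taken from the Host header


def build_server_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_TLS              # SSLv3, TLS 1.0 and 1.1 are refused at the handshake
    ctx.options |= ssl.OP_NO_COMPRESSION       # TLS compression enables CRIME-style attacks
    ctx.set_ciphers(CIPHER_POLICY)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # the 2048-bit (or larger) RSA key is fixed when the cert is issued
    return ctx


def permissive_context_for_comparison() -> ssl.SSLContext:
    """A deliberately weak context, so audit_context has something to reject."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")        # TLSv1 is deprecated and Python says so
        try:
            ctx.minimum_version = ssl.TLSVersion.TLSv1
        except (ssl.SSLError, ValueError):
            pass                               # some OpenSSL builds refuse; the cipher list still fails the audit
    ctx.set_ciphers("ALL")                     # admits RSA key transport and CBC (non-AEAD) suites
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the policy violations found in a context; an empty list means compliant."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum protocol version is below TLS 1.2")
    for c in ctx.get_ciphers():
        name = c["name"]
        if c.get("strength_bits", 0) < 128:
            problems.append(f"{name}: fewer than 128 bits of key strength")
        if not c.get("aead", "AEAD" in c.get("description", "")):
            problems.append(f"{name}: not an AEAD suite")
        for marker in WEAK_MARKERS:
            if marker in name.upper():
                problems.append(f"{name}: uses {marker}")
                break
    return problems


def redirect_to_https(path_and_query: str) -> dict:
    """The 301 every plain-http request receives. The host is fixed, so an
    attacker-controlled Host header cannot turn this into an open redirect, and
    CR/LF in the request target are rejected to prevent response-header injection."""
    if "\r" in path_and_query or "\n" in path_and_query:
        raise ValueError("CR/LF in request target")
    if not path_and_query.startswith("/"):
        path_and_query = "/" + path_and_query
    return {"status": 301, "headers": {"Location": f"https://{CANONICAL_HOST}{path_and_query}"}}


def https_security_headers() -> dict:
    """Sent on every https response. Browsers ignore HSTS received over plain http,
    so it belongs here, not on the redirect above."""
    return {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


if __name__ == "__main__":
    print("strict context violations:", audit_context(build_server_context()))
    print("permissive context violations:", len(audit_context(permissive_context_for_comparison())))
    print(redirect_to_https("/pages/home?tab=1"))
```

Running the audit against the strict context returns no violations, while the permissive one produces a list of non-AEAD and non-forward-secret suites; the same function can be pointed at any SSLContext an application actually serves with.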
ThoughtFarmer deploys a Unified Security Gateway with Advanced Threat Protection in front of the ThoughtFarmer application. It protects the web application from common web exploits that could affect availability, compromise security, or consume excessive resources. Intrusion Detection and Intrusion Prevention Systems (IDS/IPS) on the gateway block malicious and suspicious traffic at the network edge, and the gateway vendor’s cloud threat intelligence supplies it with updated threat signatures as new attacks are identified.
The production web application server and database server processes run under low-privilege user accounts rather than the administrator account. Authentication into the production environment requires a VPN with two-factor authentication and is limited to the technical support and systems administration teams.
ThoughtFarmer deploys and manages a log aggregation and analysis platform that monitors the production environment for deviations from baseline behaviour and flags security risks early. “High” and “Critical” alerts are reviewed and actioned immediately; “Medium” alerts not tied to a published CVE are handled in regular review meetings.
ThoughtFarmer uses a standard hardened server image in the hosting environment. The image includes a strong security configuration by default. In addition, standard industry best practices are employed to harden this server image, including, but not limited to, the following:
Additionally, the Defense Information Systems Agency (DISA) publishes Security Technical Implementation Guides (STIGs), a set of security baselines for Department of Defense (DoD) networks, systems, and applications. We follow the DISA STIGs where possible; they guide our network management, configuration, and monitoring across access control, operating systems, applications, network devices, and physical security.
ThoughtFarmer updates its server images to apply the latest security patches and hotfixes for the operating system and application software. Patching is prioritized by criticality, with “Critical”, “High”, and “Medium” patches applied within industry-standard remediation windows. When a reboot is required, it is performed during the scheduled maintenance window.
ThoughtFarmer operates data processing environments in: Vancouver, Canada and Seattle, USA. The data centers feature high-output cooling, fail-safe power systems, and fire suppression technology. Each location features the highest level of security, complete with bulletproof doors, mantraps, CCTV monitoring and advanced card-access requirements.
When a customer organization is first set up in ThoughtFarmer, we assign them to the processing jurisdiction of their choice. Once selected, all processing including backup storage for that organization will occur within that jurisdiction.
ThoughtFarmer uses both internal and external monitoring solutions to check the health of its systems. When monitoring agents identify a suspicious event, appropriate security team members are notified in real-time via email, secure chat, or text notifications.
ThoughtFarmer’s business resiliency program covers security incident response, operational incident response, disaster recovery, and business continuity. These plans are tested semi-annually, with full review and update cycles occurring annually.
ThoughtFarmer performs a full database backup nightly and differential backups every 15 to 20 minutes to a physically separate server, with disk redundancy and daily offsite backups; monthly backups are retained for a year. Our cloud hosting service level agreement includes 100% guaranteed uptime for network and infrastructure, with credits for unscheduled downtime. Recovery can be initiated from the daily backups (retained for a month) or the monthly backups (retained for a year).
ThoughtFarmer has a robust and configurable error logging system that writes to the application’s own log, the database, files on the server, and an external network logger.
ThoughtFarmer has an internal privacy and security team that runs our comprehensive and robust privacy and data protection program.
This team handles:
ThoughtFarmer fully complies with all relevant data privacy requirements under EU General Data Protection Regulation (GDPR) regulations.
ThoughtFarmer fully complies with all relevant data privacy requirements under California Consumer Privacy Act (CCPA) regulations.
Have a question about our security?