Introduction

Top Hat takes the security of user data seriously and maintains technical and operational measures to keep that data safe. We are committed to being transparent about our security practices and to helping users understand our approach.

ISO 27001 Certification

Top Hat has achieved ISO/IEC 27001:2022 certification, the internationally recognized standard for information security management. This certification demonstrates our commitment to protecting user data through a comprehensive set of information security controls that are regularly audited by an independent third party.

Our certification covers the management of information security for the protection of user data in the Top Hat and Aktiv SaaS platforms and reflects our ongoing commitment to maintaining the highest standards of security for our users’ data.

Our Security Philosophy

Top Hat’s approach to security is built on three core principles:

  • Confidentiality: Ensuring that information is accessible only to authorized individuals
  • Integrity: Maintaining the accuracy and completeness of information and processing methods
  • Availability: Ensuring that authorized users have reliable access to information and systems when they need it

These principles inform every aspect of our Information Security Management System.

Our Information Security Management System

Top Hat maintains a comprehensive Information Security Management System (ISMS) that provides a systematic approach to managing sensitive company and user data. Our ISMS includes:

  • A risk assessment methodology that identifies and addresses security threats
  • A Statement of Applicability that documents applicable security controls
  • Regular management reviews to ensure continual improvement
  • Internal and external audits to verify compliance with ISO/IEC 27001:2022

Risk Management

Our security program begins with thorough risk assessment processes that identify, evaluate, and prioritize potential security threats. This includes:

  • Regular threat modeling and vulnerability assessments
  • Comprehensive risk treatment planning
  • Implementation of appropriate security controls
  • Continuous monitoring and reassessment

Continuous Security Improvement

Our security program is constantly evolving to address new threats and technologies:

  • Regular internal and external security audits
  • Periodic penetration testing by independent security firms
  • Security awareness training for all employees
  • Continuous monitoring of security controls effectiveness

Organizational Security

Personnel Security

Top Hat’s security practices apply to all members of staff, independent contractors, and anyone with direct access to our internal systems and/or unescorted access to Top Hat’s office space. Before gaining initial access to systems, all employees must agree to confidentiality terms and pass background screening.

Upon termination of employment at Top Hat, all access is removed immediately.

Security Policy Framework

Our information security policies form a comprehensive framework that includes:

  • Information Security Policy
  • Access Control Policy
  • Data Protection and Privacy Policy
  • Risk Management Policy
  • Business Continuity Policy
  • Incident Response Policy
  • Acceptable Use Policy
  • Cryptographic Control Policy
  • Secure Development Policy

Top Hat adheres to the principle of least privilege: employees are given access only to the data that they must handle in order to fulfill their current job responsibilities. Employees are granted access to a small number of internal systems upon hire, but any requests for additional access must be approved by the system owner or their direct manager.

Where possible, Top Hat employs multi-factor authentication for administrative access to systems containing any sensitive data.

Security Incident Response

Top Hat has documented policies and procedures, including step-by-step guides, for responding to security incidents. All incidents are managed by our production operations team, who classify them according to severity and determine the steps required for remediation. These procedures are reviewed and updated annually.

Disaster Recovery and Business Continuity

Top Hat has disaster recovery and business continuity plans that are reviewed and revised annually. We use services provided by our hosting provider to distribute our production operations across four separate physical locations, and to provide redundant power and network connectivity. Top Hat also stores backups in a separate location more than 500 kilometers (310 miles) from our primary operating environment.

All production database instances have streaming backups via database replicas in addition to daily full snapshots. These backups are stored in a separate AWS account that is protected by a multi-factor authentication token available only to a limited number of executive staff. File backups are streamed continuously to the same backup account for disaster recovery purposes. All backups are encrypted with keys separate from those used for the original production data and are stored in a different geographical region. Top Hat performs backup restoration drills at least annually to verify the process and ensure that we can recover quickly in case of disaster.

Third Party Service Providers

Top Hat uses third-party providers for some aspects of our operations. Where those organizations may impact the security of our production environment or user data, we take appropriate steps to ensure that Top Hat’s security posture is maintained. Top Hat establishes agreements with all third-party providers that require them to adhere to the security and confidentiality commitments we make to our users.

Threat Intelligence

Top Hat maintains an active threat intelligence program to stay ahead of emerging security risks, including:

  • Subscription to industry-leading threat intelligence feeds
  • Regular security bulletins and advisories for internal teams
  • Participation in industry security groups
  • Proactive monitoring for new vulnerabilities affecting our technology stack

Security Operations

All access to production systems is logged and monitored by Top Hat’s operations team. We review and approve each request for elevated access in the production environment to ensure that it meets a legitimate business need, and this access expires automatically. Additionally, any direct system access to production servers requires an SSH key whose public half has been countersigned by one of our administrative users; an unsigned key is not accepted. Top Hat’s operations team provides 24/7 support through our on-call rotation, and we have several dozen alarms in place to ensure that all systems are operating as expected.
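The countersigned, automatically expiring access described above is the pattern OpenSSH supports natively through user certificates: an administrative user holds a certificate authority key, signs an engineer's public key with a bounded validity window, and production hosts trust only the CA's public key. The script below is an added example written for this page, not Top Hat's own tooling; the working directory, the principal `alice`, the key ID `alice-prod-access` and the 8-hour window are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not Top Hat's tooling): short-lived SSH certificates signed by
# an administrative CA. Paths, principal, key ID and validity are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. The administrative user generates the CA key pair. Only user_ca.pub is
#    ever copied to production hosts (sshd_config: TrustedUserCAKeys).
make_ca() {
  ssh-keygen -q -t ed25519 -N '' -C 'prod-user-ca' -f "$WORK/user_ca"
}

# 2. The engineer generates a key pair locally and submits only alice.pub;
#    the private half never leaves their machine.
make_user_key() {
  ssh-keygen -q -t ed25519 -N '' -C 'alice@example.com' -f "$WORK/alice"
}

# 3. The administrator countersigns the public key, producing alice-cert.pub.
#    -n pins the login principal the certificate is good for;
#    -V '+8h' bounds validity so the elevated access expires on its own.
sign_user_key() {
  ssh-keygen -q -s "$WORK/user_ca" -I 'alice-prod-access' -n 'alice' \
    -V '+8h' "$WORK/alice.pub"
}

# 4. Check before handing the certificate out: expected key ID, expected
#    principal, and a finite validity window (never "Valid: forever").
#    Returns 0 on pass, 1 on fail.
check_cert() {
  ssh-keygen -L -f "$WORK/alice-cert.pub" > "$WORK/cert.txt"
  grep -q 'Key ID: "alice-prod-access"' "$WORK/cert.txt" || return 1
  grep -q '^ *alice$' "$WORK/cert.txt" || return 1
  grep -q 'Valid: from' "$WORK/cert.txt" || return 1
  grep -q 'forever' "$WORK/cert.txt" && return 1
  return 0
}

make_ca
make_user_key
sign_user_key
check_cert && echo "certificate OK: $WORK/alice-cert.pub"
```

On the server side the only configuration needed is `TrustedUserCAKeys /etc/ssh/user_ca.pub` in `sshd_config`; individual `authorized_keys` entries are no longer required, and a certificate past its `-V` window is rejected by sshd without any revocation step. A key that must be cut off early can be listed in a `RevokedKeys` file.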

Physical Security

Top Hat infrastructure is hosted on Amazon Web Services (AWS). The AWS data centers are equipped with multiple levels of physical access barriers, including:

  • Alarms
  • Outer perimeter fencing that is crash-rated for vehicles
  • Electronic access cards
  • Video surveillance
  • Internal trip lights

For more information on AWS security processes, see the security documentation published by AWS. No Top Hat employee has physical access to any AWS data centers, servers, networking equipment, or storage.

The Top Hat offices are access controlled by electronic access cards, and all employees are required to wear identification badges at all times in the office.

Technical Security Measures

Data Protection

All Top Hat data in transit over public networks uses strong encryption. This includes any and all data transmitted between Top Hat clients and servers. Top Hat systems support the latest recommended secure cipher suites and only allow encrypted traffic from clients.

Data at rest is encrypted using FIPS 140-2 compliant encryption standards. This includes all relational databases, file stores, backups, etc. Keys are generated using Hardware Security Modules and are never stored alongside any other user or Top Hat data.

Top Hat divides systems into separate networks to ensure that user data is kept separate from test and development data. Systems intended for testing and development activities are hosted in a separate network segment and managed in a separate AWS account. Any user data submitted to Top Hat is only permitted to be stored in our production environment. Administrative access to the production environment is limited to engineers and support staff with a specific business need.

Access to Top Hat’s production environment is tightly restricted. Most systems are reachable only through dedicated load balancers on ports 443 and 80, and application servers are assigned private, non-routable IP addresses.

Secure Development Lifecycle

All changes to Top Hat’s production code or infrastructure are subject to code review. Top Hat’s application servers are launched from known-good images that are updated frequently with the latest code and operating system patches. All configuration changes are performed via a configuration management tool and reviewed through the same process as our application code. Top Hat also employs dependency vulnerability monitoring to ensure that the third-party code we rely on does not contain known security vulnerabilities.

Responsible Disclosure

Top Hat is committed to staying up to date with the latest security techniques and maintaining a collaborative relationship with the security community. If you believe you have discovered a security vulnerability in a Top Hat application, please contact us at security@tophat.com. When you send an email to this address, we will share our Vulnerability Disclosure Program Policy, which outlines the scope, guidelines, and expectations for responsible reporting. Please review this policy before you submit your report to ensure that it is handled efficiently and in accordance with our procedures.

We investigate all legitimate reports and take necessary steps toward resolution on a case-by-case basis. Thank you for helping us keep our systems secure.