Security Overview

 

Date: April 11, 2025

 

Tyfoom has implemented policies, controls and documentation that address the security and governance of our platform and user data. These cover: Asset Management and Access Control; Business Continuity and Data Backup; Data Security, Retention and Disposal; Information Security; Risk Management; Application Security; Physical Security; Change Management; Security Incident Management; Vendor Management; and Vulnerability Management.

Tyfoom collects and processes the following information: employee name, email, phone number and data collected in the course of using the app, including the number of videos watched, completed training, quiz scores, etc.

Administrator access supports MFA and complex passwords, both of which are built into the app. Tyfoom supports OpenID Connect for all users and admins.

All systems are cloud-based and require MFA/2FA to access. We do not use a VPN, and we adhere to zero-trust security principles. Tyfoom’s development team performs security testing and code review prior to moving any new code into the production environment.

Tyfoom adheres to NIST 800-171 principles. We also adhere to SOC 2 requirements and controls. Tyfoom service providers and subprocessors manage their various aspects and will give notice of abnormalities in accordance with their policies. Tyfoom is hosted on Heroku, Amazon S3 and AWS, which are ISO 27001, 27017, 27018 and ISO 9001 compliant. AWS is independently audited using the industry-standard SSAE-18 method, and data center operations have been accredited under SOC 1, SOC 2 and SOC 3; SSAE 16/ISAE 3402; PCI DSS Level 1; FISMA Moderate; and Sarbanes-Oxley (SOX).

All data is encrypted. Only client Administrators and designated Tyfoom personnel have access to employee names, phone numbers, email addresses, and data collected in the course of using the app, including the number of videos watched, completed trainings, quiz scores, etc. Admins should add or remove employees for onboarding and termination. Information is not shared with third parties. See Tyfoom’s privacy policy at www.tyfoom.com/privacy-policy.