User privacy and security are considered first in all our operational and engineering decisions, particularly when choosing the commercial services we integrate with to provide highly specialized functionality for our product, such as storing data and protecting user-provided metadata. Our infrastructure builds on best-in-class services from Amazon Web Services (AWS), Heroku, GitHub and Google Firebase, each the clear leader among its peers. Turbine has no physical servers or data centers. Physical security practices follow the guidance of the Turbine Employee Security Program.
Turbine uses GDPR- and CCPA-compliant data controllers. All data sent between you and Turbine is encrypted HTTPS traffic using TLS v1.2. Data is encrypted at rest using AES-256 and stored in data centers certified for compliance with the ISO 27001 standard. Turbine encourages customers to use their own Amazon Web Services account to store any file uploaded to Turbine; this is a server-side integration handled by Turbine engineers. Turbine uses Let’s Encrypt: the ACME protocol makes it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server.
Access to user data is restricted. We require that an organization owner give explicit permission to any Turbine engineer or support staff member who is not otherwise required to troubleshoot affected data or platform features. These actions are monitored.
Turbine follows a microservices architecture pattern and authenticates users with Google Firebase Authentication. A JWT signed with HMAC-SHA256 (HS256) using a server-side key enables Turbine single sign-on (SSO). Client-facing apps include auth.Turbine.com (Turbine Auth), app.Turbine.com (Turbine) and admin.Turbinelms.com (Turbine Admin). Specific user permissions are required to access each application. Turbine Auth and LMS are accessible by all users. Turbine Admin is accessible by organization (customer) owners, admins and users granted access by owners and admins.
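As an added illustration (not Turbine's own code), here is how a receiving app in the SSO flow above can mint and verify an HS256 JWT with a server-side key; the key, claim names and role names are constructed assumptions, and the audience check shows why a token issued for one client app must not be accepted by another.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example key; a real deployment keeps this server-side only.
SERVER_KEY = b"constructed-example-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_sso_token(user_id, roles, audience, ttl=3600, now=None):
    """Issue an HS256-signed JWT scoped to one client app via the 'aud' claim."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "roles": roles, "aud": audience,
               "iat": now, "exp": now + ttl}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(SERVER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_sso_token(token, expected_audience, required_role=None, now=None):
    """Return the payload if the token is valid for this app, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64 or JSON
        return None
    # Pin the algorithm: reject "none" or any non-HS256 header before checking the MAC.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SERVER_KEY, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison so the MAC check does not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    if payload.get("exp", 0) <= now:
        return None
    # Audience check: a token for app.Turbine.com is not valid on the admin app.
    if payload.get("aud") != expected_audience:
        return None
    if required_role and required_role not in payload.get("roles", []):
        return None
    return payload
```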
We require physical security of our machines, devices and passwords through the use of 256-bit AES encrypted password management, two-factor authentication (2FA) and regular security reviews of people and technology.