Security

At TurboPatent, we take data security very seriously

We know that trust is at the core of your business. Clients trust you with their most precious intellectual property, and that trust is based upon keeping their property privileged and secure. Because clients trust you to protect their intellectual property, TurboPatent works tirelessly to ensure the security of customer data stored with us.

The information on this page is intended to provide transparency about how we protect that data. We have established a program of continual assessment and hardening of our security infrastructure and frameworks, and we will update this information as improvements are made.

Management’s Commitment to Security

TurboPatent’s security begins with a demonstrated commitment at the top levels of management to protect your data in the service. Our security team meets weekly to discuss existing controls and procedures and how to improve them.

The TurboPatent engineering team regularly conducts detailed, security-led assessments of our services and applications for vulnerabilities that could impact the security of customer data. The engineering team continually evaluates new tools to improve our security frameworks and infrastructure.

Data Security in Transit

All communication between TurboPatent clients and servers is conducted through HTTPS. We support Transport Layer Security (TLS) 1.2. We allow only high-strength cipher suites to be negotiated, and we explicitly disable any protocols known to be insecure. All PKI certificates use 2048-bit keys, in line with industry best practices. We also enable HSTS (HTTP Strict Transport Security) to protect clients from malicious actors who may attempt to downgrade security, and we support Forward Secrecy.

Data Security at Rest

All Customer Data on TurboPatent is stored encrypted at rest using industry-standard 256-bit AES.

Customer Data Access

We consider Customer Data to be private and take every precaution to prevent access to your data by our employees. Only a minimal number of our operations or administration staff may access customer data. It is our policy to never access customer data without explicit permission from the customer.

We periodically audit employee access to customer data, and we continually seek to minimize the situations in which employees can access customer data, to prevent external or internal abuse.

Employees found abusing access to customer data will face immediate disciplinary procedures, including potential termination and legal action.

Activity Logging

TurboPatent performs server-side logging of client interactions with our services. This includes web server access logging, as well as logging for actions taken through our API. These logs also include successful and unsuccessful login events.

Scheduled Downtime

Very occasionally, we require service downtime to perform maintenance on our infrastructure. Scheduled downtime is very rarely longer than an hour.

Unscheduled Downtime

We make every attempt to prevent unscheduled downtime by building a robust system that is resilient to failures.

After any incident of unscheduled downtime, we will conduct a thorough investigation and put in place plans to avoid a similar event in the future.

ACCOUNT SECURITY

TurboPatent never stores your password in plaintext. We store account passwords using the PBKDF2 algorithm with a unique salt for each credential, as recommended by NIST 800-132. PBKDF2 makes brute-force attempts and guessing passwords computationally infeasible, while the unique salts used for each credential render common pre-computational attacks such as rainbow tables completely ineffective.
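The storage scheme described above, shown as an added example that is not TurboPatent's code: PBKDF2 with a fresh random salt per credential, a self-describing record, and constant-time verification. The hash function (HMAC-SHA-256), iteration count, salt length and record format are assumptions; the page does not state them.

```python
import hashlib
import hmac
import os

# Assumed parameters: the page names only PBKDF2 and per-credential salts.
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = f"pbkdf2_{HASH_NAME}"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a key with a new random salt and return a storable record."""
    salt = os.urandom(SALT_BYTES)  # unique per credential, never reused
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def _parse(record: str):
    """Split a record into (iterations, salt, derived_key) or return None."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        iterations = int(iters)
        salt, dk = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return None
    if scheme != SCHEME or iterations < 1:
        return None
    return iterations, salt, dk


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, target_iterations: int = ITERATIONS) -> bool:
    """True when a record is malformed or uses a lower cost than the current target."""
    parsed = _parse(record)
    return parsed is None or parsed[0] < target_iterations
```

Because the salt and iteration count travel with each record, two accounts with the same password store different values, and older records can be upgraded at the next successful login when `needs_rehash` returns true.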

TurboPatent’s web application uses session authentication for authorization. Session cookies are accessible over HTTPS only (not over HTTP or from JavaScript). Mobile and desktop clients use OAuth for authentication. Under no circumstances is your password stored in your browser or device.

PRODUCT SECURITY

At the heart of TurboPatent’s security is a robust application architecture that is designed from the ground up to protect your data.

Our security begins with selecting tools that have robust mechanisms to protect against common application security issues including CSRF, XSS, SQL injection, session hijacking, URL redirection, and clickjacking. We have a robust suite of tests to ensure code quality, and our engineers are educated on how to test and spot security errors.

TurboPatent’s client uses a well-defined REST API to access data within your account. An integral part of this API is a robust authorization layer that ensures only you can access your data. Authentication credentials (OAuth access token or session token) are checked on every object access.

In certain circumstances, clients access objects directly from Amazon S3. These objects are always accessed by HTTPS, and URLs to objects in S3 are protected by OAuth 1 signatures and are valid for only a short period of time after they were issued.

SECURITY INCIDENTS

In the event that a security breach has been identified, we will immediately work to prevent the breach. Once the breach is secured, we will begin an investigation as to the cause. We have external teams we work with to ensure a thorough, swift and unbiased investigation.

After the appropriate investigation, we will send security incident notifications, including to customers, business partners and law enforcement.

As with downtime incidents, we will put in place plans so similar incidents will not happen in the future.

PHYSICAL SECURITY

TurboPatent uses Amazon Web Services (AWS) as its sole cloud provider. AWS provides an ISO 27001 and SOC 2 compliant data center (AWS Compliance). TurboPatent stores data only on those AWS services that are covered by AWS’s ISO 27001 and SOC 2 certifications.

DATA LOCATION

All of TurboPatent’s servers operate in the AWS us-east-1 region, which is located in Northern Virginia (though some data in this region may be stored in the Pacific Northwest). All data (including backups) within an AWS region is isolated to that region, and AWS doesn’t replicate data automatically across regions (AWS Regions and Availability Zones).

We make it a priority to ensure that customer data is not stored or transferred across national borders.