Encrypting data in transit
All traffic to Teamleader passes through an SSL-encrypted connection, and we only accept traffic through port 443. A report of our SSL configuration can be found here.
During a first website visit, Teamleader sends a Strict Transport Security Header (HSTS) to the user agent, ensuring that all future requests will be made via HTTPS. Even if a link to Teamleader is specified as HTTP.
AWS security practices
Teamleader uses Amazon Web Services (AWS) to store user data. These servers undergo recurring assessment to ensure compliance with the latest industry standards, and continually manages risk. By using AWS as our data center, our infrastructure is accredited by:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- C5 Operational Security
- ENS High
More information about AWS security can be found here.
Password policy and storage
To access Teamleader, you need to provide a strong password of at least 6 characters. We do not store these user passwords in plain text, we only store one-way encrypted password hashes using open source audited Bcrypt, including a per-user-random-salt. This protects users against rainbow table attacks and encrypted password matching.
If users enter incorrect passwords multiple times in a row, the account will be temporarily locked to prevent brute-force attacks. To protect account access further, users can activate Two-Factor Authentication using Google Authenticator or Authy through the user account security settings.
Request throttling and tracking
We block requests originating from known, vulnerable IP addresses or ranges.
Requests that originate from the same IP are throttled and rate-limited to avoid potential misuse.
XSS and CSRF Protection
To block Cross-Site Scripting Attacks (XSS), all output is escaped by default in our back-end application before hitting the browser potentially causing XSS attacks. We avoid using returning raw data, as this could potentially cause unwanted data to be sent to the browser.
Our application blocks requests that do not originate from our own domain(s), to help reduce the risk of Cross Site Request Forgery (CSRF) attacks; For important actions, we also use CSRF-tokens.
Ethical hacking program
We’ve set up an ethical hacking program in close collaboration with Intigriti.com. As we speak, a group of independent security specialists are continuously testing the security of our application, which helps us spot and eliminate potential weaknesses.
Our team uses strong, unique passwords for Teamleader accounts and has set up Two-Factor Authentication for each device and service they use. All Teamleader employees are encouraged to use password manager software (LastPass, 1Password, …) to generate and store strong passwords.
We also make sure to encrypt local hard drives and enable automatic screen locking. All access to application admin functionalities is restricted to a select group of people.