Security

Responsible disclosure program

At TopFunnel we embrace the security community and we operate a responsible disclosure program to facilitate security vulnerability reporting:

  • If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at security@topfunnel.co. We will acknowledge your email within one week.
  • Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within ten business days of disclosure.
  • Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the TopFunnel service. Please only interact with domains you own or for which you have explicit permission from the account holder.

While researching, we’d like you to refrain from:

  • Distributed Denial of Service (DDoS)
  • Spamming
  • Social engineering or phishing of TopFunnel employees or contractors
  • Any attacks against TopFunnel’s physical property or data centers

Connections and hosting

TopFunnel is served over TLS only. All internal API calls and connections are also over TLS.

We use Amazon Web Services (AWS) and have no physical infrastructure or physical access to the servers themselves. Our production databases are on Amazon RDS and S3. Please refer to Amazon’s SOC2 report for an in-depth audit report. Our databases are encrypted at rest; all data and backups are also stored encrypted at rest.

How we handle credentials

All user tokens are encrypted with 256-bit AES, widely considered to be amongst the top ciphers. Keys are rotated at the earliest of the following events: monthly, on employee attrition, or upon a suspicious activity report. TopFunnel encrypts tokens immediately upon receipt. They are never stored or transmitted in the clear.

Data we collect

We store email data, and we integrate with ATSes, such as Greenhouse, for which we store ATS users, ATS candidates, and ATS jobs.

We access only the minimum email data that we need. For emails that are generated by TopFunnel, those message bodies can be seen internally. Access to raw headers is limited to the production devops team.

For emails that are generated by TopFunnel we store the full message body. For these messages we use the full body to tune our emails. For all other emails, we store the metadata (headers) only. We never access or store the body or attachments of these emails.

Recipient and sender headers are saved so that TopFunnel can protect your brand when a user tries to contact someone that the team has previously contacted.

Additional message headers, such as message IDs, are used to detect replies to messages. This helps TopFunnel report on performance metrics like raw activity and response rates, as well as control follow-up messages.

Miscellaneous

We have a mandatory security policy in force for all employees. More specialized security policies apply at the department level.

For production access, our admin team is required to enable 2FA and use a strong, random password stored inside a password manager. Historical encryption keys are stored in a shared admin password vault.

No employees other than the devops production team can see customer data. All access to customer data is logged. Production data never leaves its environment, not even for development. Customer data is never stored on laptops, which are required to be encrypted. TopFunnel orders grey box, open code assessments (penetration tests), both for vulnerabilities and secure coding practices, twice per year.

All code requires mandatory peer review and automated security review.

TopFunnel is in the process of a SOC2 Type I compliance audit. We also run a responsible disclosure program for security researchers.

Our entire engineering team is involved in security. Our CEO takes all security matters personally. Email to security@topfunnel.co will alert all engineers and the CEO.

TopFunnel will make application and database logs available in the case of a security incident via RESTful API.