#community-help

Discussing Typesense Cloud Security and SOC Certifications.

TLDR Pradyuman questioned the security practices of Typesense. Kishore Nallan explained their practices but noted the lack of external auditing. Pradyuman recommended auditing tools and Jason agreed to consider them and to discuss their system's security over a call.

Nov 27, 2021 (26 months ago)
Pradyuman
05:21 AM
How do you think about security for Typesense Cloud? Are you working towards SOC certifications and/or having better documentation about your internal infrastructure security and pentest cadence (e.g. https://www.algolia.com/distributed-secure/security-compliance/)?

We'd like to use a hosted version of Typesense if possible, but we'll be indexing PII and need to have confidence that there isn't significant risk of a data breach on your end.
Kishore Nallan
05:28 AM
Is SOC-2 an end-user requirement, or are you looking for a SOC-2-like cadence in terms of the practices we follow?
Kishore Nallan
05:31 AM
Here are some of the things we already follow in view of security but we need to document this:

a) Every Typesense cluster runs on isolated infrastructure so every customer's data is isolated
b) Data is encrypted at rest on disk
c) Machines have SSH disabled
d) SSO based login (Github auth)
Kishore Nallan
05:33 AM
We have been part of SOC-2 compliant teams and processes in our previous jobs (including experience handling PCI data), so we're already checking most of the boxes in terms of best practices, but SOC-2 requires an external auditing process and we have not prioritised it at the moment.
Pradyuman
07:03 AM
It's not a requirement to be audited, although it would be great -- tools like Secureframe make it pretty easy to get audits nowadays (within 2-4 weeks if your internal processes are generally up to par).

For us, it's more just generally being comfortable with your security practices so we can feel confident there's not a risk of a data breach. So any documentation on that front would be super great (alongside any information regarding pen test cadence / bug bounty program). I'm happy to chat through this briefly on a call too if you don't have official documentation yet. As long as we're comfortable with the current state of the system and you have a path towards a more comprehensive and well-documented program, that will probably be sufficient for us at the moment.
Pradyuman
07:06 AM
For reference, these are a couple of the tools startups today use for SOC / ISO compliance.

Secureframe: https://secureframe.com/
Vanta: https://www.vanta.com/

We've used both and have gotten completed audits within 4 weeks (happy to make referrals to auditors if this is something you're interested in).

Jason
07:26 AM
Pradyuman SecureFrame and Vanta look interesting! Will look into it further.

For now, we don’t have this documented anywhere but happy to talk you through our practices over a quick call. Will email you with my availability.