Every aspect of TalkJS has been designed with security and privacy in mind. We foster a security-conscious engineering culture to ensure that we’re always ahead of the curve with this. For example, all communication with TalkJS is forced to go over encrypted channels (HTTPS) — TalkJS simply refuses to work without encryption.
We strongly recommend customers use Identity Verification to ensure that malicious users cannot peek into other users’ accounts. We protect our application servers and our database using industry-standard techniques including firewalls, stringent access controls and sane employee policies.
TalkJS only collects the minimum amount of user data necessary to function, and we consider that data to be yours, not ours. You can read more about this on our page about the EU General Data Protection Regulation (GDPR) and in our list of user data subprocessors.
Our security-first culture
We cultivate a team culture that is highly focused on security. All employees treat customer data as a liability, not an asset. It is your data, which we store for you as a service.
To that end, we carefully designed all APIs so that TalkJS never collects more than the absolute minimum of user data necessary to function. For example, you only need to send us email addresses if you need TalkJS to send email notifications.
Here’s a selection of steps that we take to ensure that TalkJS is built and operated at the highest levels of security and user privacy:
- All data is encrypted at rest and in transit (note: we contractually guarantee perpetual at-rest encryption in our Enterprise Plan)
- No tracking or analytics software is in place
- We regularly audit our security installation and our security-related policies
- Only key employees get production server access, and go through an extensive vetting process first. Employee contracts enforce confidentiality with respect to this access.
- We reduce the vulnerability surface area by outsourcing
Installing TalkJS on-premise
The TalkJS Enterprise Plan permits installing TalkJS on your own servers. If you do this, the security effort is shared between TalkJS and our customer. TalkJS, of course, needs to ensure that the software itself is not vulnerable. At the same time, our customer is responsible for keeping the application server on which TalkJS runs securely configured, with no backdoors.
Similarly, TalkJS stores its data in a customer-managed PostgreSQL database which will need to be secured and properly configured by the customer. We’ll be glad to help with this, of course, but in general, in an on-premise situation, TalkJS will be as secure as your infrastructure is.