Talkwalker Security Practices

Last updated: August 1, 2024

Talkwalker maintains organizational and technical measures (“Security Practices”) to protect information you provide to us (“Customer Information”) from loss, misuse, and unauthorized access or disclosure. These measures take into account the sensitivity of the information Talkwalker collects, processes and stores; the current state of technology; the costs of implementation; and the nature, scope, context, and purposes of the data processing Talkwalker engages in.

Where used in this Security Practices document, “Talkwalker Services” means the Services defined in the Talkwalker Terms of Service. Capitalized terms not defined in this document have the meanings given to them in the relevant terms of service applicable to your access to and use of the Talkwalker Services.

The Security Practices include:

1. Assigned Security Responsibility. Talkwalker has a designated security official and security team responsible for overseeing the development, implementation, and maintenance of its Security Practices.

2. Personnel Practices.

a. All of Talkwalker’s employees:

  1. are bound by Talkwalker policies regarding the confidential treatment of Customer Information;
  2. receive security and privacy training during onboarding and on an ongoing basis at least annually thereafter, and supervision at a level and substance that is appropriate to their position;
  3. are required to read and sign information security and privacy policies covering the confidentiality, integrity, availability and resilience of the systems and services Talkwalker uses in the delivery of the Talkwalker Services.

b. Talkwalker maintains appropriate controls to restrict its employees’ access to the Customer Information that you and your Authorized Users make available via the Services, and to prevent access to Customer Information by anyone who should not have access to it.

c. Talkwalker conducts appropriate pre-employment screening commensurate with the sensitivity of a role, which may include criminal background checks for particularly sensitive positions, where permissible by law.

3. Compliance and Testing. Talkwalker undergoes a rigorous audit process for security-related certifications or attestations for its Services. The respective certifications or reports for each of the Services are set out in our Trust Centre (https://trustcenter.hootsuite.com/).

a. Service Organization Control (SOC) Reports: Talkwalker undergoes a SOC 2 Type II audit annually, performed by an independent third-party auditor. A copy of Talkwalker’s most recent report is available upon request to existing customers, or to prospective customers who agree to hold the report in confidence under a Talkwalker form of non-disclosure agreement.

b. External Pentest: The web application of the Services is subjected to annual penetration testing performed by an independent third party.

4. Access Controls. Talkwalker has and will maintain appropriate access controls, including:

a. Policies and procedures that address onboarding, off-boarding, transition between roles, regular access reviews, limitations and usage control of administrator privileges, and inactivity timeouts;

b. Segregation of conflicting duties and areas of responsibility;

c. Maintaining current and accurate inventories of computer and user accounts;

d. Enforcing the principles of “least privilege” and “need to know”;

e. Reviewing user access rights on a regular basis to identify excessive privileges;

f. Triggering a CAPTCHA after a number of invalid login attempts; and

g. Password requirements that include a defined minimum complexity, and password changes after the first login.

5. Multi-Factor Authentication.

a. Access to the systems used by Talkwalker employees and contract personnel is controlled by multi-factor authentication. This means that all Talkwalker employees and contractors are required to provide an additional authentication factor, beyond their password, in order to gain access to any system used in the provision of the Services.

b. Talkwalker also supports multi-factor authentication capability for its Customers and their Authorized Users in respect of their use of the Services (as a tool for their use in maintaining the security of their accounts).

6. Single Sign-On.

a. Talkwalker has implemented single sign-on (SSO) company-wide to ensure greater and more centralized access control to the systems used by Talkwalker employees and contract personnel.

b. Talkwalker also supports SSO capability for Enterprise customers that wish to ensure greater and more centralized access control to their accounts.

7. Data Encryption.

a. All Customer Information is encrypted at rest and in transit. The Services support the latest secure cipher suites and protocols to encrypt all traffic in transit. Talkwalker currently supports only TLS 1.2 or above on its website.

b. Talkwalker monitors the changing cryptographic landscape closely and makes commercially reasonable efforts to upgrade the Services to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve.

8. Logging and Intrusion Detection.

a. All systems used in the provision of the Services, including firewalls, routers, network switches, and operating systems, log information to secure log servers in order to enable security reviews and analysis.

b. Talkwalker maintains an extensive, centralized logging environment in its production environment which contains information pertaining to security, monitoring, availability, access, and other metrics about the Services. Logs are analyzed for security events via automated monitoring software, overseen by Talkwalker’s security team.

c. Talkwalker monitors the Services for unauthorized intrusions using network-based and host-based intrusion detection mechanisms.

9. Network Protection. In addition to system monitoring and logging, Talkwalker has implemented firewalls. Ports not utilized for delivery of the Services are blocked by configuration with our data center provider.

10. Host Management. Talkwalker performs automated malware and vulnerability scans on its production workloads and uses commercially reasonable efforts to remediate any findings that present a material risk to the Services environment. Talkwalker enforces malware scans, screen lockouts and the usage of full disk encryption for company laptops.

11. Disaster Recovery.

a. When your use of the Services requires Talkwalker’s systems to store Customer Information, such Customer Information is stored redundantly at multiple locations in Talkwalker’s hosting provider’s data centers to ensure availability. Talkwalker has backup and restoration procedures to allow recovery from a major disaster, where applicable.

b. Customer Information and Talkwalker’s source code are automatically backed up on a nightly basis. Talkwalker’s operations team is alerted in the event of any failure of this system. Backups are fully tested to confirm that these processes and tools work as expected.

12. Physical Security. Depending on the Service selected, Talkwalker currently uses Hetzner Online GmbH (Hetzner) and Amazon Web Services (AWS) for its production data centers to provide the Services. Hetzner and AWS were selected for their high standards of both physical and technological security, and hold internationally recognized certifications and accreditations demonstrating compliance with rigorous international standards: in the case of AWS, ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, and PCI DSS Level 1; in the case of Hetzner, ISO 27001.

13. Security Policies and Procedures. Talkwalker implements and maintains security policies and procedures that align with the ISO/IEC 27001 Standard. In particular, the Services are operated in accordance with the following policies and procedures:

a. Customer passwords are stored using a one-way salted hash.

b. Customer authentication logs are captured to safeguard customer data and to aid in the investigation of security incidents.

c. Customer passwords are not logged.

d. Talkwalker personnel will not set a defined password for a user. Passwords are reset to a random value (which must be changed on first use) and delivered automatically via email to the requesting user.

14. Product Design Security Practices. New features, functionality, and design changes go through a review process facilitated by Talkwalker’s security team. In addition, Talkwalker’s code is tested and manually peer-reviewed prior to being deployed to production. Talkwalker’s security team works closely with its product and engineering teams to resolve any additional security or privacy concerns that may arise during development.

15. Incident Management & Response. Talkwalker maintains robust security incident management policies and procedures for incident response. Talkwalker notifies impacted customers without undue delay of any unauthorized disclosure of their Customer Information by Talkwalker or its agents of which Talkwalker becomes aware, to the extent permitted by law.