Learn how Terality secures your data
In December 2021, Terality started the process of becoming a SOC 2 Type 2 audited platform.
Terality is a software-as-a-service solution. This enables us to provide our users with a fully managed solution.
When using Terality, data is securely copied to the Terality infrastructure (see below). No human at Terality will ever read your data, nor will Terality use your data in any way outside our proprietary data processing engine.
Terality is not meant to be a storage solution, but a compute engine. Therefore, data is deleted from the Terality infrastructure within a maximum of three (3) days after the Terality client session is closed. We also delete any backup of your data we may have.
While stored on the Terality infrastructure, your data is protected using all the industry security best practices, such as encryption in transit and at rest, and tight access controls.
Terality is currently hosted on Amazon Web Services, in the Frankfurt region.
When importing data from a cloud provider (e.g. AWS S3 or Azure Data Lake), Terality directly copies the data from and to the cloud provider's object storage service. This is done securely without ever communicating your cloud credentials to the Terality servers, and requires no special configuration on your part (so in most cases there is no need to request additional permissions from the team managing cloud access privileges).
We use different techniques depending on the cloud provider and integration:
- for AWS S3, the client generates presigned URLs (https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html) that are sent to the Terality server. Through these URLs, the Terality server gains temporary access to the objects to be copied. These URLs have a 1-hour lifetime, after which they become invalid and can't be reused.
- for Azure Data Lake, the client retrieves a user delegation key. This key is used to generate shared access signatures (https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview) for the objects to be copied. These signatures expire 1 hour after generation, and work similarly to the AWS presigned URLs.
We run all functions in a secure sandbox, bound to the user making the request. As this sandbox is not shared between users, no user can impact other users.