Security Controls
Thena has implemented and maintains the information security controls listed below to protect personal data during storage, processing, and transmission.
Security Control Category
Description
Information Security Program

In accordance with our SOC 2 Type II compliance program, we maintain policies, procedures, and practices documenting our technological, administrative, and procedural safeguards relating to the privacy, security, integrity, and availability of personal data.

Our information security framework includes periodic audits, assessments, and employee privacy and security training.

Risk Assessment

We undergo annual independent third-party SOC 2 Type II audits that include a risk assessment of the threats to the privacy, confidentiality, security, integrity and availability of personal data, the likelihood that these threats occur, and measures to mitigate these risks. We conduct penetration testing of the network and our application to evaluate the security of our production environment.

Data Collection, Retention and Disposal

We only collect the personal data we need to accomplish our business purposes, including names, business email addresses, links to Slack profile pictures, and Slack user metadata. We do not store users’ conversation data on our systems.

When a customer uninstalls our solution, we securely dispose of the personal data in our possession by deleting the customer’s data from our systems.

Personnel Background Checks

We conduct background checks on all of our employees using Checkr.

Personnel Training and Education

We regularly train all our employees on our information security program, the importance of the security, confidentiality, and privacy of personal data, and the risks to our company and its customers associated with security incidents.

Access Controls

We only permit access to personal data, sensitive information systems, and our premises to authorized employees based on their role and with prior approval.

Terminated employees are prevented from accessing personal data and lose access to all devices and applications upon termination.

Secure User Authentication

In accordance with our SOC 2 Type II compliance program, we maintain policies, procedures, and practices documenting our technological, administrative, and procedural safeguards relating to the privacy, security, integrity, and availability of personal data.

Our information security framework includes periodic audits, assessments, and employee privacy and security training.

Encryption

All communication between customer systems and our platform is encrypted in transit (TLS 1.2/HTTPS).

All stored data, session cookies, and backups are encrypted at rest. Our databases are also encrypted using custom keys for additional security.

We use industry-standard encryption and a monitoring agent to protect the data stored on company laptops.

Network Security

We store all personal data on private networks that require VPN to access, and we conduct biannual penetration testing to evaluate the security of the network.

Malicious Code Detection

We have implemented Snyk to detect and remedy malicious or insecure code designed to perform an unauthorized function on, or permit unauthorized access to, any information system.

We remediate any malicious or insecure code promptly upon identification.

Vulnerability and Patch Management

We conduct biannual vulnerability assessments to detect vulnerabilities on the network, and we have implemented processes to remediate any detected vulnerabilities.

Application Security

We maintain application security and software development controls, including private networks, custom key encryption, and biannual penetration testing, to detect and prevent the introduction of security vulnerabilities.

Change Controls

Prior to implementing code changes, our employees follow a documented change management process to assess the potential security and product impact of such changes.

We document all changes to our information systems as part of merge requests.

Off-Premise Information Security

We monitor and document the movement of records or media using Vanta, an automated security and compliance platform.

We have implemented strict password protection on all personal devices that access our systems.

Physical Security

We maintain restrictions on physical access to our offices and information systems through the implementation of strict access controls that are recorded in a digital registry.


SECURITY

Last Updated: 07/14/2022
Thena maintains a comprehensive, written information security program that contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of Thena’s business; (b) the type of information that Thena will store; and (c) the need for security and confidentiality of such information.

Thena’s security program includes:

1. Security Awareness and Training:

A mandatory security awareness and training program for all members of Thena’s workforce (including management), which includes:
(1.1) Training on how to implement and comply with its Information Security Program; and

2. Access Controls:

Policies, procedures, and logical controls:
(2.1) To limit access to its information systems and the facility or facilities in which they are housed to properly authorized persons;
(2.2) To prevent those workforce members and others who should not have access from obtaining access; and
(2.3) To remove access in a timely basis in the event of a change in job responsibilities or job status.

3. Physical and Environmental Security:

Controls that provide reasonable assurance that access to physical servers at the production data center, if applicable, is limited to properly authorized individuals and that environmental controls are established to detect, prevent and control destruction due to environmental extremes. These controls are implemented by Amazon Web Services (AWS) and they are listed here: https://aws.amazon.com/compliance/data-center/controls/. Specific to Thena:
(3.1) Logging and monitoring of unauthorized access attempts to the data center by the data center security personnel;
(3.2) Camera surveillance systems at critical internal and external entry points to the data center, with retention of data per legal or compliance requirements;
(3.3) Systems that monitor and control the air temperature and humidity at appropriate levels for the computing equipment; and
(3.4) Redundant power supply modules and backup generators that provide backup power in the event of an electrical failure, 24 hours a day.

4. Security Incident Procedures:

A security incident response plan that includes procedures to be followed in the event of any security breach. Such procedures include:
(4.1) Roles and responsibilities: formation of an internal incident response team with a response leader;
(4.2) Investigation: assessing the risk the incident poses and determining who may be affected;
(4.3) Communication: internal reporting as well as a notification process in the event of unauthorized disclosure of Customer Data;
(4.4) Recordkeeping: keeping a record of what was done and by whom to help in later analysis and possible legal action; and

5. Contingency Planning:

Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, pandemic flu, and natural disaster) that could damage Customer Data or production systems that contain Customer Data. Such procedures include:
(5.1) Data Backups: A policy for performing periodic backups of production data sources, as applicable, according to a defined schedule;
(5.2) Disaster Recovery: A formal disaster recovery plan for the production data center, including:
  (i) Requirements for the disaster plan to be tested on a regular basis, currently twice a year; and
  (ii) A documented executive summary of the Disaster Recovery testing, at least annually, which is available upon request to customers.
(5.3) Business Continuity Plan: A formal process to address the framework by which an unplanned event might be managed in order to minimize the loss of vital resources.

6. Audit Controls:

Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information.

7. Data Integrity:

Policies and procedures to ensure the confidentiality, integrity, and availability of Customer Data and protect it from disclosure, improper alteration, or destruction.

8. Storage and Transmission Security:

Security measures to guard against unauthorized access to Customer Data that is being transmitted over a public electronic communications network or stored electronically. Such measures include requiring encryption of any Customer Data stored on desktops, laptops or other removable storage devices.

9. Secure Disposal:

Policies and procedures regarding the secure disposal of tangible property containing Customer Data, taking into account available technology so that Customer Data cannot be practicably read or reconstructed.

10. Assigned Security Responsibility:

Assigning responsibility for the development, implementation, and maintenance of Thena’s security program, including:
(10.1) Designating a security official with overall responsibility;
(10.2) Defining security roles and responsibilities for individuals with security responsibilities; and
(10.3) Designating a Security Council consisting of cross-functional management representatives to meet on a regular basis.

11. Testing:

Regularly testing the key controls, systems and procedures of its information security program to validate that they are properly implemented and effective in addressing the threats and risks identified. Where applicable, such testing includes:
(11.1) Internal risk assessments;
(11.2) ISO 27001 and ISO 27018 certifications; and
(11.3) Service Organization Control 1 (SOC1) and Service Organization Control 2 (SOC2) audit reports (or industry-standard successor reports).

12. Monitoring:

Network and systems monitoring, including error logs on servers, disks and security events for any potential problems. Such monitoring includes:
(12.1) Reviewing changes affecting systems handling authentication, authorization, and auditing;
(12.2) Reviewing privileged access to Thena production systems; and
(12.3) Engaging third parties to perform network vulnerability assessments and penetration testing on a regular basis.

13. Change and Configuration Management:

Maintaining policies and procedures for managing changes Thena makes to production systems, applications, and databases. Such policies and procedures include:
(13.1) A process for documenting, testing and approving the patching and maintenance of the Thena Product;
(13.2) A security patching process that requires patching systems in a timely manner based on a risk analysis; and
(13.3) A process for Thena to utilize a third party to conduct application level security assessments. These assessments generally include testing, where applicable, for:
  (i) Cross-site request forgery
  (ii) Services scanning
  (iii) Improper input handling (e.g. cross-site scripting, SQL injection, XML injection, cross-site flashing)
  (iv) XML and SOAP attacks
  (v) Weak session management
  (vi) Data validation flaws and data model constraint inconsistencies
  (vii) Insufficient authentication
  (viii) Insufficient authorization

14. Program Adjustments:

Monitoring, evaluating, and adjusting, as appropriate, the security program in light of:
(14.1) Any relevant changes in technology and any internal or external threats to Thena or the Customer Data;
(14.2) Security and data privacy regulations applicable to Thena; and
(14.3) Thena’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

15. Devices:

Ensuring that all laptop and desktop computing devices utilized by Thena and any subcontractors when accessing Customer Data:
(15.1) will be equipped with a minimum of AES 128-bit full hard disk drive encryption;
(15.2) will have up to date virus and malware detection and prevention software installed with virus definitions updated on a regular basis; and
(15.3) will maintain virus and malware detection and prevention software so as to remain on a supported release. This will include, but not be limited to, promptly implementing any applicable security-related enhancement or fix made available by the supplier of such software.