What security measures does Text, Inc. implement to protect the data?
As a company offering its services in SaaS model we are aware that the security of our clients and their data is crucial. We treat security as a basic aspect of our business. We know that it is a matter of trust.
All technical and organizational safeguards we apply - such as encryption, access control, vulnerability management, and breach response - are comprehensively described in our Data Processing Addendum. This includes the Standard Contractual Clauses (SCCs), which form an integral part of our framework for lawful international data transfers.
We regularly review and update our safeguards to reflect evolving regulations and best practices. For a full overview of our implemented measures, please refer to Exhibit B of the DPA.
What internal security measures does Text follow?
We follow strict security and monitoring procedures, including:
Documented security standards and policies
Mandatory confidentiality agreements for personnel
Training and awareness programs
Role-based access control for staff
Segregation of Clients Data to prevent unauthorized access
What technical safeguards are in place?
Annual penetration testing of Text Services
Web Application Firewall (WAF) to mitigate DDoS attacks
Mobile Device Management (MDM) and Endpoint Detection & Response (EDR) for staff devices
Software Supply Chain scanning for vulnerabilities
GRC (Governance, Risk & Compliance) solution for risk management
Vendor management program ensuring we only cooperate with trusted partners
What security certifications do you rely on?
We use trusted cloud providers that comply with internationally recognized security standards.
Where is my data stored?
Your data is hosted on secure cloud infrastructure provided by Google Cloud, with data centers located in:
United States (Texas, Iowa)
European Union (Frankfurt, Germany)
These facilities are protected by multiple security clearances, physical safeguards (including on-site security), and comply with industry standards such as SSAE16 (SOC2 Type II).
Is Text App a single tenant or multi-tenant? If multi-tenant, what steps have been taken to secure the data from being accessed by other tenants?
The application is multi-tenant, so the data for each license is accessible only to accounts assigned to the license; the person that wants access to license data, needs a corresponding login and password. This is the basic logic behind the whole application infrastructure, and it’s not possible to access other users’ data, as the access request without needed credentials will be considered an unauthorized call and denied. Also, one set of credentials (login + password) can be used for one license only.
How is client Data compartmentalized?
Client Data is logically separated within our systems to prevent unauthorized cross-access between clients. Access requires unique administrator credentials and follows strict, based-on-permission controls.
Who has access to the servers?
Because Text uses a cloud infrastructure model, our staff does not have physical access to servers. Access to Client Data is strictly limited to authorized personnel who need it for their work and is governed by confidentiality agreements and strict internal security policies.
How is my data protected in transmission?
All connections to the Text ServicesApp are encrypted using 256-bit TLS (versions 1.2 and 1.3).
Communication with our systems is routed through Akamai (Content Delivery Network).
What password policy applies to Text users?
Each user has a unique ID
Passwords must be at least 12 characters long and include:
1 number
1 capital letter
1 special character
Two-factor authentication (2FA) is available and strongly recommended
All login status changes are logged
Do you have an incident management process in place?
Yes, we have breach detection, investigation, and internal reporting procedures in place. In case of any management incident, we are ready to react immediately to protect your data from unjustified disclosure or any other infringement.
What should I do if I suspect an incident has occurred?
Please contact us promptly via support@text.com or chat with us on our website.
Do you have a DR plan? How quickly could you restore from a data backup if you suffered a major loss, and what is the maximum amount of data that might be lost?
Yes, we have a DR plan; each part of the system can be restored within 24 to 48 hours (considering a complete disaster). Moreover, each instance of the whole infrastructure is multiplied, so losing a single instance will not cause the service to degrade. Provided time refers to the flood scale of the disaster.
What are your processes for identifying and remediating vulnerabilities in your application and the underlying software and infrastructure?
Running an external audit, fixing all found vulnerabilities, testing the implemented fix, and iterating this procedure until the issue is fixed and periodic systems scanning with tools for automatic issue recognition.
Do you have any DDoS protection in place?
Yes, we do have DDoS protection provided by Akamai.
How can I retrieve my chat history or personal data?
You can request your stored chat history or personal data at any time by emailing support@text.com. Please use the email address associated with your Text Services subscription to verify your identity. Data will be provided within 30 days.
What domains do I need to whitelist for Text Services?
To ensure the Text Services works properly, please add the following domains to your firewall exceptions:
*.static-text.com
*.text.com
*.files-text.com
*.livechat.com
*.livechatinc.com
*.livechat-static.com
*.recurly.com
For webhooks, please whitelist:
185.177.172.0/22
Please note: Our CDN and anti-DDoS infrastructure rely on tens of thousands of edge servers, so we cannot provide a full IP list. We recommend filtering traffic by domain name rather than IP.
How to identify Phishing Attempts in Text Services?
Phishing isn’t restricted to emails. Real-time communication channels, including Chats are not exempt from phishing threats. It’s essential to be vigilant and knowledgeable about potential signs to protect yourself and your data. Here are some key indicators to consider:
1. Check the Sender’s Claim: A mismatch between a claimed identity and the apparent username can be suspicious. Be cautious if the sender claims to be from a well-known organization but uses a generic or suspicious username.
2. Analyze Embedded Links: Avoid clicking on links immediately. Avoid clicking on any links sent to you in a chat unless you are certain they are genuine. Keep an eye out for unusual URLs or any slight discrepancies.
3. Refrain from Disclosing Personal Information: It’s a red flag if you are asked for personal, financial, or other sensitive data during a chat, especially if it’s not relevant to the conversation. For any such requests, it’s recommended to contact the organization directly through official channels.
4. Urgency and Threat Tactics: Be cautious with urgent or suspicious requests, especially those demanding quick actions or offering too-good-to-be-true deals, can be signs of phishing.
5. Evaluate Language and Structure: Look for Language Errors, like typos, grammar issues, or unusual phrasing can be indicative of phishing attempts, as reputable companies generally have quality control for their communications and ensure their communications are clear and free from errors.
6. Report Suspicious Chats and seek assistance: If a chat appears questionable, reach out to your organization’s IT or security sector for further examination.
Note: Our Support Heroes will only contact you through the chat for debugging purposes, and we always inform you beforehand. We will never ask for personal or sensitive data during a chat.