Trust and Security at Thoughtful Automation
Security is built directly into our development lifecycle, by performing both automated security scans and red team style penetration tests on every build and deployment.
Thoughtful customers use SOC 2 Type II to assess and address the risks associated with third-party technology services. The information you gain from a SOC 2 Type II report allows you, as a Thoughtful customer, or your auditors to perform critical risk assessment procedures and lets you know whether the related control objectives were achieved on a specified date.
Thoughtful is proud to be HIPAA compliant. HIPAA stands for the Health Insurance Portability and Accountability Act. HIPAA compliance is the process by which covered entities protect and secure a patient's healthcare data, or Protected Health Information.
Thoughtful defines information security related roles and responsibilities across the organization: Executive management (CEO, COO, CTO); Employees and contingent staff.
The information security functions, roles and responsibilities are organized and defined by the Trust and Security Management Board (TSMB), which establishes and ensures the security governance within the organization.
Intrusion prevention and detection systems and firewalls are in place to protect our network.
Separation of test, development and operational facilities is ensured.
Appropriate anti-malware protection is maintained.
Regular backups of essential business information are maintained through Amazon Web Services for Thoughtful online services. An appropriate backup cycle is used and documented.
Event logs recording user activities, exceptions, faults and information security events are produced, kept and regularly reviewed.
Information about technical vulnerabilities of information systems being used is obtained in a timely fashion and the organization’s exposure to such vulnerabilities is evaluated and appropriate measures are taken to address the associated risk.
Thoughtful conducts periodic reviews of security policies and practices through independent third-party auditing services, as well as internal assessments as deemed appropriate. The policies are reviewed and updated regularly to ensure that they comply with changes to the law, adopted standards, organizational policies, contractual obligations and that they are appropriate to the risks faced by the company.
Thoughtful informs all employees and contractors regarding their obligations around information security. We provide annual training to our employees to help improve the company’s cyber hygiene and protect Thoughtful assets.
Thoughtful utilizes a decentralized office approach to leverage cloud-based services. Users are not dependent on specific office locations to perform their duties. Data processing environments maintain redundancy to meet availability requirements. Systems are built with failovers within availability zones.
Thoughtful has a strong process in place to provide a rapid and effective response to security incidents, in order to minimize risks while ensuring the availability of information systems.
In order to respond to incidents effectively and in a timely manner, Thoughtful Incident Management teams are ready to take the necessary actions to contain the threat, eradicate the source of the incident and restore the affected systems, information and data.
Incident responders track incident root causes and lessons learned in the incident management system and propose continuous improvements to system and data owners.
Based on the material nature of a major incident, the Thoughtful legal team will initiate contact with affected parties outside of Thoughtful in accordance with regulatory and contractual obligations.
Physical security measures are designed to prevent unauthorized physical access or damage caused by physical and environmental threats to Thoughtful's employees, premises, system and network devices and information, as well as interruptions to the organization's activities. The level of security measures, policies and procedures implemented are commensurate with the risks and particular legal, regulatory or contractual requirements associated with each facility.
Access to premises is monitored through access controls, such as individual badges, and through video surveillance. Asset movement controls are in place and the buildings are protected against seismic, flood and other similar risks. Data availability and continuity of service are ensured by using top cloud service providers.
Thoughtful maintains a Third-party Vendor Risk Management Program through which it assesses and manages the risks assumed by the nature of relationships with vendors and contractors that receive, store, process or host Thoughtful data or have access to Thoughtful network and systems.
Thoughtful concludes data protection agreements and imposes security requirements on its vendors in order to ensure that its sub-contractors implement at least the same level of confidentiality and data security as that applicable to Thoughtful.
Thoughtful maintains the right to perform audits in order to monitor the compliance of its sub-contractors with the agreed technical and organizational measures regarding data confidentiality and security.
Only industry-standard algorithms for encryption and key strength approved by Thoughtful Engineering and IT departments are used to encrypt Thoughtful data and assets used in production or business use cases. At minimum, Thoughtful encryption is used to protect Thoughtful and customer or third-party non-public data in transit across public environments.
Additionally, encryption is used to protect Thoughtful and customer or other third-party data over which Thoughtful has custodianship at rest. Thoughtful uses known Certificate Authorities for the issuance of public key certificates. Keys have defined activation and deactivation dates so they can only be used for a limited period of time, and they are protected from modification, loss, destruction and unauthorized disclosure during their use, storage and handling (lifecycle). Keys are replicated or duplicated as necessary to execute backup and disaster recovery activities.
The use of cryptography is monitored to ensure compliance with applicable regulations.
Thoughtful ensures that employees agree to terms and conditions concerning confidentiality and information security appropriate to the nature and extent of access they will have to the organization’s assets and that go beyond the duration of the employment contract.
Upon termination of a work relationship, all access to information environments is removed and company assets are retrieved.
Responsibilities regarding information security are communicated to Thoughtful employees, and they are informed that disciplinary action can be taken against them for violations of policies and procedures. We make sure all Thoughtful employees receive awareness training regarding Thoughtful policies as well as security risks and the protection of sensitive data.
Thoughtful takes preventive measures prior to employment in the form of Background Checks, as prescribed by our Background Checks Policy.
Devices which access Confidential Information are adequately protected, according to Thoughtful's Information Security Policy. Thoughtful will, in limited circumstances, allow users to utilize their personal devices to access Thoughtful business resources. Users' responsibilities and access to mobile devices containing non-public corporate information are restricted and controlled according to the BYOD Policy.
Thoughtful devices have security measures enforced on them and are monitored for compliance deviations. Software installation on all Thoughtful systems is controlled by our operational security policy, which restricts and tightly controls the installation of unwanted software.
Teleworking is part of our culture and we do our best to make sure it is done securely. Teleworkers who access any Thoughtful business information from remote locations are required to comply with the Acceptable Use Policy and the BYOD Policy.
Thoughtful has controls in place to mitigate the risk of improper and insecure disposal and destruction of data, technology equipment and components owned by Thoughtful, including shredding hardcopy records which contain internal and confidential information, overwriting or physically destroying removable media, erasing or destroying mobile devices and securely erasing storage space allocated by cloud services, according to the cloud provider's methodology.
Our Acceptable Use Policy restricts the storage of Customer Data locally, on the user’s device or on removable media.
For more information on the deletion of customer data, request to see our Data Retention Policy.
Thoughtful has defined and communicated to its employees the requirements for acceptable use of Thoughtful's resources in order to mitigate the risk of unauthorized access to Thoughtful equipment, as well as unauthorized use and modification of information assets. These include clear desk and clear screen rules, data handling requirements, password maintenance, equipment security and breach reporting / incident notification.
Within Thoughtful, information assets are protected throughout the information life cycle, including entry into Thoughtful's systems, secure data transmission, and appropriate data access, storage, retention and disposal.
Thoughtful requires all its employees, contractors and third parties to respect a set of security measures when handling Thoughtful devices and information, as defined in the Acceptable Use Policy.
All Thoughtful assets holding Confidential Data have an identified Asset Owner and are kept in an inventory that covers the entire lifecycle from purchase to disposal. Return of all equipment and secure disposal of data upon contract termination with employees or contractors is ensured.
All Thoughtful information assets are appropriately classified in terms of value and legal and contractual requirements, to enable employees to handle them appropriately.
Thoughtful employs a strong Password Policy, along with multi-factor authentication and single sign-on on all enterprise applications and systems. Users have the responsibility to maintain the confidentiality of their passwords, as described in the Password Policy.
Users are only granted access to business resources that they have been specifically authorized to use in accordance with defined access control policies and processes. The access rights of all users to information are granted as appropriate for conducting their duties and removed upon resignation or termination of employment, contract or agreement, or adjusted upon a change in role.
Access to all systems is protected by two factor authentication and a strong password policy. Users' access to business applications is controlled and logged. Thoughtful has logging enabled for log-on activities on systems and generates alerts for unusual log-on behavior.
Owners of critical business systems and applications have the responsibility to grant, review and remove users’ access, as defined in Thoughtful's Identity and Access Control Policy and giving consideration to the concepts of least privilege and segregation of duties.
Thoughtful has a risk management process in place based on which it designs the set of security controls meant to reduce security risks to an acceptable level. A Risk Assessment is conducted at least annually and identified risks are mitigated according to risk severity and business priorities and captured in a Risk Treatment Plan.
Thoughtful recognizes the importance of implementing appropriate technical and organizational security measures in order to prevent any unauthorized access, disclosure, alteration or destruction of the data it handles. For this purpose, Thoughtful implements industry-standard security controls and maintains a comprehensive security program.