circle-info
New Release: Cypress is now live. Parallel paths for curated and un-curated data.
Twig Help Docsarrow-up-right
search
Twig.so

Security Best Practices

Comprehensive security guidelines for protecting your Twig AI deployment and data.

hashtag
Account Security

hashtag
Password Policy

Strong Passwords:

  • Minimum 12 characters (16+ recommended)

  • Mix of uppercase, lowercase, numbers, symbols

  • Unique per service (use password manager)

  • No dictionary words or personal info

Password Manager:

  • 1Password, Bitwarden, LastPass

  • Generate random passwords

  • Secure storage

  • Team vaults for shared access

hashtag
Multi-Factor Authentication (MFA)

Enable MFA:

  • Required for admin roles

  • Strongly recommended for all users

  • Use authenticator app (not SMS)

  • Backup codes stored securely

Supported Methods:

  • TOTP authenticator apps (Google, Authy)

  • Hardware keys (YubiKey, Security Key)

  • SMS (less secure, backup only)

hashtag
Account Monitoring

Monitor for:

  • Unusual login locations

  • Failed login attempts

  • New device logins

  • Permission changes

  • Suspicious activity

hashtag
API Security

hashtag
API Key Management

Best Practices:

Key Rotation:

  • Rotate every 90 days

  • Different keys per environment

  • Revoke immediately if compromised

  • Monitor key usage

Scoped Keys:

hashtag
Network Security

HTTPS Only:

  • All API calls over HTTPS

  • Certificate pinning (mobile apps)

  • TLS 1.3 preferred

IP Whitelisting:

Rate Limiting:

  • Implement client-side rate limiting

  • Respect 429 responses

  • Use exponential backoff

hashtag
Request Security

Input Validation:

Output Encoding:

  • Escape HTML in responses

  • Sanitize URLs

  • Validate JSON

hashtag
Data Security

hashtag
Data Classification

Level
Examples
Controls

Public

Marketing materials

Standard

Internal

Company docs

Auth required

Confidential

Customer data

Encryption + RBAC

Restricted

Financial, PII

Encryption + MFA + Audit

hashtag
Encryption

At Rest:

  • AES-256 for databases

  • Encrypted file storage

  • Encrypted backups

  • Key management (AWS KMS)

In Transit:

  • TLS 1.3

  • Perfect forward secrecy

  • Strong cipher suites

  • Certificate validation

hashtag
Data Access

Principle of Least Privilege:

  • Grant minimum necessary access

  • Time-limited access for contractors

  • Regular access reviews

  • Remove unused permissions

Data Segregation:

  • Organization data isolation

  • No cross-org data access

  • Separate environments (dev/staging/prod)

hashtag
Application Security

hashtag
Secure Configuration

Agent Settings:

Deployment:

  • Staging environment for testing

  • Gradual rollout

  • Rollback procedures

  • Health checks

hashtag
Secure Integrations

OAuth Security:

  • Use state parameter (CSRF protection)

  • Validate redirect URIs

  • Short-lived authorization codes

  • Secure token storage

Webhook Security:

  • Verify signatures

  • HTTPS endpoints only

  • Rate limit webhook handlers

  • Validate payloads

hashtag
Operational Security

hashtag
Access Control

User Management:

  • Regular access reviews

  • Remove inactive users (90 days)

  • Verify role assignments

  • Audit group memberships

Privileged Access:

  • Limit Super Admin role (2-3 users)

  • Require MFA for admin accounts

  • Monitor admin activity

  • Regular recertification

hashtag
Logging & Monitoring

Comprehensive Logs:

  • Authentication events

  • Authorization failures

  • Data access

  • Configuration changes

  • API calls

  • Errors and exceptions

Monitoring:

  • Failed login attempts

  • Unusual access patterns

  • Performance anomalies

  • Security events

Alerting:

hashtag
Incident Response

Preparation:

  • Incident response plan documented

  • Team roles defined

  • Escalation procedures

  • Contact list maintained

Response Process:

  1. Detection and analysis

  2. Containment

  3. Eradication

  4. Recovery

  5. Post-incident review

Communication:

  • Internal notification channels

  • Customer notification templates

  • Regulatory reporting procedures

hashtag
Vulnerability Management

hashtag
Patch Management

Regular Updates:

  • Security patches applied within 48 hours

  • Platform updates monthly

  • Dependency updates weekly

  • Zero-day vulnerabilities: Immediate

hashtag
Vulnerability Scanning

Continuous Scanning:

  • Automated daily scans

  • Dependency vulnerability checks

  • Container image scanning

  • Code analysis (SAST)

hashtag
Penetration Testing

Annual Testing:

  • External penetration test

  • Internal vulnerability assessment

  • Social engineering tests

  • Report and remediation

hashtag
Third-Party Security

hashtag
Vendor Assessment

Sub-Processor Review:

  • Security questionnaires

  • Compliance verification

  • Contract terms

  • Regular reassessment

Current Sub-Processors:

  • AWS (SOC 2, ISO 27001)

  • OpenAI (SOC 2, enterprise agreement)

  • Pinecone (SOC 2)

  • Stripe (PCI Level 1)

hashtag
Integration Security

OAuth Integrations:

  • Minimum required scopes

  • Token encryption

  • Regular token rotation

  • Revocation procedures

hashtag
Developer Security

hashtag
Secure Coding

Practices:

  • Input validation

  • Output encoding

  • Parameterized queries

  • Error handling (don't leak info)

  • Secure dependencies

Code Review:

  • Peer review required

  • Security review for sensitive changes

  • Automated security scanning

hashtag
API Security

Implementation:

hashtag
Security Checklist

hashtag
Initial Setup

hashtag
Ongoing (Monthly)

hashtag
Ongoing (Quarterly)

hashtag
Annual

hashtag
Reporting Security Issues

hashtag
Responsible Disclosure

Found a security vulnerability?

Email: [email protected]

Include:

  • Description of vulnerability

  • Steps to reproduce

  • Impact assessment

  • Suggested fix (if known)

We commit to:

  • Acknowledge within 24 hours

  • Provide updates every 3-5 days

  • Fix critical issues within 48 hours

  • Credit researchers (with permission)

hashtag
Bug Bounty Program

Status: Enterprise customers only

Contact [email protected] for details.

hashtag
Resources

hashtag
Next Steps

PreviousComplianceNextOrganization Settings

Last updated