Data Protection and Information Security


Protecting customer and partner data is a critical responsibility and top priority at Twist. Our customers and partners trust us with confidential information that could become the basis of their intellectual property. For Twist, protecting critical customer data means implementing robust security measures that safeguard sensitive and confidential information from unauthorized access, breaches, and cyber threats, including encryption, secure storage systems, and strict access controls. We have established clear data handling policies, regularly train employees on security best practices, and stay compliant with, and even ahead of, relevant national and international data protection regulations. Regular security audits and updates to our systems are essential to address emerging vulnerabilities.

Twist’s Information Security program, like our Quality, Privacy, and Biosecurity programs, is built upon the foundation of international standards and is overseen by experts in the field and rigorously and continuously scrutinized.

Twist is ISO 27001-certified to the most up-to-date 2022 revision of the standard. An accredited, independent certification body audits Twist each year to make sure that all working parts of our Information Security program – our People, our Processes, and our Technology – comply with or exceed the standard. Our Board of Directors oversees all efforts at the highest level of the company.

People, Process, Technology

People


All company employees are trained in our Cybersecurity Awareness program, which covers phishing and social engineering. The program includes yearly training, quarterly testing, and weekly informational campaigns to keep digital safety high in our team’s consciousness.

We perform employee background checks, clearly delineate roles and responsibilities, apply a strict philosophy of least privilege governing access control, and we build segregation of duties into our policies and operations.

We partner with compliance experts, penetration testers, security operations center teams, law firms specializing in cybersecurity, and national and global agencies including the Center for Internet Security (CIS), MITRE, the United States Computer Emergency Readiness Team (US-CERT), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI).

Our Executive Leadership Team (ELT), Audit Committee (AC), and Product Approval Committee (PAC) are all regularly briefed on the company’s cybersecurity posture and provide guidance on strategy and priorities.

The Board is briefed semi-annually on our cybersecurity landscape, roadmap, and maturity.

Process


  • Annual audits and re-certification for ISO 27001 to ensure that our data protection practices comply with applicable laws and cybersecurity best practices.
  • Annual risk assessment run by the Information Security team and sponsored by the CIO.
  • Annual penetration testing performed by an accredited, third-party agency.
  • Continuous vulnerability scanning and mitigation, both in our code and in our services.
  • Quarterly access control reviews for all significant applications.
  • Incident Response, Business Continuity, and Disaster Recovery policies and procedures to deal with cybersecurity incidents or natural disasters.
  • Supply chain management, including security assessments during vendor selection and ongoing vendor assessments.
  • Company privacy policy and privacy practices that are in line with applicable personal data protection laws and regulations.

Technology

  • Production infrastructure housed in AWS SOC-audited data centers.
  • AI-driven endpoint protection and gateway security.
  • Identity lifecycle management.
  • Single Sign-On, Multi-factor Authentication, and VPN.
  • Secrets and privileged access management.
  • At-rest and in-transit encryption with KMS.
  • Next-gen firewall technology, segmented networks, and certificate-based authentication.