Team Policies

All Transloadit employees and freelancers/consultants that handle code or data, should sign our Consultancy Services Agreement. The agreements refers to this Work Policy, which contains more hands-on guidelines, that may evolve over time in correspondence with our team. This allows us to very specifically name fast moving technologies that would risk deprecating our contracts if we kept them there.

Security & Privacy

Customers and Vulnerability Researchers may find our Security page more relevant.

In addition to the confidentially clauses of our agreement, please take these up to date practical guidelines to heart.

To apply security best practices on the devices where the Confidential Information is kept:

  • Install software updates for your OS & apps regularly. This includes computer, phone, tablet, but also the firmware of routers, modems, and IOT equipment. Make sure they are up to date, and discard of devices that are EOL.
  • Do not connect to the internet without a firewall (e.g. by setting your modem in bridge mode).
  • On public/untrusted Wi-Fi (Wi-Fi that strangers can join: hotel, lan party, cafe), encrypt and tunnel work traffic via a VPN or SSH tunneling (if you can work exclusively from your browser). SSH traffic is excluded from this.
  • Use an encrypted harddrive.
  • Use 2FA where possible, and at least for GitHub, Google, Dropbox, NPM and other vital services.
  • Make a best effort to keep a papertrail of OS level / security logs for for 30 days or more.
  • Use an unpriviliged account (no root/Administrator) by default.
  • Use an audited and well established password manager to keep your passwords, do not save your passwords elsewhere. use the passwords manager's ability to install strong passwords for all your important accounts, private and work-related.
  • Only transmit secrets to collegues via Signal, after enabling auto-expiring messages.
  • Do not check out Transloadit's private repositories on servers or other devices, other than your primary workstation(s).
  • When creating accounts for Transloadit, never use a personal email address (but support@transloadit.com or billing@transloadit.com instead).

Miscellaneous

  • Section 3.1 of our Consultancy Services Agreement states that you need written agreement before adding Third-party code. When writing Pull Requests that include open source licensed code, an approval or merge by a repository admin counts as such.

Pagerduty Rotation

This section can be ignored if you are not in Pagerduty Rotation. If you are, please familiarize with these guidelines.

  • Transloadit’s goal is to be pager free. Systems should be made to autoheal where we can. All high severity pagers should be actionable. If they are not, and the respective system cannot be changed to stay within thresholds reliably, we should consider downgrading to low severity, or relaxing thresholds. The person on call that week has the biggest stake, and can take the lead in these discussions and efforts.
  • A pager shift’s duration is one week, starting Friday 16:00 CE(S)T until the next Friday 16:00 CE(S)T, after which, another teammate is on call.
  • A shift occurs once every three weeks. Less may become possible if Transloadit recruits more qualified personnel. More is not possible as per this agreement.
  • During a shift, the primary person on call:
    • is, outside office hours, no further than 30 minutes away from being effective on a workstation (a machine and location where they can expect with a very high degree of certainty to have the necessary applications, connectivity, electricity, and credentials to troubleshoot issues with Transloadit’s production platform. Try to optimize for less than 30 minutes, 30 should the the exception, not be the norm. It is better to swap duties than to take chances.
    • catches up on sleep by sleeping in, or taking naps. The Employee is only expected to work 80% of their regular engagement. Employee is not on call on Mon-Thu from 09:00-17:00 CE(S)T and on Friday from 09:00-16:00 CE(S)T, and is allowed to ”go out and swim”, as there are enough people present to troubleshoot issues.
    • does not do drugs. Depending on the person, e.g. moderate alcohol consumption may be acceptable. This is up to the discretion of the Employee, as long as they acknowledge that failing to troubleshoot a problem effectively due to intoxication will be seen as severe negligence. Clarification: what Employees do in their own time (that doesn't affect work performance), is absolutely none of Transloadit’s business.
    • is the first responder to acknowledge or resolve a pager. They must respond within 10 minutes of the first notification. This means carrying a phone that is not silent, has a loud/distinct enough ringtone or otherwise will be noticed even while asleep, that is closeby, has enough battery and connectivity, isn’t scheduled to receive an upgrade and reboot into zero connectivity unnoticed, etc. Depending on the severity of the pager, they should start solving the problem immediately or the next day.
    • makes sure to message or call a peer or senior if they are unable to adequately solve the problem, or if they are unsure about the severity or resolution. When in doubt, the founders should be messaged, then called if they do not respond. Hence, the primary person on call makes sure to have their current contact info.
    • makes sure to timely ask to trade shifts with another Employee if there are plans that conflict with the on-call duty. We explicitly recommend to trade when considering taking a chance on clubbing, as experience tells us it jeopardizes hearing the notification, getting away from the club in time, and a clear troubleshooting head.
    • is compensated with 150% their hourly rate for time they had to work outside office hours, rounded up to the nearest half-hour per incident. Potential travel time to the workstation counts as working hours. Up to $200 in lost expenses are reimbursable (you had to abort a dinner)
    • is compensated with 20% free time during office hours in the week that they had to be available, even if they did not receive a single pager

Do not stray from these guidelines without written permission by Transloadit's founders.