Security Whitepaper
Security at ServiceTitan
ServiceTitan is committed to protecting services from security threats. This whitepaper details the many different measures and technologies we have in place to protect our customers' data and provide uninterrupted services.
This whitepaper provides a comprehensive overview of ServiceTitan's information security program, including data protection, infrastructure, compliance certifications, and personnel standards.
Trust, transparency, and protection of customers' data. High availability and continuity of service. Risk and compliance aligned to industry standards.
Overview
Program Objectives
ServiceTitan's information security program is based on best practices in the SaaS industry. Our goals when executing this program are:
Trust, Transparency, and Protection of Customers' Data: ServiceTitan is committed to protecting our customers' data and keeping their information private and confidential. We are also committed to transparency and will respond proactively in any situation.
High Availability and Continuity of Service: You can follow service status live at status.servicetitan.com
Risk & Compliance: Compliance profiles (e.g. ISO, NIST, SOC) have a list of controls. We evaluate our SaaS solution, including technology and operations, against these controls.
Infrastructure
Data Centers
Each facility is designed to run 24 hours a day, seven days a week, 365 days a year, and employs numerous measures to protect operations from power failure, physical intrusion, and network outages. The data centers have a minimum of two sources of electrical power. In case of a power outage, the data centers immediately switch to a built-in uninterruptible power supply (UPS) and then to in-house diesel generators that can run for at least 72 hours. All equipment is fully redundant (2N + 1).
Physical servers are specifically produced for our high-performance data center and follow the Open Compute Project (OCP) specifications. These specifications are designed by companies like Facebook, Intel, Google, Apple, Dell, Rackspace, Cisco, Juniper Networks, Goldman Sachs, Fidelity, and Bank of America. Server security is enhanced through a hardening process before moving to production to reduce the attack surface. During this process, selected unnecessary services, applications, and network protocols are disabled or removed.
📌 Note: ServiceTitan data centers use a disk disposal process that complies with NIST SP 800-88 R1, Guidelines for Media Sanitization. Disks are physically destroyed to render the recovery of data impossible.
Physical Security
Tall fences encompass every inch of the perimeter. There are cameras around the data centers, with a physical security team monitoring their videos at all times. The data center entrance is staffed with professional security officers who have undergone rigorous training and background checks. These security officers also routinely patrol the data center facility.
Visitors must be pre-authorized before entering the data centers and are escorted by security during the entire visit. Inside the building, everyone must pass two-factor authentication with biometrics. Everyone must pass a full body metal detection screening prior to exiting the facility.
Data Security
Data Protection
Backups and Disaster Recovery
Our database infrastructure is redundant locally and replicated off-site. Full backups are performed daily, and incremental backups are performed every 15 minutes. Archive logs are also shipped off-site to allow point-in-time customer database restores. Images and attachments are stored on a distributed SDS object store with multiple copies in one location and geo-redundancy (hundreds of miles from the original binaries). These object stores have 16 9s of uptime. ServiceTitan backs up all data to different cloud regions to ensure our site can be restored in the event of an outage.
Data Integrity, Isolation, and Availability
With failover at the application tier, the application data model is designed to guarantee data integrity by modeling data transactions into transaction units that are committed to the database in one batch. If a database instance goes offline, the pending transactions resume once the database is reestablished. Databases are mirrored on-site and at another independent data center.
⚠ IMPORTANT
- Tenant customer information is stored using different schemas for each tenant and separate clusters to segregate groups of tenants, providing isolation from potential attacks.
Network Isolation
Only permitted traffic on specific TCP ports can traverse ServiceTitan edge connectivity. Platform servers are allocated to their respective security groups, characterized by specific security settings (TCP/IP level), and supplemented by individual instance-level stateful firewalls. Separate VNETs are used to split production, payments, testing, and development environments.
Data Encryption in Transit
ServiceTitan provides secure communications on the Internet by supporting only current versions of Transport Layer Security (TLS) and current cipher suites. TLS ensures that all data transmitted between ServiceTitan servers and browsers remains encrypted. Additionally, our PKI uses certificates issued by trusted Certificate Authorities (CAs) to authenticate servers and ensure data integrity while in transit.
Certificate Creation Auditing and Monitoring
ServiceTitan monitors and audits certificate creation for its subdomains using certificate transparency (CT) logs and a proprietary tool, which efficiently identifies mistakenly or maliciously issued certificates.
Operations
Cloud Infrastructure Management
Operating System, Middleware, and Applications
Operating systems deployed to production are designed to have a small footprint optimized for security. To enhance security and prevent program misbehavior caused by stack and heap overflow attacks, binaries that run in user space are compiled with stack smashing protection. This hardened version of the operating system is also optimized to run in distributed, ephemeral, and immutable environments, thus mitigating the risk of advanced persistent threats. Default or manufacturer-issued passwords are changed or deleted. All computing resources in our data centers are continuously scanned for vulnerabilities and misconfigurations.
Vendor Management
Only software that vendors actively support is used. Active support means that vendors release security updates and fixes to known application issues. Once our engineers determine that the software is no longer necessary to meet our business goals, the product is decommissioned from our data centers.
Change Control
Our formal change control process minimizes the risk associated with system changes. Our methodology includes steps to verify that threats have been considered, inter-dependencies have been explored, and necessary policies and procedures have been weighed and applied before any change is authorized. All changes related to removing products, adding new products, or changing configurations go through a formal review process before being promoted to production.
User Provisioning
User provisioning is performed during onboarding based on an employee's role within the team and authorized by a user's supervisor for any non-role-based access required for an employee to perform their job duties. Upon termination, employee and contractor access is deprovisioned. People Operations also notifies system owners of user terminations to ensure access is appropriately deprovisioned. Any data owned by a terminated employee is transferred to their supervisor for continued process support.
Authentication
ServiceTitan maintains a strong centralized authentication platform to ensure that only authorized workforce members are able to authenticate. This platform provides assurance that workforce members are who they say they are at the time they connect to an information system. Two-factor authentication is mandated for all employees at ServiceTitan regardless of their access to the data center. User authentication also considers aspects such as user location and equipment fingerprint. User IDs are unique and never reused. Access to ServiceTitan resources from embargoed countries is prohibited and strictly enforced according to national mandates.
Authorization
ServiceTitan has implemented a strong internal authentication and authorization system based on industry standards. Access management procedures stem from an Access Management policy consisting of authentication, authorization, logging, and review requirements. Authorization to system resources is limited based on the principle of least privilege.
Reliability
Resiliency
DDoS Protection
ServiceTitan is equipped to handle modern DDoS attacks, including common attacks against layers 3, 4, and 7, such as UDP amplification, HTTP flood, and attacks against third-party partners, such as DNS flood.
Real-Time System Monitoring
Our servers are continuously monitored against anomalies such as high CPU/disk utilization and abnormal data transfer, providing ServiceTitan with immediate insights and alerts that are used to troubleshoot and prevent potential disruptions to our systems.
Production servers and code are constantly scanned using both internal and external tools for potential security vulnerabilities in the web application, architectural weaknesses, misconfigurations, and known weaknesses. ServiceTitan's security tools provide constant intelligence to discover, locate, alert, prioritize, confirm, and mitigate exposures.
Compliance
Compliance and Industry Certifications
ServiceTitan is continuously expanding its portfolio of security and compliance certifications and attestations. The following are some of the most commonly requested compliance certifications and attestations, which are available to all customers and prospects under NDA. Copies of these documents and many others are available at ServiceTitan's Smart Trust Center.
| Certification | Description |
|---|---|
| AICPA SOC 1 Type I | System and Organization Controls 1, or SOC 1, is an independent auditor attestation of ServiceTitan's controls that apply to financial reporting. It concentrates on the service organization's system, the suitability of the system controls for achieving control objectives, and the description of the system as of a specified date. |
| AICPA SOC 2 Type II | The SOC2 Type 2 report is an independent auditor's attestation of ServiceTitan's security controls and the suitability of how those controls achieve their objectives. |
| PCI-DSS Level 1 | The Payment Card Industry Data Security Standards (PCI-DSS) is a set of prescriptive requirements that an organization must adhere to be considered compliant. ServiceTitan's ongoing attestation of compliance with PCI DSS level 1, the most stringent PCI compliance level, results from annual audits performed by an independent PCI Qualified Security Assessor (QSA). |
| Data Center Certifications | The data centers we utilize are fully redundant and designed to meet rigorous examinations signifying elevated skill in information security and related best practices: ISO 27001, ISO 27018, SOC 1, SOC 2, SOC 3, CSA STAR, PCI DSS, FedRAMP, HIPAA. |
Data Handling
Privacy
ServiceTitan acts as a data processor. This means we process data on behalf of our customers and follow the strict policies and procedures we have contractually agreed to. Our customers control the data. We do not mine customer data for purposes such as marketing research or advertising, and we don't sell it to third parties. These same principles are also enforced on the companies we subcontract to perform services.
💡 Transparency: Linked from our home page, you can find our privacy policy, which is written in plain English. It provides information on the types of information we collect, how we use personal data, and other essential information, including how to contact us with privacy-related questions or comments.
Cyber Insurance
ServiceTitan maintains insurance coverage to lower the financial impact of cyber incidents. The policy includes coverage for events like data breaches, system failures, cyber extortion, bricking, telephone fraud, funds transfer fraud, and crypto-jacking.
People
Personnel Standards
Hiring Practices
ServiceTitan has hiring practices that are designed to help ensure that new employees are qualified for their job responsibilities. Prior to the start of the hiring process, each role is assigned a documented job description with input from the manager and team leaders within the department and People Operations. Applicants pass through an interview process that assesses their qualifications related to the expected responsibility level of the individual. ServiceTitan conducts pre-employment reference checks from information provided on the employment application. For domestic employees, HR conducts background investigations relating to past employment history and criminal activity for certain positions as deemed necessary by management. HR policies and practices are documented in our Employee Handbook.
Once hired, management conducts employee performance evaluations systematically and relates them to the Company's goals. Employees are provided with measurable objectives and are subject to periodic performance reviews to help ensure competence. Managers give each employee at least one formal written performance review per year.
General Employee Training
ServiceTitan invests significant resources in employee development by providing on-the-job training and other learning opportunities. New employees participate in an orientation program, which acquaints them with the organization, its affiliated companies, functions, values, products, and selected policies.
Security awareness training is mandatory for all ServiceTitan employees and covers topics such as security threats, privacy principles, safe computing, physical security, and data protection and handling. Internal phishing campaigns and social engineering penetration tests inspired by incidents seen in the industry are used to test employee awareness and security savvy. The security training program includes virtual newsletters, cybersecurity-themed escape rooms, and a plethora of activities such as capture-the-flag competitions, tabletop exercises, internal phishing campaigns, social engineering assessments, and a "Phish a Phriend" competition, to mention a few.
Information Security Staff Qualifications
Avid contributors to the security industry, our staff members are involved with numerous global initiatives. Our staff have received and been nominated for multiple awards and hold numerous industry certifications:
Engineering
Software Development Process
Engineering Training
Due to the dynamic nature of information security, industry taxonomies are periodically updated. To that end, ServiceTitan engineers are required to take secure coding training every year. In addition, the information security team sponsors Capture the Flag (CTF) events to provide engineers with an opportunity to use their offensive and defensive skills in scenarios very close to real-life ones. Technical training is provided in addition to the mandatory employee security awareness training.
Engineering Practices
All software written for or deployed on systems incorporates defensive programming practices to avoid common coding vulnerabilities and be resilient to high-risk threats. Code analysis tools are used to review and verify that secure coding practices such as the Open Web Application Security Project (OWASP) Top 10 Most Critical Application Security Risks ('OWASP Top 10') and the Common Weakness Enumeration (CWE)/SANS Top 25 Most Dangerous Software Errors ('CWE/SANS Top 25') are followed during software development. Manual code reviews are performed by individuals other than the originating developer to ensure proper segregation of duty is in place.
Auditing and Testing
ServiceTitan uses a combination of internal security professionals and external security firms to conduct security assessments. These tests are designed to ensure that applied security controls are adequate to protect user information and workflow. In addition, ServiceTitan performs simulated emergencies (tabletop exercises) involving a cross-functional team with key company leaders to discuss the actions they would take during a crisis and test the incident response plan. The activity serves to clarify roles and responsibilities and identify additional mitigation and preparedness needs.
Software Bill of Materials (SBoM) and Remediation
An inventory of all software components (proprietary and open-source) is dynamically generated based on the actual components that make up the product. The software bill of materials (SBOM) provides visibility into the software supply chain and into the license compliance, security, and quality risks that may exist.
We scan projects for vulnerabilities in open-source and third-party components published in the National Vulnerability Database (NVD), security advisories, or issue trackers. The scans include dependencies of dependencies, vulnerability CVEs, and open-source licensing model information. Commercial suppliers of software components and services are scrutinized and required to provide evidence that a good security program is in place and followed.
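The kind of SBOM scan described above, as an added example that is not ServiceTitan's own tooling: it walks the transitive dependency graph of a constructed SBOM, matches each component against a constructed advisory feed (placeholder advisory IDs, not real CVEs), and reports the dependency path and license for every hit, so that vulnerabilities reached only through dependencies of dependencies are still surfaced.

```python
from typing import Dict, List

# Constructed SBOM: "name@version" -> license and direct dependencies.
# Component names, versions and licenses are illustrative only.
SBOM: Dict[str, dict] = {
    "webapp@1.0.0": {"license": "Proprietary",
                     "depends_on": ["json-lib@2.3.1", "http-client@4.0.0"]},
    "json-lib@2.3.1": {"license": "MIT", "depends_on": ["string-utils@0.9.2"]},
    "http-client@4.0.0": {"license": "Apache-2.0",
                          "depends_on": ["string-utils@0.9.2", "tls-helper@1.2.0"]},
    "string-utils@0.9.2": {"license": "MIT", "depends_on": []},
    "tls-helper@1.2.0": {"license": "BSD-3-Clause", "depends_on": []},
}

# Constructed advisory feed keyed by exact "name@version".
# IDs are placeholders in the CVE-0000-* range, not real identifiers.
ADVISORIES: Dict[str, List[str]] = {
    "string-utils@0.9.2": ["CVE-0000-00001 (placeholder)"],
    "tls-helper@1.2.0": ["CVE-0000-00002 (placeholder)"],
}


def scan_sbom(root: str, sbom: Dict[str, dict],
              advisories: Dict[str, List[str]]) -> List[dict]:
    """Depth-first walk from the root component; one finding per
    (component, advisory, dependency path). A component reachable by two
    paths is reported twice so each path can be remediated."""
    findings: List[dict] = []

    def walk(component: str, path: List[str]) -> None:
        meta = sbom.get(component)
        if meta is None:
            # Component missing from the SBOM: record it as a coverage gap.
            findings.append({"component": component, "advisory": "NOT_IN_SBOM",
                             "license": None, "path": path})
            return
        for advisory in advisories.get(component, []):
            findings.append({"component": component, "advisory": advisory,
                             "license": meta["license"], "path": path})
        for dep in meta["depends_on"]:
            if dep not in path:          # guard against dependency cycles
                walk(dep, path + [dep])

    walk(root, [root])
    return findings


def transitive_only(findings: List[dict], root: str) -> List[dict]:
    """Findings whose path has more than one hop below the root, i.e. reached
    only through a dependency of a dependency."""
    return [f for f in findings if len(f["path"]) > 2 and f["path"][0] == root]


if __name__ == "__main__":
    for f in scan_sbom("webapp@1.0.0", SBOM, ADVISORIES):
        print(f["advisory"], f["license"], " -> ".join(f["path"]))
```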
Incident Management
Response
ServiceTitan strives to make our response and mitigation processes effective and expedited. We continuously monitor the threat landscape and collaborate with security researchers and multiple organizations in the security community, such as OWASP, ISSA, CISO forums, CISA, and the Cloud Security Alliance, to resolve incidents rapidly. We have pre-selected, and negotiated legal agreements with, an internationally recognized forensics and cyber extortion firm to provide a fast and tailored response.
A dedicated team continually monitors alerts from various systems in our data centers and corporate environment. Cases are tracked and investigated. The team also performs threat hunting on the dark web for potential indicators of compromise. On several occasions, ServiceTitan responsibly disclosed indicators of compromise in customer environments (unrelated to ServiceTitan) before the customer was aware of them.
📌 Note: Our Information Security team includes proud members of InfraGard, a non-profit organization serving as a public-private partnership between U.S. businesses and the Federal Bureau of Investigation (FBI).
Application Security
Software Security Controls
Role-Based Access Control (RBAC)
ServiceTitan provides the means to restrict system access to authorized users using Role-Based Access Control (RBAC), enabling customers to delegate administrative tasks while maintaining high standards for security. This highly scalable and policy-neutral access control mechanism is defined around roles and privileges to facilitate security administration in large organizations with hundreds of users and thousands of permissions.
Password Policies and Brute Force Attacks Mitigations
Our SaaS offering supports the use of complex, strong passwords with a minimum length of 10 characters. When a user chooses a new password, the password is checked against a database of 4.7M passwords that were compromised in a breach. If a match is found, ServiceTitan requires the user to enter a new, secure password.
Passwords are stored securely using an irreversible key derivation algorithm aimed at reducing the odds of successful brute force attacks. Brute force attacks against our login page are also mitigated using a challenge-response authentication protocol. Each password reset request includes a One-Time Passcode (OTP), an additional level of protection, often seen in Online Banking, to authorize sensitive transactions. Multi-factor Authentication (MFA) and fine-grained password policy control are available for tenants who opt to use our Azure Active Directory Services product integration.
Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA) technology is used to defend against bots that try to brute force their way into ServiceTitan (e.g. credential stuffing attacks). CAPTCHA will appear on the login screen after three incorrect password attempts.
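The three login controls described above (minimum length plus breached-password check, irreversible password hashing, and a CAPTCHA gate after three failed attempts), as an added example that is not ServiceTitan's code. The breached-password set is a constructed stand-in for the 4.7M-entry database, and PBKDF2-HMAC-SHA256 is used as the irreversible key derivation function (the page does not name the algorithm ServiceTitan uses).

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

MIN_PASSWORD_LENGTH = 10        # from the whitepaper
CAPTCHA_AFTER_FAILURES = 3      # from the whitepaper
PBKDF2_ITERATIONS = 200_000     # assumed work factor

# Constructed stand-in for the breached-password database (sample values only).
BREACHED_PASSWORDS = {"password123", "qwertyuiop", "letmein2020"}


def check_new_password(candidate: str) -> Tuple[bool, str]:
    """Reject passwords shorter than the minimum or found in a known breach."""
    if len(candidate) < MIN_PASSWORD_LENGTH:
        return False, "too_short"
    if candidate in BREACHED_PASSWORDS:
        return False, "breached"
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated, one-way hash; the stored string carries its own parameters."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


class LoginGate:
    """Counts consecutive failures per account; once the threshold is reached,
    every further attempt must present a solved CAPTCHA before the password
    is even checked, which blunts automated credential-stuffing."""

    def __init__(self) -> None:
        self.failures: Dict[str, int] = {}

    def captcha_required(self, username: str) -> bool:
        return self.failures.get(username, 0) >= CAPTCHA_AFTER_FAILURES

    def attempt(self, username: str, password: str, stored_hash: str,
                captcha_solved: bool = False) -> str:
        if self.captcha_required(username) and not captcha_solved:
            return "captcha_required"
        if verify_password(password, stored_hash):
            self.failures[username] = 0        # success resets the counter
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "invalid"
```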
Onion Routing Blocking
The Onion Router (Tor) is an open-source privacy network that permits users to browse the web anonymously. ServiceTitan blocks access to visitors using Tor, as the tool is often used for illicit purposes.
Encrypted Card Readers
ServiceTitan offers customers the option to adopt credit card readers with encryption support. Using this technology is the most secure way to prevent card data theft on tablets infected with RAM-scraping malware. The card data is encrypted before it enters the tablet and remains fully encrypted until it reaches its final destination.
Resources
Stay in Touch: Subscribe to Our Smart Trust Center
Our Smart Trust Center provides an easy way for customers to obtain information related to privacy, security, and compliance, as well as to subscribe to security notifications and report a security concern. Some of the documents you will find on the portal include:
- SOC 1 report
- SOC 2 report
- PCI certification
- Security whitepapers
- Industry-standard security questionnaires
- Our privacy policy and terms of service
- General information about our security processes and capabilities
To access the Smart Trust Center portal, visit security.servicetitan.com and request an account.