We take our responsibility to protect and secure your information seriously and strive for complete transparency around our security practices.
29.10.2019
Our SaaS infrastructure is secured following industry standard best practices. Our SaaS Cloud platform, hosted by Microsoft, offers numerous ways to implement and tighten application security and to monitor unauthorised access and other intrusions by default. We have built our security controls on top of this framework. We have data centres at our disposal on all continents and can therefore ensure compliance with local jurisdiction when it comes to e.g. personal data transfers and similar restrictions.
We follow the GDPR. We have minimised the gathering of PII (Personally Identifiable Information) and protect the gathered data as dictated by the GDPR. PII data in our systems consists only of our Customers' authorized users, i.e. the Analysts using HappySignals Analytics. Data retention, when it comes to PII data, is documented and monitored.
Our PII data is controlled and protected with such controls as:
- Only the account owner can access their segregated account data, using their private password.
- We enforce a strong password policy.
- Passwords are stored hashed and salted.
- Access to an account is logged, tracked, and audited.
- Brute-force attempts are automatically prevented.
In software development we embrace a Security First approach, which addresses potential data breaches and risks to data up front in application development. For change management there is a straightforward process that involves our DPO, CTO and Lead Tech. This allows us to ensure the integrity and security of each change. We do our development following Agile Methodologies.
We use third party companies to test our applications and our infrastructure continuously to prevent any unauthorised access to your data and to the internal data we use to run our business. A PEN test (penetration test) is done by a third party after each major release, and at least biannually. This PEN test covers Reconnaissance, Scanning, Exploitation, Design and logic flaws, Programming flaws and Misconfigurations of both our applications and infrastructure. We mitigate any findings immediately. An executive summary of the latest PEN test is available on request.
Your data is stored in services that use storage encryption for data at rest and are FIPS 140-2 compliant. Data, including backups, is encrypted on disk. The service uses the AES 256-bit cipher for storage encryption, and the keys are system managed. Storage encryption is always on and can't be disabled.
Data in transit is protected by TLS 1.2/SSL.
Our staff are trained at least biannually on security issues by our DPO (Data Protection Officer). All staff members must go through this training, and attendance and records of completed trainings are held by the DPO. Only authorized personnel can administer systems or perform security management and operational functions. Authorisation for and implementation of changes are segregated responsibilities wherever appropriate to the organisation. Data access for our staff is granted according to the least privilege principle.
New employees (after Q3 2019) are screened with background checks by the proper authorities.
HappySignals' physical premises are protected by CCTV and electronic keys, and access is restricted to authorized personnel only.
We are moving towards full compliance with the ISO 27001 standard, which helps us design and maintain the processes needed to embrace change and mitigate risks in our work. This work is underway and led by our CTO.
We have a SIRP (Security Incident Process), which defines roles and responses for any incident, from alerts to classification, communications and mitigation of the findings. We have a dedicated Security Incident team consisting of our Senior Technicians and Management, including the CTO and Tech Lead.
We have a documented Disaster Recovery Process which is tested at least biannually.
Our staff will happily provide you with documentation of our practices if requested.
For more information, please contact firstname.lastname@example.org