We take our responsibility to protect and secure your information seriously and strive for complete transparency around our security practices.
Updated 28th of November, 2023
Our infrastructure and applications are secured following industry best practices:
Our platform is hosted on Microsoft Azure, and we utilize numerous controls for ensuring confidentiality, integrity, and availability of the services. We utilize data centers and service providers on various continents to support customer and legislative requirements (e.g. for personal data transfers).
We follow the GDPR. We minimize the collection of Personally Identifiable Information and protect the gathered data using defined Technical and Organizational Measures. PII data in our systems consists only of our Customers' authorized user(s), i.e. the Analysts using HappySignals Service. We do not collect PII of the users responding to the surveys. We do not sell customer data or PII to third parties. Data retention is agreed with the customers.
ISO/IEC 27001 certification. HappySignals Service and all related development, management and operations processes and procedures are ISO 27001 certified. We run the Information Security Management System continuously to ensure that all domains of the framework are covered.
We use CIS benchmarks to create secure-by-default configurations, to mitigate cyber-attacks and their impact on our platforms, technologies, and systems.
In software development we embrace the Security First approach, so that potential security issues and risks are addressed as early as possible. Access to the code and infrastructure is strictly limited. All changes follow a change management procedure, and all commits to the code are peer-reviewed.
We use third parties to test HappySignals Service and infrastructure to ensure that our controls are effective and that our teams have not missed anything. These tests include the typical security assessment elements and vulnerability scanning, as well as, for example, the evaluation of design and logic flaws, programming issues, and misconfigurations. All findings are assessed according to our ISMS.
Encryption at rest. Your data is stored in services that are FIPS 140-2 compliant. Data, including backups, is encrypted on disk. The service uses the AES 256-bit cipher for storage encryption, and the keys are system-managed. Storage encryption is always on and cannot be disabled.
Encryption in transit. All client connections use TLS 1.2 or later, and we have disabled support for weak cipher suites.
Our staff is trained on security issues at least annually. All new employees must participate in security training during their onboarding. Employees must prove their competence before they are granted access to the Product platform and systems.
New employees are screened and their background is checked according to the local laws.
We commit to notifying our customers within 24 hours in case we identify a security incident that might have an impact on customer data, or in case the security incident is evaluated as high/critical. We utilize a third-party Forensics and Incident Response partner to ensure appropriate investigation of such incidents.
Disaster Recovery Process. Ensuring the availability of the platform is our core business requirement. The systems and services are designed with a focus on high availability, and we evaluate our disaster recovery procedures regularly.
Our Privacy Policies can be found here, and the description for the end-users (survey responders) of our data collection is available in the Survey Data document.
Our staff will happily provide you with documentation of our practices if requested. For more information, please contact support@happysignals.com