We take our responsibility to protect and secure your information seriously and strive for complete transparency around our security practices.
Updated 31 May 2022
Our infrastructure and applications are secured following industry best practices:
Our platform is hosted on Microsoft Azure, and we use multiple controls to ensure the confidentiality, integrity, and availability of the services. We use data centers and service providers on several continents to meet customer and legislative requirements (e.g. restrictions on personal data transfers).
We comply with the GDPR. We minimize the collection of Personally Identifiable Information (PII) and protect the data we do gather with defined Technical and Organizational Controls. The only PII in our systems is that of our customers' authorized users, i.e. the Analysts using HappySignals Analytics; we do not collect PII from the users responding to the surveys. We do not sell your data or PII to third parties. Data retention periods are agreed with each customer.
We use CIS Benchmarks to derive secure-by-default configurations for our platforms, technologies, and systems, reducing both the likelihood of a successful attack and its impact.
ISO/IEC 27001 certification. The HappySignals Product platform and all related development, management, and operations processes and procedures are ISO/IEC 27001 certified. We operate the Information Security Management System (ISMS) continuously so that every element of the framework remains covered.
In software development we follow a security-first approach, so that potential security issues and risks are addressed as early as possible. Access to the code and infrastructure is strictly limited. All changes follow a change management procedure, and all code commits are peer-reviewed.
We engage third parties to test our applications and infrastructure, to confirm that our controls are effective and that our teams have not missed anything. These tests include the typical security assessment elements and vulnerability scanning, as well as, for example, the evaluation of design and logic flaws, programming issues, and misconfigurations. All findings are assessed according to our ISMS.
Encryption at rest. Your data is stored in services that are FIPS 140-2 compliant. Data, including backups, is encrypted on disk using AES-256, and the encryption keys are system-managed, i.e. held and managed by the hosting platform rather than supplied by the customer. Storage encryption is always on and cannot be disabled.
Encryption in transit. All client connections use TLS 1.2 or later, and weak cipher suites are disabled.
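The TLS policy above can be expressed and checked locally. The following Python block is an added example, not HappySignals' code: it builds a client `ssl.SSLContext` that enforces TLS 1.2 as the minimum version and restricts TLS 1.2 to forward-secret AEAD suites, then audits the suites that context would actually offer (via `SSLContext.get_ciphers()`) for legacy protocols, NULL encryption, RC4, DES/3DES, MD5, short keys, static-RSA key exchange and anonymous authentication. The cipher string, the "weak" criteria and the sample legacy suite dictionary are assumptions chosen for the illustration; the check runs against the local OpenSSL library only and does not contact any HappySignals service.

```python
"""Offline check of a TLS client configuration against a stated policy:
TLS 1.2 or later only, and no weak cipher suites.

Added example, not HappySignals code. It builds a hardened client context
with Python's ssl module and audits the cipher suites that context would
offer, using only the local OpenSSL library (no network access).
"""
from __future__ import annotations

import ssl

# Everything below this version is refused during the handshake.
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2

# OpenSSL cipher string for TLS 1.2 (an assumed policy for this example):
# forward-secret key exchange (ECDHE) with AEAD bulk ciphers only. TLS 1.3
# suites are configured separately by OpenSSL and are all forward-secret AEAD.
STRONG_TLS12_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"

# Protocol labels OpenSSL uses for suites that predate TLS 1.2.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1", "TLSv1/SSLv3"}


def hardened_client_context() -> ssl.SSLContext:
    """Client context that only negotiates TLS 1.2/1.3 with strong suites."""
    ctx = ssl.create_default_context()     # certificate and hostname verification on
    ctx.minimum_version = MIN_TLS_VERSION  # rejects SSLv3, TLS 1.0 and TLS 1.1
    ctx.set_ciphers(STRONG_TLS12_CIPHERS)  # restricts the TLS 1.2 suite list
    return ctx


def weak_reasons(cipher: dict) -> list[str]:
    """Return the reasons a suite (a dict shaped like the entries returned by
    SSLContext.get_ciphers()) should not be offered; empty means acceptable."""
    reasons = []
    if cipher.get("protocol") in LEGACY_PROTOCOLS:
        reasons.append("legacy protocol %s" % cipher["protocol"])
    sym = (cipher.get("symmetric") or "").lower()
    if not sym or "null" in sym:
        reasons.append("no encryption")
    if "rc4" in sym:
        reasons.append("RC4")
    if "des" in sym:  # covers single DES and 3DES (des-ede3-cbc)
        reasons.append("DES/3DES")
    bits = cipher.get("strength_bits", 0)
    if bits < 128:
        reasons.append("%d-bit key" % bits)
    if (cipher.get("digest") or "").lower() == "md5":
        reasons.append("MD5 MAC")
    if (cipher.get("kea") or "").lower() == "kx-rsa":
        reasons.append("static RSA key exchange (no forward secrecy)")
    if (cipher.get("auth") or "").lower() == "auth-null":
        reasons.append("anonymous (server not authenticated)")
    return reasons


def audit_context(ctx: ssl.SSLContext) -> dict[str, list[str]]:
    """Map each weak suite the context would offer to the reasons it is weak."""
    findings = {}
    for cipher in ctx.get_ciphers():
        reasons = weak_reasons(cipher)
        if reasons:
            findings[cipher["name"]] = reasons
    return findings


# Constructed sample describing a legacy suite, in the shape get_ciphers()
# returns, so the audit logic can be exercised even on an OpenSSL build that
# no longer compiles such suites in.
LEGACY_3DES_SUITE = {
    "name": "DES-CBC3-SHA", "protocol": "SSLv3", "symmetric": "des-ede3-cbc",
    "strength_bits": 112, "alg_bits": 168, "digest": "sha1",
    "kea": "kx-rsa", "auth": "auth-rsa", "aead": False,
}

if __name__ == "__main__":
    ctx = hardened_client_context()
    print("minimum version:", ctx.minimum_version.name)
    print("weak suites offered:", audit_context(ctx) or "none")
    print("legacy sample:", weak_reasons(LEGACY_3DES_SUITE))
```

The same `weak_reasons` check can be run over a server-side context before deployment. Note that it verifies what the local configuration would offer, not what a live endpoint accepts; confirming that a deployed service actually refuses TLS 1.0/1.1 still requires a handshake against that endpoint, which this block deliberately does not perform.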
Our staff are trained on security at least annually. All new employees must complete security training during onboarding, and employees must demonstrate their competence before they are granted access to the Product platform and systems.
New employees are screened and background-checked in accordance with local law.
We commit to notifying our customers if we identify a security incident that may affect customer data, or if an incident is rated high or critical. We use a third-party Incident Response Partner to ensure that these incidents are investigated appropriately.
Disaster recovery process. Availability of the platform is a core business requirement. Our systems and services are designed for high availability, and we evaluate our disaster recovery procedures regularly.
Our staff will happily provide documentation of our practices on request.
For more information, please contact firstname.lastname@example.org