
HappySignals Security Statement

We take our responsibility to protect and secure your information seriously and strive for transparency around our security practices. Updated 29th of November, 2024

HappySignals Security Program 

HappySignals has a Leadership Team-approved information security program in place. The program is re-evaluated and approved on an annual basis. It is led by the VP Information Security, who reports directly to the CEO.

HappySignals Platform infrastructure and applications are secured using industry best practices

The HappySignals platform is hosted on Microsoft Azure, and we utilize numerous controls to ensure the confidentiality, integrity, and availability of the services. We utilize data centers and service providers on multiple continents to support customer and legislative requirements (e.g. for personal data transfers).

We follow the GDPR and protect PII

We minimize the collection of personal data and protect the gathered data using defined Technical and Organizational Measures. We do not sell customer data, personal data or PII to third parties. All data retention practices are agreed with the customers.

ISO/IEC 27001 certification

The HappySignals Platform and all related development, management, and operations processes and procedures are ISO 27001 certified. We run the Information Security Management System continuously to ensure that all domains of the framework are covered.

CIS benchmarks 

We use CIS benchmarks to create secure-by-default configurations that mitigate cyber-attacks and their impact on our platforms, technologies, and systems.

Secure software development

We have robust measures to address any potential security issues and risks as early as possible. We conduct threat modeling and regulatory reviews early in the design phase. Access to the source code and infrastructure is strictly limited. All changes follow a change management process, and all commits to the source code are peer-reviewed.

Development, test, stage and production environments are logically segregated. HappySignals customers’ data stays in the production environments, and it’s not transferred to our internal development, testing or staging environments.

We conduct static application security testing on every commit.

We conduct dynamic application security testing on a weekly basis.

Third-party penetration testing

We use third parties to conduct external penetration testing to ensure that our controls are effective and that our teams have not missed anything. These tests include typical security assessment elements, vulnerability scanning, evaluation of design and logic flaws, programming issues, and misconfigurations. All findings are assessed according to our ISMS policies.

Encryption at-rest

Customer data is stored in services that are FIPS 140-2 compliant. Data, including backups, is encrypted on disk. The service uses an AES 256-bit cipher for storage encryption, and the keys are system-managed. Storage encryption is always on and can't be disabled.

Encryption in-transit

All client connections use TLS 1.2 or later, and we have disabled support for certain weak cipher suites.

Data access

We use role-based access controls for defining infrastructure, system and data access. Employees in HappySignals Product-related roles must also prove their competence before they are granted access to the Product platform, systems or data.

Security training

Our staff is trained in security topics regularly according to their role and skill level. All new employees must participate in security training during their onboarding.

Screening and confidentiality

New employees are screened, and their background is checked according to local laws. All employees are required to sign Non-Disclosure and Confidentiality agreements.

Security incident notification

We will notify customers within 24 hours in case we identify a security incident that might have an impact on the customer data, or in case the security incident is evaluated as high/critical. We utilize a third-party Forensics and Incident Response partner to ensure an appropriate investigation and response.

Disaster Recovery Process

Ensuring the availability of the platform is our core business requirement. The systems and services are designed with a focus on high availability, and we evaluate and test our disaster recovery procedures regularly.

Privacy Policies

Our privacy policies can be found here, and the data collection description for the HappySignals platform end-users (survey responders) is available in the Survey Data document.

 

We are happy to provide you with additional information on request. Feel free to contact us at support@happysignals.com.