We take our responsibility to protect and secure your information seriously and strive for complete transparency around our security practices. Updated 20th Aug, 2021
Our SaaS infrastructure is secured following industry standard best practices. Our SaaS Cloud platform, hosted by Microsoft, offers numerous ways to implement and tighten application security and to monitor unauthorised access and other intrusions by default. We have built our security controls on top of this framework. We have data centers at our disposal on all continents and can therefore ensure compliance with local jurisdictions when it comes to e.g. personal data transfers and similar restrictions.
We follow the GDPR. We have minimised the gathering of PII (Personally Identifiable Information) and protect the gathered data as dictated by the GDPR. PII data in our systems consists only of our Customers' authorized users, i.e. the Analysts using HappySignals Analytics. Data retention for PII data is documented and monitored.
Our PII data is controlled and protected with such controls as:
- Only the account owner can access their own separated account data, using their private password.
- We enforce a strong password policy.
- Passwords are stored hashed and salted.
- Access to an account is logged, tracked, and audited.
- Brute-force attempts are automatically prevented.
In software development we embrace a Security First approach, which addresses potential data breaches and risks to data first-hand during application development. For change management there is a straightforward process that involves our CTO and Tech Lead. This allows us to ensure the integrity and security of each change. We do our development following Agile methodologies.
We use third party companies to test our applications and our infrastructure continuously to prevent any unauthorised access to your data, and also to the internal data that we use to run our business. A security audit is done by a third party after each major release, and at least annually. This test covers Reconnaissance, Scanning, Exploitation, Design and logic flaws, Programming flaws and Misconfigurations of both our applications and our infrastructure. We mitigate and remediate any findings immediately. An Executive Summary of the latest audit is available on request.
Your data is stored in services that use storage encryption for data at rest and that are FIPS 140-2 compliant. Data, including backups, is encrypted on disk. The service uses the AES 256-bit cipher for storage encryption, and the keys are system managed. Storage encryption is always on and can't be disabled.
Data in transit is protected by TLS 1.2 or later.
Our staff is trained at least annually on security issues by the person responsible for security. All staff members must go through this training, and attendance and records of completing the trainings are held by the CTO. Only authorized personnel can administer systems or perform security management and operational functions. Authorisation for and implementation of changes are segregated responsibilities wherever appropriate to the organisation. Data access for our staff is granted according to the least privilege principle.
New employees are screened through background checks conducted by the authorities.
HappySignals' physical premises are protected by CCTV and electronic keys, and access is restricted to authorized personnel only.
We follow the ISO/IEC 27001 framework to identify, contain, eradicate and recover from an attack, and to capture the lessons learned. Our Security Incident Response Team consists of our Senior Technicians and Management: CTO, VP Information Security, Tech Lead etc.
We have defined and documented a SIRP (Security Incident Response Process), which defines roles and responses for any incident, from alerts through classification to communications and mitigation of the findings. We have a dedicated Security Incident team, consisting of our Senior Technicians and Management: CTO, Tech Lead etc.
We have a documented Disaster Recovery Process, which is tested at least annually.
Our staff will happily provide you with documentation of our practices on request.
For more information, please contact email@example.com.