Security and Privacy
Here are the most frequently asked questions and answers regarding how Hyperproof handles data security and privacy.
Which cybersecurity certifications has Hyperproof completed?
Hyperproof has received SOC 2 Type 2 and HIPAA certifications. Hyperproof’s SOC 2 service commitments and system requirements were achieved based on the trust services criteria relevant to Security, Availability, and Confidentiality set forth in TSP Section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).
For Hyperproof’s HIPAA certification, the controls implemented by Hyperproof are those that address the HIPAA Security Final Rule with regard to user entities’ ePHI data.
Where is my data hosted?
Hyperproof is hosted in Microsoft Azure datacenters in the United States. Our relational data is stored in an Azure Postgres database segmented by customers. Azure Blob storage is used for uploaded proof files. All data is encrypted in transit using industry-standard TLS 1.2 or TLS 1.3, both inside and outside the datacenter. All storage is encrypted at rest using industry-standard AES 256 encryption. Postgres is backed up continuously with snapshots taken no less frequently than every 5 minutes. Blob storage has a read-only geo-replicated failover replica which is synchronized on write to the primary.
How is data in my Hyperproof account protected?
We take multiple measures to protect your data.
- Best-in-class software development lifecycle security practices: We use code review best practices, automated tests, a suite of tools (e.g., network scanning, vulnerability scanning), and third-party security services to ensure the security of our codebase.
- Robust infrastructure security: Hyperproof’s production servers and data are hosted in Microsoft Azure. Microsoft employs a robust physical security program with multiple certifications, including an SSAE 16 certification, ISO 27001, ISO 27018, SOC 1, SOC 2, SOC 3, FedRAMP, HITRUST, MTCS, IRAP, and ENS. For a full list of additional compliance standards supported in Azure and their physical security please visit the Azure compliance page and this article.
- Processes to ensure data security including the following:
- Infrastructure management policies: Hyperproof datacenter infrastructure policies cover escalation, management, knowledge sharing, risk management, and day-to-day operations and are SOC 2 compliant.
- Data Access: Only a limited set of employees can access customer data stored in our databases. There are strict security policies for employee access; logins and resource modifications are logged and monitored. We limit access to customer data to employees with a job-related need and require all these staff members to sign a confidentiality agreement and complete a comprehensive criminal background check. Accessing customer data is only done on an as-needed basis, and only when approved by the customer or under authorization from senior management and security for the purposes of providing support, maintenance, or improving service quality.
- Encrypted communication: Hyperproof uses Transport Layer Security (TLS) 1.2 with a preferred AES 256 bit algorithm in CBC mode and 2048-bit server key length with industry-leading modern browsers. When you access Hyperproof via web browser, TLS technology protects your information using both server authentication and data encryption. This is equivalent to network security methods used in banking and leading e-commerce sites. Communication is encrypted to/from the Hyperproof service and between all services/components within the Hyperproof hosted service.
- Encryption at rest: All data stored in the Hyperproof application, including users, relational data, file uploads, passwords, and access tokens, is encrypted at rest using 256-bit AES encryption and is FIPS 140-2 compliant.
- Physical security measures: Our office is secured via keycard access at all entries to the building and entries to the Hyperproof offices. Keycard access is logged, and visitors are recorded using auditable software at our front desk.
- Corporate policies and procedures: Every Hyperproof employee signs a Data Access Policy that binds them to the terms of our data confidentiality policies, available at https://hyperproof.io/terms-of-use/ and https://hyperproof.io/privacy-policy/.
Can I control who can access data within my account?
Yes, you can configure security policies and permissions on a granular level.
- Authentication: Each user in Hyperproof has a unique, password-protected account with a verified email address. User accounts and passwords are authenticated using Azure Active Directory B2C, which supports Office 365 accounts, Google accounts, or username/password. Hyperproof does not store or manage passwords for O365 or Google accounts. For the username/password option, passwords are stored with one-way encryption in the Azure Active Directory. In all cases, passwords are never readable by the Hyperproof application or Hyperproof employees. In addition, Hyperproof supports SAML integration with Okta, ForgeRock, and Fortinet.
- User management: Administrators can see user invitation status and update user roles and permissions, or deprovision users from a central administration interface accessible in their organization instance.
- Privacy, Visibility, and Sharing Settings: Customers determine who can access different categories of data like Programs, Controls, Labels, and Proof. Customer data, including Labels and Proof, can only be accessed by other users within your Hyperproof account if those items are specifically shared with them or if they are placed in shared Controls or Labels. These permissions are always viewable by organization administrators and object owners in Hyperproof.
Can Hyperproof ensure that my data is available when I need it?
We are committed to making Hyperproof highly available to you and your teams. We are always working to improve the built-in redundancy of our systems so they can withstand failures, and we constantly monitor them to ensure minimum interruption to our customers. You can access our system status page at https://status.hyperproof.io/.
What is Hyperproof’s data backup and recovery policy?
Postgres relational data is backed up continuously with snapshots taken at least every 5 minutes. Blob storage has a read-only geo-replicated failover replica which is synchronized on write to the primary.
All compliance data and files in Hyperproof can be exported in common formats such as CSV.
What is Hyperproof’s data retention policy?
All data is retained while customer accounts are active. Hyperproof can delete all customer data upon request at service cancellation; otherwise data is retained for a limited time period to allow for service restoration and backup. If a customer stops using Hyperproof, their data is retained until the customer requests the removal of their data.
Does Hyperproof maintain logs for your service operations?
Hyperproof maintains logs for our service operation as well as for operations that occur inside Hyperproof. Operational logs are used for diagnosing and troubleshooting issues only by employees who have passed our comprehensive background checks. PII data is not logged.
Hyperproof user activity logs are available in the activity feeds of the product and we maintain additional logs regarding user invitations and access control changes.
How can I report security concerns?
Please use email@example.com to report security or related concerns.