Data Security – Keeping You Safe
Data Security

To protect your data, we use a secure infrastructure, a dedication to dependability, and third-party testing.


We take the security of your visitors’ and workers’ information extremely seriously. Our rules and processes are intended to keep this information safe during its collection, use, and dissemination.


We are devoted to assisting you in meeting your compliance plans while also improving our own body of certifications.

Keeping you Safe

Our Infrastructure

Data Security

We are on the Azure Cloud. It is subject to numerous third-party security audits. It follows the highest industry standards in information and operational security compliance certifications such as ISO 27001 and SOC-2.

Data Residency

Our servers are accessible worldwide and are located in the United Kingdom and Australia to abide by the different data protection schemes of those regions. We are aided by Content Delivery Networks (CDNs) around the world to ensure users experience the least latency. No sensitive or private information is shared with these leaf services. In addition, all our data is encrypted at rest and in transit.

Data Security Diagram

Decommissioning and Data Removal

All client data is held on Azure Cloud services, which adhere to a stringent decommissioning policy, as detailed in their security fundamentals documentation:

“Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant.”

When a client’s services are decommissioned, the client’s environment and data are deleted with immediate effect. Each user’s working data is stored as part of contact tracing from the start to the finish of the services. If the client requests that the data be purged, we can set up an automatic purge at regular intervals.



We recognise the value of dependability and strive towards 99.9% uptime. Constant performance and load tests are carried out. There is 24/7 monitoring of services with alerts configured in the rare case of downtime.

Vulnerability Management

There are security checks in place at every stage of the application pipeline. All code is analysed for security loopholes before builds are deployed. We utilize Software Composition Analysis (SCA) tools to ensure none of our third-party libraries come with a vulnerability. We also employ a Web Application Firewall (WAF) to protect against OWASP Top 10 vulnerabilities.

Application Development

The development pipeline is subject to numerous security protocols. The Secure Software Development LifeCycle (SDLC) methodology is adhered to, which ensures a strong security posture. At the design stage, Threat-Modelling is carried out to ensure no fundamental architectural vulnerabilities or race conditions are present in the design. All code is reviewed and must clear security validation before being deployed.

Internal Security

We have a thoroughly vetted Role Based Access Control (RBAC) policy to ensure the principle of least privilege is enforced. Two Factor Authentication and strong passwords are enforced as part of Azure Identity Policy. Customer data access is limited to personnel who are necessary for customer support. Privilege audits are carried out regularly with the help of access logs maintained as part of Azure Active Directory.


Authentication is done over encrypted connections. Any Identity Provider that supports OIDC or SAML can be integrated; this includes Google SSO and Microsoft. A strong password policy is in place to ensure that easily guessable or brute-forcible passwords are not used.


All data is encrypted at rest and in transit. The minimum TLS version employed is 1.2, ensuring preventive measures against man-in-the-middle attacks. At rest, all our data is encrypted with AES 256 to ensure maximum protection for customer data.

Payments Information

We do not keep your credit/debit card information on our servers when you sign up for a paid plan via credit/debit card. We currently use Stripe, which is PCI-compliant and devoted to securely storing sensitive payment data. A copy of their security practices may be seen here.

We do not keep any data that is subject to PCI regulatory obligations.

Data Collected

Our privacy policy contains an in-depth summary of the information we gather.

Calendar synchronisation

After connecting an external calendar account to HybridHero, our cloud service will begin synchronising data with the chosen room calendars. A subset of your calendar events and their data will be preserved in HybridHero as a result.

HybridHero will then synchronise this information with your calendar system. HybridHero events will also synchronise the data back to your calendar provider, ensuring that HybridHero and associated calendars remain consistent. Synced event information includes:

  • Title
  • Description
  • Start and end timings
  • Location (e.g. “Conference Room – 001”)
  • Organiser
  • Attendee(s)

Additional restrictions can be applied by altering the permissions of the corresponding service account HybridHero uses to access your calendar system. See an example using Office 365 and Outlook for private meeting titles.

Event attachments are not saved. In our support centre, you may discover more about our unique connection procedures per service (for example, Outlook).

Disaster Recovery

All of our assets are zone-redundant with automatic failover configured in case of an outage. The customer data Recovery-Time-Objective (RTO) within our solution is just 4 to 5 minutes.

Incident Response

There is an extensive patch management procedure that ensures critical patches are applied within 48 hours of their release. Any outage to the services will be reported immediately. The first priority in case of an incident is identification of compromised access. Then the team will work to isolate or contain the damage. Then the offending component will be eradicated and measures will be put in place to ensure the incident is not repeated.


We take the security of your personal information extremely seriously and consider it an internal success indicator. Our privacy policy has a detailed overview.

Security Policies

All personnel are subject to tight security protocols that address permitted usage, customer data, and encryption requirements. Please contact your account manager if you would like a copy of our customer security statement.

How to contact us

We understand that these topics are important to you as well. If you have any more queries that have not been addressed here or by our Help Centre, please email here and we will respond as soon as possible.

We’d also like to hear from you if you believe you have discovered a security flaw while using HybridHero. We place a high value on solving problems swiftly and ethically.

Privacy Protection

EU General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a collection of legislation intended to standardise data privacy laws throughout Europe and improve privacy restrictions for European Union residents. GDPR applies to firms in other countries that supply products or services to EU people, in addition to all enterprises within the EU.

UK Data Protection Act (DPA)

The Data Protection Act 2018 (c. 12) is a United Kingdom Act of Parliament which updates data protection laws in the UK. It is a national law which is the UK’s implementation of the European Union’s General Data Protection Regulation (GDPR).

Australian Privacy Act (APA)

The Privacy Act 1988 is the principal piece of Australian legislation protecting the handling of personal information about individuals. This includes the collection, use, storage and disclosure of personal information in the federal public sector and in the private sector. It is a national law which is Australia’s implementation of the European Union’s General Data Protection Regulation (GDPR).

Is HybridHero GDPR, DPA & APA Compliant?

Yes, HybridHero services are GDPR, DPA and APA compliant. The rule assigns distinct functions to corporations based on how they interact with consumer data. Because we process personal data on behalf of our clients, who are data controllers, HybridHero is classified as a data processor.

As a data processor, we have prepared for GDPR by:

  • Updating our privacy policy to make it clear how we process our customers’ data
  • Confirming that the vendors we use also adhere to GDPR
  • Developing an internal process that allows our customers to request anonymisation of their data
  • Publishing a Data Processing Addendum that assists our customers in meeting their GDPR contractual obligations, which is included in our UK and Australian Terms & Conditions.

How HybridHero Visitor Management (coming soon) will help support your GDPR compliance efforts

HybridHero clients are considered data controllers since they are gathering personal data for their company’s purpose. In the following ways, using HybridHero Visitor Management will help support your GDPR compliance efforts:

  • Keep visitor data confidential by having them sign in on an iPad rather than a visible logbook.
  • Allow visitors to choose whether or not to provide personal information.
  • Create a bespoke privacy policy document in HybridHero and make it available to visitors on the iPad.
  • When required, request that your visitor data be anonymized.

For more information or if you have any issues concerning HybridHero’s GDPR compliance, please email us or see our privacy policy.

Compliance Support

Privacy policy

At HybridHero, we understand the impact that compliance standards have on your organisation. That is why we are committed to delivering tools that will help you with your compliance strategies while also improving our own body of certifications.

Customers include Hooyu (KYC Platform), Coface (insurance), and the Judicial Appointments Commission (government), to mention a few. They are all confident in HybridHero’s ability to assist companies in meeting stringent security requirements and obtaining certifications.

  • EU General Data Protection Regulation (GDPR)
  • UK Data Protection Act (DPA)
  • Australian Privacy Act (APA)
  • Service Organization Controls (SOC)