Decommissioning and Data Removal

All client data is held on Azure Cloud services, which adhere to a stringent decommissioning policy, as detailed on in their security fundamentals documentation:

“Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant.”

When a client’s services are decommissioned, the client’s environment and the data are deleted with immediate effect. Each user’s working data is stored as part of contact tracing from start and finish of the services. If the client requests to purge the data, we can setup automatic purge on regular intervals.

Reliability

Uptime

We recognise the value of dependability and strive towards 99.9% uptime. Constant performance and load tests are carried out. There is 24/7 monitoring of services with alerts configured in the rare case of downtime.

Vulnerability Management

There are security checks in place at every stage of the application pipeline. All code is analysed for security loopholes before builds are deployed. We utilize Software Composition Analysis (SCA) tools to ensure none of our third-party libraries come with a vulnerability. We also employ a Web Application Firewall (WAF) to prevent against OWASP Top 10 vulnerabilities.

Application Development

The development pipeline is subject to numerous security protocols. The Secure Software Development LifeCycle (SDLC) methodology is adhered to which ensures strong security posture. At the design stage, Threat-Modelling is carried out to ensure no fundamental architectural vulnerabilities/race-conditions are present in the design. All code is reviewed and must clear security validation before being deployed.

Internal Security

We have a thoroughly vetted Role Based Access Control (RBAC) policy to ensure principle of least privilege is enforced. Two Factor Authentication and strong passwords are enforced as part of Azure Identity Policy. Customer data access is limited to personnel who are necessary for customer support Privilege audits are carried out regularly with the help of Access logs as maintained as part of Azure Active Directory

Authentication

Authentication is done over encrypted connections. Any Identity Provider that supports OIDC or SAML can be integrated this include (Google SSO, Microsoft). A strong password policy is in place to ensure that easily guessable or brute-forcible passwords are not used.

Encryption

All data is encrypted at rest and in Transit. The minimum TLS version employed s 1.2 ensuring preventive measures against man-in-the-middle attacks. At rest all our data is encrypted with AES 256 to ensure maximum protections for customer data

Payments Information

We do not keep your credit/debit card information on our servers when you join up for a paid plan via credit/debit card. We currently use Stripe, which is PCI-compliant and devoted to securely storing sensitive payment data. A copy of their security practises may be seen here.

We do not keep any data that is subject to PCI regulatory obligations.

Data Collected

Our privacy policy contains an in-depth summary of the information we gather.

Calendar synchronisation

After connecting an external calendar account to HybridHero, our cloud service will begin synchronising data with the chosen room calendars. A subset of your calendar events and their data will be preserved in HybridHero as a result.

HybridHero will then synchronise this information with your calendar system. HybridHero events will also synchronise the data back to your calendar provider, ensuring that HybridHero and associated calendars remain constant. Synced event information includes:

• Title
• Description
• Start and end timings
• Location (e.g. “Conference Room – 001”)
• Organiser
• Attendee(s)

Additional restrictions can be applied by altering the permissions of the corresponding service account HybridHero uses to access your calendar system. See an example using Office 365 and Outlook for private meeting titles.

Event attachments are not saved. In our support centre, you may discover more about our unique connection procedures per service (for example, Outlook).

Disaster Recovery

All of our assets are zone-redundant with automatic failover configured in case of an outage. The customer data Recovery-Time-Objective (RTO) within our solution is just 4 to5 minutes. All of our assets are zone-redundant with automatic failover configured in case of an outage.

Incident Response

There is an extensive patch management procedure that ensures critical patches are applied within 48 hours of its release. Any outage to the services will be reported immediately. The first priority in case of an incident is identification of compromised access. Then the team will work to isolate or contain the damage. Then the offending component will be eradicated and measures will be put in place to ensure the incident is not repeated

Privacy

We take the security of your personal information extremely seriously and consider it an internal success indicator. Our privacy policy has a detailed overview.

Security Policies

All personnel are subject to tight security protocols that address permitted usage, customer data, and encryption requirements. Please contact your account manager if you would like a copy of our customer security statement.

How to contact us

We understand that these topics are important to you as well. If you have any more queries that have not been addressed here or by our Help Centre, please email here and we will respond as soon as possible.

We’d also want to hear from you if you feel you discovered a security flaw while using HybridHero. We place a high value on solving problems swiftly and ethically.