PLATFORM SECURITY

Keeping your data safe

Data Security

To protect your data, we use a secure infrastructure, a dedication to dependability, and third-party testing.

Privacy

We take the security of your visitors’ and workers’ information extremely seriously. Our rules and processes are intended to keep this information safe during its collection, use, and dissemination.

Compliance

We are devoted to assisting you in meeting your compliance plans while also improving our own body of certifications.

Keeping Your Data Secure

Our Infrastructure

Data Security

We run on the Azure Cloud, which undergoes numerous third-party security audits and holds industry-standard information security and operational compliance certifications such as ISO 27001 and SOC 2.

Data Residency

Our servers are accessible worldwide and are located in the UK and Australia to comply with the data protection regimes of those regions. We use Content Delivery Networks (CDNs) worldwide to ensure the lowest possible latency for users; no sensitive or private information is shared with these auxiliary services. Furthermore, all our data is encrypted at rest and in transit.

Data Deactivation and Deletion

All customer data is stored on Azure Cloud services, which adhere to strict deactivation policies, as detailed in their security fundamentals documentation:

“Microsoft uses best practice procedures and a deletion solution that complies with NIST 800-88.”

When a customer’s services are deactivated, the customer’s environment and data are immediately deleted. Each user’s work data is retained for contact-tracing purposes for the duration of the service. If the customer requests data purging, we can configure automatic purging at regular intervals.

Reliability

Availability

We recognize the value of reliability and strive to achieve a 99.9% uptime. Performance and load testing are constantly performed. Services are monitored 24/7 with alerts configured in the rare case of downtime.

Vulnerability Management

Security controls exist at every stage of the application pipeline. All code is scanned for security vulnerabilities before deployment. We use Software Composition Analysis (SCA) tools to ensure none of our third-party libraries carry known vulnerabilities. We also employ a Web Application Firewall (WAF) to block the OWASP Top 10 vulnerability classes.

Application Development

The development pipeline is subject to numerous security protocols. The Secure Software Development Lifecycle (SDLC) methodology is followed to ensure a strong security posture. In the design stage, Threat Modeling is carried out to ensure there are no fundamental architectural vulnerabilities or race conditions in the design. All code is reviewed and must pass security validation before being deployed.

Internal Security

We have a meticulously evaluated Role-Based Access Control (RBAC) policy to ensure the principle of least privilege is applied. Two-Factor Authentication and strong passwords are required as part of the Azure Identity Policy. Access to customer data is limited to the personnel necessary for customer support. Privilege audits are conducted regularly with the help of access logs as part of Azure Active Directory.


Encryption

All data is encrypted at rest and in transit. The minimum TLS version accepted is 1.2, which protects connections against protocol downgrade and man-in-the-middle attacks. At rest, all our data is encrypted with AES-256 to ensure maximum customer data protection.
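The TLS floor described above is a configuration choice, and it is worth being able to both enforce it and verify it. The following is an added example written for this page (it is not HybridHero code and does not describe their actual deployment): it builds server- and client-side `ssl` contexts that refuse anything older than TLS 1.2, and provides two checks, one for an existing context and one for the protocol name a live session reports. The certificate and key paths are hypothetical parameters supplied by the caller.

```python
import ssl

# Policy stated on the page: TLS 1.2 is the minimum version accepted.
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2

# Protocol names as returned by SSLSocket.version(), mapped to the enum so
# that a negotiated session can be compared against the policy.
_VERSION_NAMES = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def build_server_context(certfile=None, keyfile=None):
    """Server-side context that rejects handshakes below TLS 1.2.

    certfile/keyfile are hypothetical paths chosen by the caller; the chain
    is only loaded when one is given so the context can be built offline.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_TLS_VERSION
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def build_client_context():
    """Client-side context: default CA verification and hostname checking,
    plus the same floor, so a peer cannot negotiate the session down to
    TLS 1.0 or 1.1."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS_VERSION
    return ctx


def context_meets_policy(ctx):
    """True if an existing SSLContext enforces the TLS 1.2 floor.

    TLSVersion is an IntEnum, and MINIMUM_SUPPORTED (the 'no floor' value)
    sorts below every real version, so a plain comparison is enough."""
    return ctx.minimum_version >= MIN_TLS_VERSION


def version_meets_policy(negotiated):
    """True if a negotiated protocol name (as from SSLSocket.version())
    satisfies the policy. Unknown names are treated as non-compliant rather
    than silently accepted."""
    version = _VERSION_NAMES.get(negotiated)
    return version is not None and version >= MIN_TLS_VERSION


if __name__ == "__main__":
    server = build_server_context()
    print("server context enforces floor:", context_meets_policy(server))
    for name in ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"):
        print(f"{name:8} meets policy: {version_meets_policy(name)}")
```

`context_meets_policy` is the check to run in a deployment test against whatever context your framework actually hands to its listener, since a floor set in one place is easily undone by a later `minimum_version` assignment; `version_meets_policy` is the check to apply to `sock.version()` on an established connection, or to the protocol field of access logs, when auditing what was really negotiated.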

Payment Information

We do not retain your credit/debit card information on our servers when you subscribe with a credit/debit card. We currently use Stripe, which is PCI-compliant and dedicated to securely storing sensitive payment data. A copy of their security practices can be viewed here.

We do not retain any data subject to PCI regulatory obligations.

Data Collected

Our privacy policy contains a detailed summary of the information we collect.

Calendar Sync

After connecting an external calendar account to HybridHero, our cloud service will begin synchronizing data with the selected room calendars. A subset of your calendar events and their data will be retained in HybridHero as a result.

HybridHero will then synchronize this information with your calendar system. HybridHero events will also synchronize data back to your calendar provider, ensuring consistency between HybridHero and associated calendars. Synchronized event information includes:

  • Title
  • Description
  • Start and end times
  • Location (e.g., “Conference Room – 001”)
  • Organizer
  • Attendee(s)

Event attachments are not saved. In our support center, you can learn more about our provider-specific connection procedures (e.g., Outlook).

Disaster Recovery

All our assets are deployed redundantly across fault-tolerant zones, with automatic failover configured in case of an outage. The Recovery Time Objective (RTO) for customer data within our solution is only 4 to 5 minutes.

Incident Response

We have an extensive patch management procedure that ensures critical patches are applied within 48 hours of release. Any disruptions in service are reported immediately. The first priority in the event of an incident is identifying compromised access. The team then works to isolate or contain the damage. The compromised component is then removed, and measures are taken to ensure the incident does not recur.
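A 48-hour patching commitment is only meaningful if it is measured. The following is an added example, not HybridHero's own tooling: it evaluates a patch log against that SLA, flagging critical patches that were applied late and critical patches still open past their deadline. The records, their `PATCH-000x` identifiers and timestamps are constructed sample data, and the `now` argument is passed in explicitly so the result is reproducible.

```python
from datetime import datetime, timedelta, timezone

# Policy stated on the page: critical patches are applied within 48 hours.
CRITICAL_PATCH_SLA = timedelta(hours=48)

# Constructed sample log (not real advisories). "released" is the vendor's
# release time, "applied" the rollout time; None means not yet applied.
SAMPLE_PATCH_LOG = [
    {"id": "PATCH-0001", "severity": "critical",
     "released": "2024-03-01T10:00:00Z", "applied": "2024-03-02T09:30:00Z"},
    {"id": "PATCH-0002", "severity": "critical",
     "released": "2024-03-01T10:00:00Z", "applied": "2024-03-04T08:00:00Z"},
    {"id": "PATCH-0003", "severity": "high",
     "released": "2024-03-01T10:00:00Z", "applied": None},
    {"id": "PATCH-0004", "severity": "critical",
     "released": "2024-03-05T12:00:00Z", "applied": None},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sla_breaches(records, now, sla=CRITICAL_PATCH_SLA):
    """Return the ids of critical patches that breach the SLA at time `now`.

    A record breaches if it was applied after its deadline, or if it is still
    unapplied and the deadline has already passed. Open patches whose deadline
    is still in the future are not reported, so the function can be run on a
    schedule without raising false alarms for fresh releases.
    """
    breaches = []
    for record in records:
        if record["severity"] != "critical":
            continue
        deadline = parse_ts(record["released"]) + sla
        finished = parse_ts(record["applied"]) if record["applied"] else now
        if finished > deadline:
            breaches.append(record["id"])
    return breaches


def hours_to_apply(record):
    """Elapsed hours from release to rollout, or None if still unapplied."""
    if record["applied"] is None:
        return None
    delta = parse_ts(record["applied"]) - parse_ts(record["released"])
    return delta.total_seconds() / 3600


if __name__ == "__main__":
    now = parse_ts("2024-03-06T12:00:00Z")
    for record in SAMPLE_PATCH_LOG:
        print(record["id"], record["severity"], "hours:", hours_to_apply(record))
    print("SLA breaches as of", now.isoformat(), "->", sla_breaches(SAMPLE_PATCH_LOG, now))
```

Run at 2024-03-06T12:00Z, the sample reports only `PATCH-0002` (applied 70 hours after release); `PATCH-0004` has about a day left on its deadline. Run two days later, `PATCH-0004` joins the list, which is the point: an open critical patch becomes a breach on the clock, not when someone notices it.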

Privacy

We take the security of your personal information extremely seriously and consider it an internal measure of success. Our privacy policy provides a detailed description.

Security Policies

All staff are subject to strict security protocols addressing permissible use, customer data, and encryption requirements. If you would like a copy of our security statement for customers, please contact your account manager.

How to Contact Us

We understand that these matters are important to you as well. If you have further questions not answered here or in our Help Center, please email us here, and we will respond as soon as possible.

We would also appreciate hearing from you if you discover any security vulnerabilities while using HybridHero. We highly value the quick and ethical resolution of issues.

Privacy Protection

European Union General Data Protection Regulation (EU GDPR)

The General Data Protection Regulation (GDPR) is a set of laws aimed at standardizing data privacy laws across Europe and enhancing privacy restrictions for residents of the European Union. GDPR applies to companies from other countries offering products or services to individuals in the EU, in addition to all companies within the EU.

United Kingdom Data Protection Act (DPA)

The Data Protection Act 2018 (c. 12) is a UK Parliament law that updates data protection laws in the UK. It is a national law that is the UK’s implementation of the European Union General Data Protection Regulation (EU GDPR).

Australian Privacy Act (APA)

The Privacy Act 1988 is the primary Australian law that governs the handling of personal information about individuals. This includes the collection, use, storage, and disclosure of personal information in the federal public sector and in the private sector. It is a national law that is Australia’s implementation of the European Union General Data Protection Regulation (EU GDPR).

Is HybridHero Compliant with GDPR, DPA, and APA?

Yes, HybridHero’s services comply with GDPR, DPA, and APA. The regulations assign different roles to companies based on how they interact with consumer data. As we process personal data on behalf of our customers, who are data controllers, HybridHero is classified as a data processor.

As a data processor, we have prepared for GDPR in the following ways:

  • Updating our privacy policy to make it clear how we process customer data.
  • Confirming that the providers we use also comply with GDPR.
  • Developing an internal process that allows our customers to request the anonymization of their data.
  • Publishing a Data Processing Addendum that helps our customers fulfill their GDPR contractual obligations, which is included in our UK and Australia Terms and Conditions.

How Will HybridHero Visitor Management Support Your GDPR Compliance Efforts?

HybridHero customers are considered data controllers as they collect personal data for the purpose of their business. The use of HybridHero Visitor Management will support your GDPR compliance efforts in the following ways:

  • Maintain visitor data confidentiality by having them register on an iPad instead of a visible logbook.
  • Allow visitors to choose whether or not to provide personal information.
  • Create a customized privacy policy document in HybridHero and make it available to visitors on the iPad.
  • Request anonymization of your visitor data when necessary.

For more information or if you have any questions about HybridHero’s GDPR compliance, please email us or refer to our privacy policy.

Compliance Support

Privacy Policy

At HybridHero, we understand the impact that compliance regulations have on your organization. That’s why we are committed to providing tools that assist you with your compliance strategies while improving our own collection of certifications.

Customers like Hooyu (KYC platform), Coface (insurance), and the Judicial Appointments Commission (government), to name a few, rely on HybridHero’s ability to help businesses comply with rigorous security requirements and obtain certifications.

  • European Union General Data Protection Regulation (EU GDPR)
  • United Kingdom Data Protection Act (DPA)
  • Australian Privacy Act (APA)
  • Service Organization Controls (SOC)

Start creating better outcomes today

Get hybrid work right with HybridHero.

Let’s talk