Data Security
Product Security
Product security is of paramount importance at Hippobyte. Hippobyte uses a software development lifecycle in line with general Agile principles. When security effort is applied throughout the Agile release cycle, security-oriented software defects can be discovered and addressed more rapidly than in development methodologies with longer release cycles. Software patches are released as part of our continuous integration process.
Hippobyte performs continuous integration, which lets us respond rapidly to both functional and security issues. Well-defined change management policies and procedures determine when and how changes occur. This philosophy is central to DevOps security and the development methodologies that have driven Hippobyte adoption. In this way Hippobyte is able to achieve extremely short mean time to resolution for security vulnerabilities and functional issues alike. Hippobyte is continuously improving our DevOps practice in an iterative fashion.
In-House Monitoring
Every day, our in-house systems collect all system logs and automatically flag and report anomalies to ensure 99.99% uptime.
Data Center Security
The Hippobyte production infrastructure is hosted in Amazon Web Services (AWS). Physical and environmental security controls for Hippobyte production servers, including buildings and the locks or keys used on doors, are managed by AWS. “Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors.”
Network Security
Hippobyte recognizes the diminishing utility of the perimeter in modern network security. Once that perimeter is breached, services reliant on network security guarantees quickly fall. As such, Hippobyte leverages internal services that require transport-level security for network access and individually authenticate users, commonly by way of a central identity provider and leveraging two-factor authentication wherever possible.
Segregation of Data
Although we provide our services on a centralized basis to allow our customers to share our infrastructure, the Hippobyte service keeps each customer’s data separate from the data of every other customer through our access control policies. In turn, our data center partners use security controls to segregate the Hippobyte service from their other customers’ data by maintaining the service in its own protected environment and establishing robust, industry-standard access control rules and best practices. Our security access controls provide assurances against unauthorized access to your account, whether by those who do not use the service or by other Hippobyte customers.
Secure Communication
All data transmitted between Hippobyte and Hippobyte users is protected using Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS). If encrypted communication is interrupted, the Hippobyte application is inaccessible. Hippobyte does not “fail open.” Hippobyte is careful not to log sensitive values in clear text.
Protection of Data at Rest
Customer data at Hippobyte is encrypted at rest using a secure symmetric cipher. AES with a key length of 256 bits is used for both storage of live service data and Hippobyte service backups.
Customer Data Storage Location
Hippobyte service data currently resides in the United States of America and primarily in the state of Oregon.
Data Retention
For Service users, we will retain your personally identifying information (PII) for as long as your account is active or as needed to provide you access and use rights with respect to the Service (which may include a limited 90-day tail period to, for example, allow for an orderly wind-down). Generally speaking, “full resolution” electronic information transmitted or received by you in relation to your use of the Service (which may include PII) will be retained for a rolling 15-month look-back period, after which such information may be aggregated on the basis of a one-minute resolution for the duration of the service period and any tail period. In addition, we may retain and use your information as necessary to comply with our legal obligations, resolve disputes and enforce our agreements.
Personally Identifiable Information (PII)
Certain visitors to the Website and Service choose to interact with Hippobyte in ways that require Hippobyte to gather personally identifiable information (PII). The amount and type of information that Hippobyte gathers depends on the nature of the interaction. For example, when signing up for a trial of the Service, we may ask a user to provide the user’s name and the name of the user’s company, as well as an email address and telephone number where we may contact the user and/or another representative of the user’s company. Each user is also expected to provide a username and password that, along with other information, we use to create and administer accounts. In each case, Hippobyte collects such information only insofar as is necessary or appropriate to fulfill the purpose of the visitor’s interaction with Hippobyte.
Hippobyte does not disclose PII other than as described in the Hippobyte Privacy Policy. In addition, visitors can always refuse to supply personally identifying information, with the caveat that it may prevent them from engaging in certain activities.
Security Patches
Servers in the production environment receive software patches released through our continuous integration process. Patches that can impact end users will be applied as soon as possible but may necessitate end-user notification and scheduling a service window.
Security Awareness Training
All Hippobyte personnel undergo annual security awareness training that weaves security into technical and non-technical roles; all employees are encouraged to participate in helping secure our customer data and company assets. Security training materials are developed for individual roles to ensure employees are equipped to handle the specific security-oriented challenges of their roles.