HqO Security Practices
Security is an integral component of our business. HqO’s customers and users entrust us with their work-life information, and we aim to process and store that information thoughtfully and intelligently.
We see our data security as a differentiator for us in the marketplace, and we have commitments from all levels of the business to resource it appropriately.
Our security team, led by our Chief Information Security Officer, comprises individuals in leadership positions from our technology, operations, human resources, finance and accounts groups.
We meet weekly for quick check-ins and monthly for more formal updates with our CISO, and we hold more than twenty ceremonies throughout the year covering a wide array of security-related activities to plan, execute, monitor and react to our data security initiatives.
Here is a list of the certifications and compliances we either have or are pursuing.
| Standard | Status | Details |
|---|---|---|
| SOC 2 | ✔ | HqO is SOC 2 Type I compliant. We are pursuing Type II certification for Q3/Q4 2020 and have already begun the readiness assessment work. We will maintain SOC 2 compliance thereafter as an annual ceremony. For a copy of our independent auditor's report, please email us at [email protected] |
| GDPR | ✔ | HqO has been GDPR compliant since October 15th, 2019. |
| CCPA | ✔ | Although HqO does not meet the CCPA's applicability criteria, we will be CCPA compliant on or about October 31, 2019, ahead of its official effective date of January 1, 2020. |
| EU-US, Swiss-US Privacy Shield | ✔ | HqO was accepted into the EU-U.S. and Swiss-U.S. Privacy Shield frameworks on November 5th, 2019. |
| ISO 27001 | Certification planned for 2021 | Our ISMS is built toward ISO 27001. We were scheduled for Stage 2 of our certification audit in March 2020; completion has been delayed by COVID-19. |
We believe that all of our users and customers have rights to their data, regardless of regulatory governance.
You may have the right to:
- Request access to the personal data we hold about you
- Request we correct any inaccurate personal data we hold about you
- Request we delete any personal data we hold about you (“Right to be Forgotten”). We have a process in place to ensure that HqO as well as any sub-processing entity are capable of supporting a user’s right to be forgotten.
- Restrict the processing of Personal Data we hold about you
- Object to the processing of Personal Data we hold about you
- Receive any Personal Data we hold about you in a structured and commonly used machine-readable format or have such Personal Data transmitted to another company.
We host our system exclusively within AWS's US East region. Our environments are logically separated by using completely different AWS accounts for production, staging and development. Private VPCs in our production environment ensure that communication between our services is protected from unauthorized connections. All data is encrypted in transit and at rest (with AWS RDS Aurora MySQL).
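The hosting claims above (US East only, VPC-internal services, encryption at rest) are the kind of thing a customer's security reviewer or an internal auditor checks against the account rather than takes on trust. The following is an added example, not HqO's own tooling: it audits a list of RDS instances in the shape boto3's `rds.describe_db_instances()` returns under `DBInstances`, flagging anything outside the allowed regions, any instance with storage encryption off, any publicly reachable endpoint, and any instance not placed in a VPC. The instance records are constructed sample data (the account ID is AWS's documentation placeholder), and the allowed-region set is an assumption: "US East" is taken to mean us-east-1 and us-east-2.

```python
"""Offline audit of RDS instances against a hosting policy.

Input records use the field names of the AWS RDS DescribeDBInstances API
(DBInstanceIdentifier, DBInstanceArn, StorageEncrypted, PubliclyAccessible,
DBSubnetGroup.VpcId). To run against a live account, replace SAMPLE_INSTANCES
with boto3.client("rds").describe_db_instances()["DBInstances"].
"""

# Assumption: "US East" means these two regions; adjust to your own policy.
ALLOWED_REGIONS = {"us-east-1", "us-east-2"}

# Constructed sample data, not a real account inventory.
SAMPLE_INSTANCES = [
    {   # compliant production cluster member
        "DBInstanceIdentifier": "prod-aurora-1",
        "Engine": "aurora-mysql",
        "DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:prod-aurora-1",
        "StorageEncrypted": True,
        "PubliclyAccessible": False,
        "DBSubnetGroup": {"VpcId": "vpc-0a1b2c3d4e5f6a7b8"},
    },
    {   # unencrypted and exposed: two findings
        "DBInstanceIdentifier": "legacy-mysql",
        "Engine": "mysql",
        "DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:legacy-mysql",
        "StorageEncrypted": False,
        "PubliclyAccessible": True,
        "DBSubnetGroup": {"VpcId": "vpc-0a1b2c3d4e5f6a7b8"},
    },
    {   # otherwise fine but hosted outside the allowed regions
        "DBInstanceIdentifier": "eu-replica",
        "Engine": "aurora-mysql",
        "DBInstanceArn": "arn:aws:rds:eu-west-1:123456789012:db:eu-replica",
        "StorageEncrypted": True,
        "PubliclyAccessible": False,
        "DBSubnetGroup": {"VpcId": "vpc-0f1e2d3c4b5a69788"},
    },
]


def region_from_arn(arn):
    """Extract the region from an AWS ARN (arn:partition:service:region:account:...)."""
    parts = arn.split(":")
    if len(parts) < 6:
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[3]


def audit_rds_instances(instances, allowed_regions=ALLOWED_REGIONS):
    """Return a list of (instance_id, finding) tuples; an empty list means compliant."""
    findings = []
    for inst in instances:
        ident = inst["DBInstanceIdentifier"]
        region = region_from_arn(inst["DBInstanceArn"])
        if region not in allowed_regions:
            findings.append((ident, f"hosted outside allowed regions: {region}"))
        # Encryption at rest is immutable after creation, so a False here means
        # a rebuild (snapshot, copy with KMS key, restore), not a settings change.
        if not inst.get("StorageEncrypted", False):
            findings.append((ident, "storage not encrypted at rest"))
        # A public endpoint contradicts the "private VPC only" claim even if
        # security groups currently block inbound traffic.
        if inst.get("PubliclyAccessible", False):
            findings.append((ident, "publicly accessible endpoint"))
        if not inst.get("DBSubnetGroup", {}).get("VpcId"):
            findings.append((ident, "not placed in a VPC"))
    return findings


if __name__ == "__main__":
    results = audit_rds_instances(SAMPLE_INSTANCES)
    for ident, finding in results:
        print(f"{ident}: {finding}")
    print(f"{len(results)} finding(s) across {len(SAMPLE_INSTANCES)} instance(s)")
```

Cross-account separation (production, staging and development in different accounts) cannot be verified from inside one account; run the audit with credentials for each account and check that the production VPC IDs never appear in the others. Encryption in transit for Aurora MySQL is governed by the cluster parameter `require_secure_transport`, which this instance-level check does not cover.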
To get a better sense of how our information security management system operates, here is a subset of our policies:
- Acceptable Use Policy
- Access Management Policy
- Assets Management Policy
- Backup Management Policy
- Change Management Policy
- Control of Operational Software Policy
- Cryptographic Policy
- Human Resource Security Policy
- Incident Response Policy
- Information Classification Policy
- Legal & Compliance Policy
- Logging and Monitoring Policy
- Mobile Device Management Policy
- Network Security Policy / Network Transfer Management
- Physical Access Policy
- Risk Management Policy
- Vendor Relationship Policy
- Vulnerability Management Policy
If you’d like to learn more about a particular policy, please contact us at [email protected].