HqO Security Practices
Security is an integral component of our business. HqO’s customers and users entrust us with their work-life information, and we aim to process and store that information thoughtfully and intelligently.
We see our data security as a differentiator for us in the marketplace, and we have commitments from all levels of the business to resource it appropriately.
Our security team, led by our Chief Information Security Officer, is composed of individuals in leadership positions from our technology, legal, operations, human resources and finance teams.
We meet weekly for quick check-ins and monthly for official updates with our CISO, and we hold more than twenty ceremonies throughout the year covering a wide array of security-related activities to plan, execute, monitor and react within our ISMS.
Here is a list of the certifications and compliance frameworks we either have or are pursuing.

| Framework | Status | Details |
|---|---|---|
| SOC 2 | ✔ | HqO is SOC 2 Type I certified and will become SOC 2 Type II certified in Q1 2021. We will maintain SOC 2 compliance thereafter as an annual ceremony. For a copy of our independent auditor’s report, please email us at [email protected] |
| GDPR, GDPR-UK | ✔ | HqO has been GDPR compliant since October 2019. Formerly covered by the Privacy Shield, we now execute Standard Contractual Clauses with customers and plan to regionalize our architecture by Q3 2021. |
| CCPA | ✔ | Although we are not subject to CCPA based on its criteria, HqO has been CCPA compliant since October 2019. We will maintain CCPA compliance through each major and minor revision of the regulation. |
| PIPEDA | ✔ | For our Canadian customers, we have maintained compliance with PIPEDA since January 2020. |
| ISO 27001 | Q1 2021 (target) | Our ISMS is geared towards ISO 27001. In December 2020, we passed our ISO Stage 1 audit and are scheduled for our Stage 2 audit on February 1st 2021. We aim to be certified for the framework by the end of Q1 2021. |
We believe that all of our users and customers have rights to their data, regardless of regulatory governance.
You may have the right to:
- Request access to the personal data we hold about you
- Request we correct any inaccurate personal data we hold about you
- Request we delete any personal data we hold about you (“Right to be Forgotten”). We have a process in place to ensure that HqO as well as any sub-processing entity are capable of supporting a user’s right to be forgotten.
- Restrict the processing of Personal Data we hold about you
- Object to the processing of Personal Data we hold about you
- Receive any Personal Data we hold about you in a structured and commonly used machine-readable format or have such Personal Data transmitted to another company.
We host our system exclusively within AWS’s US East region. Our environments are logically separated by using completely different AWS accounts for production, staging and development. Private VPCs in our production environment ensure that communication between our services is protected from unauthorized connections. All data is encrypted in transit and at rest (our datastore is AWS RDS Aurora MySQL).
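The controls in the paragraph above (encryption at rest, TLS in transit, no public database endpoints, instances confined to the production VPC) are the kind a customer or auditor would want to verify rather than take on trust. The following is an added illustration, not HqO's own tooling: an audit function run over constructed sample records shaped like the boto3 `describe_db_clusters`, `describe_db_instances` and `describe_db_cluster_parameters` responses. The identifiers, VPC id and key ARN are made up, and the response shapes and the `require_secure_transport` parameter name are assumptions about the AWS API that should be checked against the live account.

```python
"""Audit an Aurora MySQL cluster against the controls described above.

Added example with constructed sample data; the dict shapes mimic boto3's
RDS describe_* responses (an assumption) and every identifier is fictitious.
"""
from typing import Dict, List

# Constructed sample: an encrypted cluster with one non-public writer
# instance inside the production VPC and TLS enforced by parameter group.
SAMPLE_CLUSTER: Dict = {
    "DBClusterIdentifier": "example-prod-aurora",
    "Engine": "aurora-mysql",
    "StorageEncrypted": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example-key-id",
    "DBClusterParameterGroup": "example-prod-params",
}
SAMPLE_INSTANCES: List[Dict] = [
    {
        "DBInstanceIdentifier": "example-prod-aurora-1",
        "DBClusterIdentifier": "example-prod-aurora",
        "PubliclyAccessible": False,
        "DBSubnetGroup": {"VpcId": "vpc-0example"},
    },
]
# Aurora MySQL parameter that rejects non-TLS client connections (assumed
# name/value; on Aurora MySQL the value is ON or OFF).
SAMPLE_PARAMETERS: List[Dict] = [
    {"ParameterName": "require_secure_transport", "ParameterValue": "ON"},
]


def audit_cluster(cluster: Dict, instances: List[Dict],
                  parameters: List[Dict], expected_vpc: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    # Encryption at rest: StorageEncrypted is fixed at cluster creation and
    # cannot be switched on later, so a False here means a rebuild.
    if not cluster.get("StorageEncrypted"):
        findings.append(
            f"{cluster['DBClusterIdentifier']}: storage not encrypted at rest")

    # Encryption in transit: Aurora offers TLS, but only enforces it when
    # require_secure_transport is ON in the cluster parameter group.
    params = {p["ParameterName"]: p.get("ParameterValue") for p in parameters}
    tls_value = (params.get("require_secure_transport") or "OFF").upper()
    if tls_value not in ("ON", "1"):
        findings.append(
            f"{cluster['DBClusterIdentifier']}: require_secure_transport is "
            f"{tls_value}; TLS is optional for clients")

    # Network isolation: every member must be non-public and in the VPC
    # the production environment is supposed to live in.
    for inst in instances:
        if inst.get("DBClusterIdentifier") != cluster["DBClusterIdentifier"]:
            continue
        name = inst["DBInstanceIdentifier"]
        if inst.get("PubliclyAccessible"):
            findings.append(f"{name}: publicly accessible endpoint")
        vpc = inst.get("DBSubnetGroup", {}).get("VpcId")
        if vpc != expected_vpc:
            findings.append(f"{name}: in VPC {vpc}, expected {expected_vpc}")
    return findings


if __name__ == "__main__":
    for line in audit_cluster(SAMPLE_CLUSTER, SAMPLE_INSTANCES,
                              SAMPLE_PARAMETERS, "vpc-0example") or ["all checks passed"]:
        print(line)
```

Against a live account the three sample structures would come from `boto3.client("rds")` calls with the same names; the logic is unchanged. The transit check is the one most often missed in practice, because storage encryption is visible on the console while an unenforced TLS setting still lets a misconfigured client connect in plaintext; the same fact can be confirmed from inside the database with `SHOW GLOBAL VARIABLES LIKE 'require_secure_transport'`.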
To get a better sense of how our information security management system operates, here is a subset of our policies:
- Acceptable Use Policy
- Access Management Policy
- Assets Management Policy
- Backup Management Policy
- Change Management Policy
- Control of Operational Software Policy
- Cryptographic Policy
- Human Resource Security Policy
- Incident Response Policy
- Information Classification Policy
- Legal & Compliance Policy
- Logging and Monitoring Policy
- Mobile Device Management Policy
- Network Security Policy (Network Transfer Management)
- Physical Access Policy
- Risk Management Policy
- Vendor Relationship Policy
- Vulnerability Management Policy
If you’d like to learn more about a particular policy, please contact us at [email protected].