Security is an integral component of our business. HqO's customers and users entrust us with their work-life information, and we aim to process and store that information thoughtfully and intelligently.
Our security team has designed and implemented a comprehensive information security management system (ISMS) program following the best practices described in ISO 27001 and NIST frameworks. The team aims to continuously improve the ISMS program alongside the business growth, reach, and input from various stakeholders including customers and regulators.
On this page, we describe the various security measures and compliance overviews at HqO. For more information about our security measures, please contact [email protected].
HqO is ISO 27001:2013 certified. The certification covers the ISMS supporting the confidentiality, integrity, and availability of customer data, supplier information, and HqO's internal data related to developing, operating, and planning a workplace experience platform environment.
HqO has obtained the SOC 2 Type II report by an examination of an independent third party. The report helps understand the controls HqO has established to support operations and compliance. The report is available upon request.
CSA Star Level 1
HqO has completed and regularly maintains the correctness of answers for security self-assessment (CAIQ v4.02) from Cloud Security Alliance (CSA). The completed questionnaire gives comprehensive information about the security practices that are in place at HqO.
HqO also leverages a number of third-party applications and services in support of the delivery of our solution to customers. We recognize that the company's information assets and vendor dependencies are critical to our continuing operations and delivery of services. As such, we have established a vendor management program that sets forth the requirements to be established and agreed upon when HqO engages with third parties or external vendors. For a complete list of HqO's sub-processors, please refer to our Data Processing Addendum document on our Legal Hub.
HqO maintains a comprehensive set of security policies and procedures which are communicated and accessible to all employees. We ask our employees during their onboarding and annually thereafter to read and understand these policies and procedures. We also plan, run, and continuously improve security awareness campaigns across the company to ensure all employees are aware of security best practices and how to best protect customers and other business information.
All policies and procedures that we have internally are bound to regular review at least annually. We also perform tests and compliance controls on all these areas to ensure that the measures are running effectively.
We host customer data on Amazon Web Services (AWS) infrastructure in the US East region data center located in Northern Virginia and the EU Central region data center located in Frankfurt, Germany. All primary instances of our infrastructure are replicated in real-time to secondary instances across multiple availability zones to ensure high availability service.
All data is encrypted during transmission and at rest. Backup snapshots of the database are captured at 5-minute intervals and retained for 30 days.
For ensuring the continuous security of our production environment, security vulnerability scanning is performed every 2 weeks using a third-party solution. Every year an external party performs a penetration test on our applications (web and mobile) and infrastructure. All identified observations are tracked and resolved according to the policy and procedure previously defined.
Frequently asked questions
We collect, store, and process a very limited amount of personal data from customers to deliver our service, such as name, work email address, and main work location.