Hakkiri was built from the start to meet and exceed industry standards. We know that in the world of B2B SaaS solutions, trust is of the utmost importance. This is why we have implemented internal Security Controls in line with ISO 27001 and SOC 2. Additionally, our policies, controls and functionality are fully compliant with the General Data Protection Regulation (GDPR).
Our Security roadmap includes external ISO 27001 and SOC 2 Type II audits in 2021. Separately, we are always happy to work with prospective clients to walk through our controls in order to demonstrate that we meet their own internal vendor standards. We also maintain a questionnaire in the Vendor Security Alliance (VSA) format for interested parties. Finally, we want to acknowledge and thank the folks at GitLab, Adobe, and StrongDM for their open-source materials, which helped us establish our own Security Control Framework.
Client data is handled at the highest level of our Data Classification Matrix. It is prohibited from being stored locally on any endpoint. MongoDB Atlas is currently Hakkiri's primary and only data store. Atlas encrypts all cluster storage volumes and all snapshot volumes, so cluster data and backups are protected on disk (encryption at rest). Backups are taken multiple times a day.
Data in transit is encrypted with TLS and may only be accessed through an authenticated and authorized connection. There is no public access to client data of any kind.
We know strong security requires a chain of trust through all vendors used by all services involved in a solution. Every vendor used by Hakkiri undergoes a security assessment to ensure it meets or exceeds the same standards we hold for ourselves. This applies to internal systems as well, not just those that make up part of our platform products.
The main third-party providers of our application are world-class companies with enterprise trusted security. You can find their own security pages below:
Endpoint machines used by our employees and contractors are required to have full-disk encryption enabled, run an acceptable recent version of macOS with Anti-Virus software, have the firewall enabled, and be protected by a strong login/unlock password. We monitor these devices through a device management platform. Customer data is never needed on a local endpoint, and storing it there is prohibited.
Our cloud resources are protected by AWS Web Application Firewall (WAF), undergo regular security scans covering the OWASP Top 10 most common application vulnerabilities, and are exposed to the public only where absolutely necessary. Otherwise, they are hosted in a private subnet with no route to the public internet.
Access to our platform uses Auth0 for authentication; the passwords Auth0 stores are always salted and hashed with bcrypt. Our application offers three different roles that may be assigned within an organization depending on the level of access needed.
For all internal applications, we follow the principle of least privilege. Access to any of our tools must be approved based on whether it is needed for the requester's work. Access to customer data is granted only for support reasons, with approval from leadership.
We hold all employees and contractors to high ethical standards. Each must undergo a background check, sign our code of conduct and acceptable use policies, and complete required security training.
We also have a quarterly internal audit process to ensure we are following our established Security Controls and updating them as needed.