Hackdra Cybersecurity - Privacy Policy

Data And Information Security

security@hackdra.com
Effective Date: January 1, 2023

Certain capitalized terms used in this document are defined in specific agreements with Customers and/or the General Terms and Conditions found at https://hackdra.com/terms/, which are incorporated by reference. This document shall form a part of the Terms.

Policies and Procedures

Hackdra shall maintain written security management policies and procedures to prevent, detect, contain, and correct violations of measures taken to protect the confidentiality, integrity, and availability of Hackdra information systems and/or Customer’s Confidential Information. Such policies and procedures shall (i) assign specific data security responsibilities and accountabilities to specific individual(s); (ii) include a formal risk management program, which includes periodic risk assessments; and (iii) provide an adequate framework of controls that safeguard Customer’s information systems, including without limitation any hardware or software supporting Customer, and Customer’s Confidential Information.

Encryption

Data is encrypted at rest using AES-256. We encrypt all network communications with TLS, Perfect Forward Secrecy, and HTTP Strict Transport Security (HSTS). We don’t store passwords; we store: bcrypt(15, salt, strcat(password, sha512(app-token, env-token)))

Business Continuity and Disaster Recovery

Hackdra maintains a Business Continuity Plan and Disaster Recovery Plan, which ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services. These Plans also include procedures for the restoration of systems, including the availability and access to personal data in a timely manner in the event of a physical or technical incident. Both Plans are updated and tested at least annually and are reviewed as part of our third-party audits.

Security Evaluations

Hackdra shall engage one or more third parties to periodically (no less than annually) evaluate its processes and systems against industry accepted standards and to ensure continued compliance with obligations imposed by law, regulation, or contract with respect to the confidentiality, integrity, availability, and security of Customer’s Confidential Information within Hackdra information systems as well as the maintenance and structure of Hackdra’s information systems. The results of these evaluations and any remediation activities taken in response to such evaluations will be documented and available to Customers upon request.

Identification and Authorization

Hackdra uses technical and organizational measures to protect the Personal Information that we store, transmit, or otherwise process, against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. We regularly consider appropriate new security technology and methods as we maintain and develop our software and systems. Please see Hackdra Privacy Policy.

Physical Security

Hackdra shall maintain appropriate physical security controls (including facility and environmental controls) to prevent unauthorized physical access to Hackdra information systems and areas in which Customer’s Confidential Information is stored or processed.

Visitor Access Logs

Hackdra shall maintain sign in access logs for visitors and guests and ensure that such visitors and guests are escorted while in the facility. In addition, these access logs shall be maintained in a secure location for three (3) months.

Perimeter Controls

Hackdra shall maintain reasonable network perimeter controls such as firewalls at all perimeter connections. Hackdra shall periodically (no less than annually) evaluate its network perimeter controls.

Vulnerability Management

Hackdra shall employ reasonable vulnerability management processes to mitigate data security risks to Customer’s Confidential Information. These processes shall include mitigation steps to resolve issues identified by Hackdra, Customer, or any regulator, auditor, or other external constituent of either party.

System Hardening

System configuration parameters shall include procedures to disable all unnecessary services on devices and servers. This practice shall at a minimum be applied to all systems that access, transmit, or store Customer’s Confidential Information.

Patch Management

Hackdra shall establish and adhere to policies and procedures for patching systems. Systems and applications used to access, process or store Customer’s Confidential Information shall be maintained at current stable patch level.

Anomaly Detection

Hackdra shall install commercially reasonable anomaly detection software, to include anomaly / intrusion detections and deviations from standard system configuration, on all systems used to access, process or store Customer’s Confidential Information as well as other information that Hackdra hosts. In addition, definition files shall be updated regularly.

Incident Response

Hackdra shall maintain formal processes to detect, identify, report, respond to, and resolve any event that compromises the confidentiality, availability, or integrity of Customer’s data or service provider’s systems (“Security Incidents”) in a timely manner.

Incident Notification

Hackdra shall immediately provide Customer with notification of any known or reasonably suspected breach of security relating to Customer Systems or Customer’s Confidential Information. Hackdra will notify Customer immediately following discovery of any suspected breach or compromise of the security, confidentiality, or integrity of any Customer’s Confidential Information. Written notification provided pursuant to this paragraph will include a brief summary of the available facts and the status of Hackdra’s investigation.

System Logs

For all systems that access, transmit or store Customer’s Confidential Information, system logs shall be in place to uniquely identify individual users and their access to associated systems and to identify the attempted or executed activities of such users. All systems creating system logs shall be synchronized to a central time source. Reasonable processes shall be in place to review privileged access and identify, investigate and respond to suspicious or malicious activity. System log trails shall be secured in a manner to prevent unauthorized access, modification, and accidental or deliberate destruction. These logs shall be maintained in accordance with the retention requirements set forth in the Agreement or upon a mutual written agreement signed by both parties.

Background Checks

Hackdra shall maintain processes to determine whether a prospective member of Hackdra’s workforce is sufficiently trustworthy to work in an environment which contains Hackdra information systems and Customer’s Confidential Information.

Change Control Process

Hackdra shall maintain reasonable change control processes to approve and track all changes within Hackdra’s computing environment. Substantive changes to the Hackdra production environment require a separate tracking and review process with additional authorizations.

Protection of Storage Media

Hackdra shall ensure that storage media containing Customer’s Confidential Information is properly sanitized of all Customer’s Confidential Information or is destroyed prior to disposal or re-use for non-Hackdra processing. All media on which Customer’s Confidential Information is stored shall be protected against unauthorized access or modification. Hackdra shall maintain reasonable and appropriate processes and mechanisms to maintain accountability and tracking of the receipt, removal and transfer of storage media used for Hackdra information systems or on which Customer’s Confidential Information is stored.

System Accounts

Hackdra shall maintain appropriate processes for requesting, approving, and administering accounts and access privileges for Hackdra information systems and Customer’s Confidential Information. Hackdra personnel who access systems that store, transmit or process Customer’s Confidential Information shall be assigned individual system accounts to ensure accountability for access granted. This information is logged and stored in accordance with Hackdra’s Data Retention guidelines.

Passwords

Hackdra shall implement appropriate password parameters for systems that access, transmit or store Customer’s Confidential Information (“Related Systems”). Hackdra shall implement strong authentication services, complex passwords (“Passwords”), and Multi-factor Authentication (where applicable) for all network and systems access to Related Systems. Default manufacturer passwords used in Hackdra’s products shall be changed upon installation.

Third Parties

Hackdra shall ensure that any agent, including without limitation any third-party subprocessor or subcontractor, to whom Hackdra provides Customer’s Confidential Information agrees to maintain reasonable and appropriate safeguards to protect such Customer’s Confidential Information.

Data Minimization

We process Personal Information that you actively submit to us, that we automatically collect through your use of our Services, and that we collect from third parties for the following reasons. We may, when securing our website and Services, collect details about your device, your computer’s internet protocol (IP) addresses and other technical information, through our data security and firewall providers and/or when marketing our Services, we may collect identity and contact data from publicly available sources. For compliance with applicable laws (including but not limited to anti-money laundering and financing laws and regulations), we may, through third parties who use verification providers or due diligence and screening information providers, verify your information and collect information from publicly available sources or check data against government sanction lists. Please see Hackdra Privacy Policy.

Data Quality

Subject to where you are based, you may have rights under data protection and privacy laws, including but not limited to the CCPA and the EU General Data Protection Regulation (“GDPR”). Under these laws, individuals have the right to access Personal Information and to correct, amend, restrict, or delete that information where it is inaccurate, or has been processed in violation of your rights, except in some cases where their request is manifestly unfounded or excessive, or where certain other circumstances apply, for example where the rights of persons other than the individual will be violated. Please see Hackdra Privacy Policy.

Data Retention

Hackdra retains Personal Information for a reasonable time period to fulfill the processing purposes. Please see Hackdra Privacy Policy.

Data Portability & Ensuring Erasure

You may also contact us with your Personal Information inquiries or for assistance in modifying or updating your Personal Information and to exercise any additional applicable statutory rights. We respect the privacy of all individuals and invite you to submit your requests, irrespective of where you reside. Please contact us here.

WE DO NOT SELL OR SHARE YOUR PERSONAL INFORMATION FOR CROSS-CONTEXT BEHAVIORAL ADVERTISING