Data And Information Security
Certain capitalized terms used in this document are defined in specific agreements with Customers and/or the General Terms and Conditions found at https://hackdra.com/terms/, which are incorporated by reference. This document shall form a part of the Terms.
Policies and Procedures
Hackdra shall maintain written security management policies and procedures to prevent, detect, contain, and correct violations of measures taken to protect the confidentiality, integrity, and availability of Hackdra information systems and/or Customer’s Confidential Information. Such policies and procedures shall (i) assign specific data security responsibilities and accountabilities to specific individual(s); (ii) include a formal risk management program, which includes periodic risk assessments; and (iii) provide an adequate framework of controls that safeguard Customer’s information systems, including without limitation any hardware or software supporting Customer, and Customer’s Confidential Information.
Data is encrypted at rest using AES-256. We encrypt all network communications with TLS, Perfect Forward Secrecy, and HTTP Strict Transport Security (HSTS). We do not store passwords themselves; we store: bcrypt(15, salt, strcat(password, sha512(app-token, env-token)))
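The password-storage construction above, worked as an added example that is not Hackdra's own code: the pepper is derived as sha512(app-token || env-token), appended to the password, and the result is put through a salted slow hash and verified in constant time. Because bcrypt is not in Python's standard library, hashlib.scrypt stands in for bcrypt(15, salt, ...); the token values are constructed placeholders, and the 72-byte figure is bcrypt's documented input limit, reported so the ordering of password and pepper can be checked.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

BCRYPT_INPUT_LIMIT = 72  # bytes of input that bcrypt implementations actually process


def derive_pepper(app_token: bytes, env_token: bytes) -> bytes:
    """sha512(app-token, env-token): a server-side secret the database never holds."""
    return hashlib.sha512(app_token + env_token).digest()  # 64 raw bytes


def build_material(password: str, pepper: bytes) -> bytes:
    """strcat(password, sha512(...)) as written in the policy: password first, pepper after."""
    return password.encode("utf-8") + pepper


def bytes_beyond_bcrypt_limit(material: bytes) -> int:
    """Trailing bytes a 72-byte-limited bcrypt would not consume (0 means all of it is hashed)."""
    return max(0, len(material) - BCRYPT_INPUT_LIMIT)


def hash_password(password: str, pepper: bytes,
                  salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted slow hash of password||pepper. scrypt stands in for bcrypt cost 15."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(build_material(password, pepper), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, pepper: bytes, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare without leaking timing."""
    _, candidate = hash_password(password, pepper, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed placeholder tokens; real ones live outside the database.
    pepper = derive_pepper(b"app-token-placeholder", b"env-token-placeholder")
    salt, stored = hash_password("correct horse battery", pepper)
    print("verify ok:", verify_password("correct horse battery", pepper, salt, stored))
    print("wrong pw:", verify_password("wrong", pepper, salt, stored))
    print("bytes past bcrypt limit:",
          bytes_beyond_bcrypt_limit(build_material("correct horse battery", pepper)))
```

With a 64-byte digest appended after the password, the material exceeds 72 bytes as soon as the password is longer than 8 bytes, which is why the helper reports the overflow.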
Business Continuity and Disaster Recovery
Hackdra maintains a Business Continuity Plan and Disaster Recovery Plan, which ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services. These Plans also include procedures for the restoration of systems, including the availability and access to personal data in a timely manner in the event of a physical or technical incident. Both Plans are updated and tested at least annually and are reviewed as part of our third party audits.
Hackdra shall engage one or more third parties to periodically (no less than annually) evaluate its processes and systems against industry accepted standards and to ensure continued compliance with obligations imposed by law, regulation, or contract with respect to the confidentiality, integrity, availability, and security of Customer’s Confidential Information within Hackdra information systems as well as the maintenance and structure of Hackdra’s information systems. The results of these evaluations and any remediation activities taken in response to such evaluations will be documented and available to Customers upon request.
Identification and Authorization
Hackdra shall maintain appropriate physical security controls (including facility and environmental controls) to prevent unauthorized physical access to Hackdra information systems and areas in which Customer’s Confidential Information is stored or processed.
Visitor Access Logs
Hackdra shall maintain sign in access logs for visitors and guests and ensure that such visitors and guests are escorted while in the facility. In addition, these access logs shall be maintained in a secure location for three (3) months.
Hackdra shall maintain reasonable network perimeter controls such as firewalls at all perimeter connections. Hackdra shall periodically (no less than annually) evaluate its network perimeter controls.
Hackdra shall employ reasonable vulnerability management processes to mitigate data security risks to Customer’s Confidential Information. These processes shall include mitigation steps to resolve issues identified by Hackdra, Customer, or any regulator, auditor, or other external constituent of either party.
System configuration parameters shall include procedures to disable all unnecessary services on devices and servers. This practice shall at a minimum be applied to all systems that access, transmit, or store Customer’s Confidential Information.
Hackdra shall establish and adhere to policies and procedures for patching systems. Systems and applications used to access, process or store Customer’s Confidential Information shall be maintained at current stable patch level.
Hackdra shall install commercially reasonable anomaly detection software, including anomaly/intrusion detection and detection of deviations from standard system configuration, on all systems used to access, process or store Customer’s Confidential Information as well as other information that Hackdra hosts. In addition, definition files shall be updated regularly.
Hackdra shall maintain formal processes to detect, identify, report, respond to, and resolve any event that compromises the confidentiality, availability, or integrity of Customer’s data or service provider’s systems (“Security Incidents”) in a timely manner.
Hackdra shall immediately provide Customer with notification of any known or reasonably suspected breach of security relating to Customer Systems or Customer’s Confidential Information. Hackdra will notify Customer immediately following discovery of any suspected breach or compromise of the security, confidentiality, or integrity of any Customer’s Confidential Information. Written notification provided pursuant to this paragraph will include a brief summary of the available facts and the status of Hackdra’s investigation.
For all systems that access, transmit or store Customer’s Confidential Information, system logs shall be in place to uniquely identify individual users and their access to associated systems and to identify the attempted or executed activities of such users. All systems creating system logs shall be synchronized to a central time source. Reasonable processes shall be in place to review privileged access and identify, investigate and respond to suspicious or malicious activity. System log trails shall be secured in a manner to prevent unauthorized access, modification, and accidental or deliberate destruction. These logs shall be maintained in accordance with the retention requirements set forth in the Agreement or upon a mutual written agreement signed by both parties.
Hackdra shall maintain processes to determine whether a prospective member of Hackdra’s workforce is sufficiently trustworthy to work in an environment which contains Hackdra information systems and Customer’s Confidential Information.
Change Control Process
Hackdra shall maintain reasonable change control processes to approve and track all changes within Hackdra’s computing environment. Substantive changes to the Hackdra production environment require a separate tracking and review process with additional authorizations.
Protection of Storage Media
Hackdra shall ensure that storage media containing Customer’s Confidential Information is properly sanitized of all Customer’s Confidential Information or is destroyed prior to disposal or re-use for non-Hackdra processing. All media on which Customer’s Confidential Information is stored shall be protected against unauthorized access or modification. Hackdra shall maintain reasonable and appropriate processes and mechanisms to maintain accountability and tracking of the receipt, removal and transfer of storage media used for Hackdra information systems or on which Customer’s Confidential Information is stored.
Hackdra shall maintain appropriate processes for requesting, approving, and administering accounts and access privileges for Hackdra information systems and Customer’s Confidential Information. Hackdra personnel, who access systems that store, transmit or process Customer’s Confidential Information shall be assigned individual system accounts to ensure accountability for access granted. This information is logged and stored in accordance with Hackdra’s Data Retention guidelines.
Hackdra shall implement appropriate password parameters for systems that access, transmit or store Customer’s Confidential Information (“Related Systems”). Hackdra shall implement strong authentication services, complex passwords (“Passwords”), and Multi-factor Authentication (where applicable) for all network and systems access to Related Systems. Default manufacturer passwords used in Hackdra’s products shall be changed upon installation.
Hackdra shall ensure that any agent, including without limitation any third-party subprocessor or subcontractor, to whom Hackdra provides Customer’s Confidential Information agrees to maintain reasonable and appropriate safeguards to protect such Customer’s Confidential Information.
Data Portability & Ensuring Erasure
You may also contact us with your Personal Information inquiries or for assistance in modifying or updating your Personal Information and to exercise any additional applicable statutory rights. We respect the privacy of all individuals and invite you to submit your requests, irrespective of where you reside. Please contact us here.
WE DO NOT SELL OR SHARE YOUR PERSONAL INFORMATION FOR CROSS-CONTEXT BEHAVIORAL ADVERTISING