Security

Over 1500 businesses worldwide use Hiver, and they count on us to keep their data safe and secure. Hiver takes data security and privacy very seriously. We have developed processes, technologies and policies specifically to ensure that we deliver on our data security promise.

This document outlines some of the mechanisms and processes that we’ve implemented to keep your data safe and secure.

Transparency & Data Privacy

We believe that security policies should be absolutely transparent to the customers and the measures are outlined below.

Privacy Policy

The Hiver privacy policy is accessible at https://hiverhq.com/privacy and is strictly adhered to by all Hiver processes and our employees.

User Email data stored with Hiver

Hiver does not store any email data on its servers apart from the email identifiers (Message-ID) and the email subject, which help Hiver to identify emails uniquely across your team. Neither the email headers (TO, FROM, CC) nor the email body (including the attachments) is stored with Hiver.

Hiver stores raw email data temporarily in an encrypted state while it syncs emails across Gmail accounts. This duration will never exceed 10 minutes for 99% of the emails. When the emails have been successfully synced across Gmail accounts, the data is deleted permanently.

User data being passed to 3rd party services

Hiver collects the user activity data on Hiver and sends it to these 3rd party analytics services:

The data passed to the above-mentioned services relates only to user activity on the Hiver app. The purpose of collecting this data is to understand product usage and use that understanding to improve the app. No part of the users' personal data (including email data, Hiver feature-specific data or any other personal information) is ever passed to any 3rd party services.

Users can opt out of the user activity tracking by dropping us an email at support@hiverhq.com mentioning the same.

Security Practices

Hiver adheres to the best practices in security. The measures are outlined below.

Security Policy

Hiver has an internal security policy to enforce the security practices within the team and the processes within the company. We use two-factor authentication (2FA) and strong password policies on all the cloud services (AWS, GitHub, G Suite, etc.) that we use internally. We strictly control access to customer data. Only Hiver employees who require customer data access as a necessary part of their job function are permitted to access the customer data.

Security Audits

Hiver annually engages in 3rd party security audits and we constantly scan our systems for security vulnerabilities. All access to the production servers is logged and the access is restricted to Hiver’s infrastructure team only.

Incident response policy

We have a strict policy in place about how to handle security related events, and how our team responds to them. We have monitoring tools in place which generate alerts when security events are detected and the concerned teams are notified immediately.

Vulnerability Disclosure Program

Hiver has a vulnerability disclosure program where we encourage security researchers to report security vulnerabilities. As a protocol, fixing reported bugs takes precedence over other tasks.

Infrastructure and Physical security

All our services and data are hosted in the USA. Hiver is hosted on Amazon Web Services (AWS), which is highly scalable, secure, and absolutely reliable. AWS complies with leading security policies and frameworks including SAS70 level II, SSAE 16, SOC framework and ISO 27001.

Apart from the above, AWS provides other physical security measures such as:

24x7 Security

The AWS data centers, where Hiver is hosted, are guarded by security guards 24/7. The data centers use state-of-the-art electronic surveillance to monitor any suspicious activity.

Multi Factor Authentication (MFA)

AWS provides built-in support for MFA to access Hiver servers. This requires a user to type in their login, password and a dynamic PIN to access the servers. This protects the servers from unauthorized usage.

Security Logs

Hiver uses the AWS CloudTrail service which provides logs of all user activity at Hiver servers.

Network Security

We implement the best practices in securing and maintaining our infrastructure. Our infrastructure is isolated from the public internet, within separate VPCs in AWS.

Network Firewalls

We adhere to best practices in securing our infrastructure with network firewalls. Each of our servers uses firewalls to restrict access from external systems and between systems internally. Access is restricted to only the ports and protocols which are required by Hiver services and everything else is blocked.

TLS Encryption

All data transmission to or from Hiver happens over a 128-bit SSL encrypted connection. Our application endpoints are TLS/SSL only and score an “A+” rating on SSL Labs tests. We have taken every possible measure to ensure our encryption standards meet the best practices.

Distributed Denial of Service (DDoS) prevention

Hiver implements the best practices for preventing DDoS attacks. Our data centers are hosted at AWS. AWS uses many denial-of-service mitigation techniques to guard against the risk of attacks. Hiver also uses the AWS Shield service, which is a managed DDoS protection service that safeguards applications running on AWS.

Storage and Backup

Hiver uses Amazon RDS as its persistent data store. Application logs, access logs and other monitoring related data are stored within AWS infrastructure on EBS disks or S3.

All application-generated data is backed up automatically every few hours. Hiver also keeps a copy of the last database backup, in an encrypted state, at Google’s Compute storage. This ensures that we will be able to restore the application within just a few hours even if there is a complete AWS outage.

G Suite data access and Authentication

Google Single Sign-On (SSO)

Hiver uses Google Single Sign-On (SSO) to log users in to the Hiver app. Hiver uses the OAuth protocol to authenticate users via G Suite. The OAuth tokens to access the users’ Gmail accounts are encrypted before being stored. Hiver does not store any user-specific passwords or any other kind of authentication detail.

G Suite Data Access

Hiver requests authorization for G Suite email data access once you've installed the app. Hiver requires access to the following G Suite data:

  • Gmail API access for all Gmail accounts using Hiver (authenticates via OAuth). These are the permissions that Hiver requires. Read more on why Hiver needs these permissions.
  • If Hiver is installed from the G Suite marketplace, it requires access to the list of all Users and the list of all Groups in the organization.

Apart from the above mentioned items, Hiver does not require access to other areas of users’ G Suite data.

Revoking access

Users/organizations have the authority to revoke Hiver access to their G Suite account anytime through their G Suite admin panel if Hiver was installed domain-wide from the G Suite marketplace.

If Hiver was not installed domain-wide from G Suite marketplace, users can individually revoke the access from their Google account settings.

Payment Processing

All payments are processed using Stripe. Hiver does not store customers' credit card details.

GDPR readiness

The EU General Data Protection Regulation (GDPR) sets a new standard for how companies use and protect EU citizens’ data. It has been in effect since May 2018.
Hiver has worked diligently to prepare for GDPR, to ensure that we fulfill its obligations. We've now completed our GDPR readiness program and will be publishing more information about our compliance soon.