Over 1500+ businesses worldwide use Hiver and they count on us to keep their data safe and secure. Hiver takes data security and privacy very seriously. We’ve especially developed processes, technologies and policies to ensure that we deliver on our data security promise.
This document outlines some of the mechanisms and processes that we’ve implemented to keep your data safe and secure.
We believe that security policies should be absolutely transparent to the customers and the measures are outlined below.
The Hiver privacy policy is accessible at https://hiverhq.com/privacy and is strictly adhered to by all Hiver processes and our employees.
Hiver does not store any email data on its servers apart from the email identifiers (Message-ID) and the email subject which helps Hiver to identify emails uniquely across your team. Neither the email headers (TO, FROM, CC), nor the email body (including the attachments) are stored with Hiver.
Hiver stores raw email data temporarily in an encrypted state while it syncs emails across Gmail accounts. This duration will never exceed 10 minutes for 99% of the emails. When the emails have been successfully synced across Gmail accounts, the data is deleted permanently.
Hiver collects the user activity data on Hiver and sends it to these 3rd party analytics services:
The data passed to the above mentioned services are only related to the user activity on Hiver app. The purpose of collecting this data is to understand product usage and apply the same to improve the app. No part of the users' personal data (including email data, Hiver feature specific data or any other personal information) is ever passed to any 3rd party services.
Users can opt of the user activity tracking by dropping us an email at support@hiverhq.com mentioning the same.
Hiver adheres to the best practices in security. The measures are outlined below.
Hiver has an internal security policy to enforce the security practices within the team and the processes within the company. We use two factor authentication (2FA) and strong password policies on all the cloud services (AWS, Github, G Suite etc) that we use internally. We strictly control the access to customer data. Only Hiver employees who require customer data access as a necessary part of their job function are permitted to access the customer data.
Hiver annually engages in 3rd party security audits and we constantly scan out systems for security vulnerabilities. All access to the production servers are logged and the access is restricted to Hiver’s infrastructure team only.
We have a strict policy in place about how to handle security related events, and how our team responds to them. We have monitoring tools in place which generate alerts when security events are detected and the concerned teams are notified immediately.
Hiver has a Vulnerability disclosure program where we encourage security researchers to report the security vulnerabilities. As a protocol,fixing reported bugs takes precedence over other tasks.
All our services and data is hosted in the USA. Hiver is hosted on Amazon web services (AWS) which are highly scalable, secure, and absolutely reliable AWS complies with leading security policy and frameworks including SAS70 level II, SSAE 16, SOC framework and ISO 27001.
Apart from the above, AWS provides other physical security measures such as:
The AWS data centers, where Hiver is hosted, are guarded by security guards 24/7. The data centers uses state of the art electronic surveillance to monitor any suspicious activity.
AWS provides built in support for MFA to access Hiver servers. This would require a user to type in their login and password and a dynamic PIN to access the servers. This protects the servers from unauthorized usage.
Hiver uses the AWS CloudTrail service which provides logs of all user activity at Hiver servers.
We implement the best practices in securing and maintaining our infrastructure. Our infrastructure is isolated from the public internet, within separate VPCs in AWS
We adhere to best practices in securing our infrastructure with network firewalls. Each of our servers uses firewalls to restrict access from external systems and between systems internally. Access is restricted to only the ports and protocols which are required by Hiver services and everything else is blocked.
The entire data transmission to or from Hiver happens over 128-bit SSL encrypted connection. Our application endpoints are TLS/SSL only and score a rating of “A+” rating on SSL Labs tests. We have taken every possible measure to keep our encryption standards meet the best practices.
Hiver implements the best practices for preventing DDoS attacks. Our data centers are hosted at AWS. AWS uses a lot of Denial-of-service mitigation techniques to guard against the risk of attacks. Hiver uses the AWS Shield service too which is a managed DDoS protection service that safeguards applications running on AWS.
Hiver uses Amazon RDS as its persistent data store. Application logs, access logs and other monitoring related data are stored within AWS infrastructure on EBS disks or S3.
All application generated data is backed up automatically every few hours. Hiver keeps a copy of last database backup in encrypted state at Google’s Compute storage too. This will ensure that we will be able to restore the application within just a few hours even if there a complete AWS outage.
Hiver uses Google Single Sign-on (SSO) to login users to the Hiver app. Hiver uses the OAuth protocol to authenticate users via G Suite. The OAuth tokens to access the users’ Gmail accounts are encrypted before getting stored. Hiver does not store any user specific passwords or any other kind of authentication detail.
Hiver requests for authorization of G Suite email data access once you've installed the app. Hiver requires access to the following G Suite data:
Apart from the above mentioned items, Hiver does not require access to other areas of users’ G Suite data.
Users/organizations have the authority to revoke Hiver access to their G Suite account anytime through their G Suite admin panel if Hiver was installed domain-wide from the G Suite marketplace.
If Hiver was not installed domain-wide from G Suite marketplace, users can individually revoke the access from their Google account settings.
All payments are processed using Stripe. Hiver does not store customers' credit card details.
We are working on implementing the General data protection program (GDPR) across our organization. We'll be ready to share more detailed information on this soon and commit to being GDPR ready by the 25 May 2018.