Security

Over 1500+ businesses worldwide use Hiver and they count on us to keep their data safe and secure. Hiver takes data security and privacy very seriously. We’ve especially developed processes, technologies and policies to ensure that we deliver on our data security promise.

This document outlines some of the mechanisms and processes that we’ve implemented to keep your data safe and secure.

Transparency & Data Privacy

We believe that security policies should be absolutely transparent to the customers and the measures are outlined below.

Privacy Policy

The Hiver privacy policy is accessible at https://hiverhq.com/privacy and is strictly adhered to by all Hiver processes and our employees.

User Email data stored with Hiver

Hiver does not store your emails on its servers. Everything stays in your Gmail accounts. We store some of the email metadata information to enable our core functionality. These include: (i) email identifiers (Message-ID) (ii) email subject and (iii) the sender’s email ID. This information helps Hiver identify emails uniquely across your team. Apart from the above mentioned, no other email data gets stored with Hiver.

Hiver stores raw email data temporarily in an encrypted state while it syncs emails across Gmail accounts. This duration will never exceed 10 minutes for 99% of the emails. When the emails have been successfully synced across Gmail accounts, the data is deleted permanently.

User data being passed to 3rd party services

Hiver engages different types of sub-processors to perform various functions including (but not limited to) storage, usage analytics, etc. The complete list of sub-processors and the purpose of processing can be found at https://hiverhq.com/third-party-subprocessors

Security Practices

Hiver adheres to the best practices in security. The measures are outlined below.

Security Policy

Hiver has an internal security policy to enforce the security practices within the team and the processes within the company. We use two factor authentication (2FA) and strong password policies on all the cloud services (AWS, Github, G Suite etc) that we use internally. We strictly control the access to customer data. Only Hiver employees who require customer data access as a necessary part of their job function are permitted to access the customer data.

Security Audits

Hiver annually engages in 3rd party security audits and we constantly scan out systems for security vulnerabilities. All access to the production servers are logged and the access is restricted to Hiver’s infrastructure team only.

Incident response policy

We have a strict policy in place about how to handle security related events, and how our team responds to them. We have monitoring tools in place which generate alerts when security events are detected and the concerned teams are notified immediately.

Vulnerability Disclosure Program

Hiver has a Vulnerability disclosure program where we encourage security researchers to report the security vulnerabilities. As a protocol,fixing reported bugs takes precedence over other tasks.

Infrastructure and Physical security

All our services and data is hosted in the USA. Hiver is hosted on Amazon web services (AWS) which are highly scalable, secure, and absolutely reliable AWS complies with leading security policy and frameworks including SAS70 level II, SSAE 16, SOC framework and ISO 27001.

To know more about how AWS manages security in its data centers, please visit https://aws.amazon.com/data-center/controls

Network Security

We implement the best practices in securing and maintaining our infrastructure. Our infrastructure is isolated from the public internet, within separate VPCs in AWS

Network Firewalls

We adhere to best practices in securing our infrastructure with network firewalls. Each of our servers uses firewalls to restrict access from external systems and between systems internally. Access is restricted to only the ports and protocols which are required by Hiver services and everything else is blocked.

TLS Encryption

The entire data transmission to or from Hiver happens over 128-bit SSL encrypted connection. Our application endpoints are TLS/SSL only and score a rating of “A+” rating on SSL Labs tests. We have taken every possible measure to keep our encryption standards meet the best practices.

Distributed Denial of service (DDOS) prevention

Hiver implements the best practices for preventing DDoS attacks. Our data centers are hosted at AWS. AWS uses a lot of Denial-of-service mitigation techniques to guard against the risk of attacks. Hiver uses the AWS Shield service too which is a managed DDoS protection service that safeguards applications running on AWS.

Storage and Backup

Hiver uses Amazon RDS as its persistent data store. Application logs, access logs and other monitoring related data are stored within AWS infrastructure on EBS disks or S3.

All application generated data is backed up automatically every few hours. Hiver keeps a copy of last database backup in encrypted state at Google’s Compute storage too. This will ensure that we will be able to restore the application within just a few hours even if there a complete AWS outage.

G Suite data access and Authentication

Google Single Sign-On (SSO)

Hiver uses Google Single Sign-on (SSO) to login users to the Hiver app. Hiver uses the OAuth protocol to authenticate users via G Suite. The OAuth tokens to access the users’ Gmail accounts are encrypted before getting stored. Hiver does not store any user specific passwords or any other kind of authentication detail.

G Suite Data Access

Hiver requests for authorization of G Suite email data access once you've installed the app. Hiver requires access to the following G Suite data:

  • Gmail API access for all Gmail accounts using Hiver (authenticates via OAuth). These are the permissions that Hiver requires. Read more on why Hiver needs these permissions.
  • If Hiver is installed from the G Suite marketplace, it requires access to the list of all Users and the list of all Groups in the organization.

Apart from the above mentioned items, Hiver does not require access to other areas of users’ G Suite data.

Revoking access

Users/organizations have the authority to revoke Hiver access to their G Suite account anytime through their G Suite admin panel if Hiver was installed domain-wide from the G Suite marketplace.

If Hiver was not installed domain-wide from G Suite marketplace, users can individually revoke the access from their Google account settings.

Payment Processing

All payments are processed using Stripe. Hiver does not store customers' credit card details.

Compliances

ISO27001

A part of the ISO 27000 family of standards, ISO 27001 is an information security standard, the last version of which was published in 2013.

ISO 27001 specifies a management system intended to bring information security under management control and lays down specific requirements. Organizations that meet the requirements may be certified by an accredited certification body following the successful completion of an audit.

You can view our ISO27001 certification here.

SOC2 Type II

SOC compliance is a component of the American Institute of CPAs’ (AICPA) Service Organization Control reporting platform, intended to assure the security, availability, processing integrity, confidentiality, and privacy of customer data. SOC 2 audits are both technical and pragmatic, as they require that a company document and follow comprehensive information security policies and procedures.

The complete SOC 2 Type II report will be available upon a request sent to security@hiverhq.com under a non-disclosure commitment.

GDPR

The EU General Data Protection Regulation (GDPR) sets a new standard for how companies use and protect EU citizens’ data. It has taken effect from May 2018.
Hiver has worked diligently to prepare for GDPR, to ensure that we fulfill its obligations. We've now completed our GDPR readiness program and will be publishing more information about our compliance soon.

CCPA

The California Consumer Privacy Act (CCPA) establishes and enhances consumer privacy rights for California residents and imposes rules on businesses that handle their personal information. Subject to certain limitations, the CCPA provides California residents the right to request to know more about the categories and specific pieces of personal information we collect (including how we use and disclose this information), to delete their personal information, to opt-out of any promotional activities that may be occurring and to not be discriminated against for exercising these rights.

Hiver does not sell (as the term is defined in the CCPA) the personal information we collect.