Version 1.0. This policy was last updated in August 2020. While we will never deviate from our commitment to maintain the security of our service, we may update this policy from time to time.
WHO WE ARE
HubPro Limited ("HubPro", "we", "us", "our") owns the HubProActive (“HPA”) business management system Software as a Service (“SaaS”), suitable for all organisations but in particular SMEs who require a strong foundation on which to grow their business.
We are committed to ensuring HPA customers' data is protected to the highest level.
Our full Security Policy is available to customers on request and explains in detail the security controls we have implemented to protect the HPA architecture and our customer data.
HPA is hosted in UK data centres. Our Data Centres are ISO 27001:2013 certified, secure by design. For more information on the Security by Design, Disaster Recovery, Physical access, Monitoring and Logging, Surveillance and detection, GRC and Infrastructure Maintenance, please contact our HPA Information Security Officer at firstname.lastname@example.org
Strong Encryption: Customers' data entered in HPA is encrypted following best-practice security protocols with SHA-2 and 2048-bit encryption.
SAN Chain Certificates: SSL SAN Chain Certificates with strong 2048-bit encryption are used for Production and Testing Domains.
Application Vulnerability Assessment and Infrastructure Vulnerability Assessment are managed through automated security assessments.
Distributed Denial of Service (DDoS): A managed Distributed Denial of Service (DDoS) protection service provides always-on detection and automatic inline mitigations that minimize application downtime and latency.
User Passwords and Two-Factor Authentication: User passwords are protected by a one-way cryptographic hashing function with salt (random data). Passwords are not stored in plaintext and it’s not possible to reverse engineer the stored value equivalent. Customers can enable Two-Factor Authentication for user access across the organisation or for privileged users to make their accounts even more secure.
After a user has made 5 unsuccessful attempts to log in with incorrect login details, they will be locked out for 10 minutes.
Software version and packages Patching Cycle: We run a continual patching cycle to ensure operating systems and applications are kept up to date. This mitigates any exposure to vulnerabilities.
However, we do utilise some third parties that help provide our services. We ensure that the security measures in place at those third parties meet, at the very least, the same high security standards that we employ ourselves.
Our staff are vetted prior to employment through our recruitment process. Checks include Proof of Identity, Proof of Right to Work, Proof of Residency and, where required, criminal history checks.
We also maintain a suite of internal information security policies, procedures, and guidelines, including incident response plans, which all staff, contractors and third parties must follow. These are reviewed at least annually.
- Only employees with the necessary rights and roles have pre-authorised access to our servers and underlying data. Access is unique, logged and uses strong password policies coupled with two-factor authentication, where appropriate.
- Customer data is accessed by operational staff to provide necessary support and maintenance on an as-needed only basis, and only when approved by the customer (i.e. as part of support or incident management).
- Regular audits are performed and the process is reviewed by management to ensure only the right people have access to the necessary data and systems on an ongoing basis.
- All employees must sign confidentiality agreements, attest to following HubPro policies and guidelines and complete our Information and Cyber Security Training program.
- Our developers are versed in the OWASP Top Ten critical web application security risks.
Automated and manual backup and restore procedures are in place for the various system components of HPA, as well as the OS and Software Version level selective patch management process. For an exhaustive list of resiliency controls (among others), please contact our HPA Information Security Officer at email@example.com.