Security and Trust
Hakkiri was built from the start to meet and exceed industry standards. We know that in the world of B2B SaaS solutions, trust is of the utmost importance. This is why we have implemented internal Security Controls to be in-line with ISO 27001 and SOC2. Additionally our policies, controls and functionality are fully compliant with the General Data Protection Regulation (GDPR).
Our Security roadmap includes external ISO 27001 and SOC2 Type II audits in 2020. Separately, we are always happy to work with prospective clients to walk through our controls in order to demonstrate we meet their own internal vendor standards. We also maintain a questionnaire in the format from the Vendor Security Alliance (VSA) for interested parties. Finally, we want to acknowledge and thank the folks at GitLab, Adobe, and StrongDM for their open-source materials that helped us establish our own Security Control Framework.
Security and Trust
Client data is handled at the highest level of our Data Classification Matrix. It is prohibited from being stored locally on any endpoints. MongoDB Atlas is currently Hakkiri's primary and only data store. MongoDB Atlas encrypts all cluster storage and snapshot volumes, securing all cluster data on disk: a concept known as encryption at rest. Atlas encrypts all snapshot volumes. Backups are made multiple times a day.
Data in flight is encrypted with TLS/SSL and may only be accessed through an authenticated and authorized connection. There is no public access of client data of any kind.
We know strong security requires a chain of trust through all vendors used by all services involved in a solution. All vendors used by Hakkiri undergo a security assessment to ensure they are meeting or exceeding the same standards we hold for ourselves. This goes for any internal systems, not just those that make up part of our platform products.
The main third-party providers of our application are world-class companies with enterprise trusted security. You can find their own security pages below:
Endpoint machines used by our employees and contractors are required to be encrypted and running an acceptable recent version of MacOS plus Anti-Virus software. Additionally, they must have their Firewall enabled and use a strong password protecting login/unlock. We monitor these devices through a device management platform. Customer data is never needed to be on a local endpoint and is prohibited.
Our cloud resources are protected with AWS Web Application Firewall (WAF), undergo regular security scans covering the OWASP Top 10 most common application vulnerabilities, and only are exposed to the public if absolutely necessary. Otherwise they are hosted in a private subnet, completely cut off from the public web.
Identity and Access Management
Access to our platform uses Auth0 for authentication where the passwords they store are always hashed and salted using bcrypt. Our application offers three different roles that may be assigned within an organization depending on the level of access needed.
For all internal applications, we follow the principle of least privilege. Access to any of our tools must be approved based on whether access is needed to do their work. Access to customer data is granted only for support reasons, with approval from leadership.
Hakkiri uses Zendesk for users to communicate with us for any ideas, bugs, or issues. Zendesk support is built within our application to make it as easy as possible to interface with us. Upon a ticket being created, a support engineer will review and take appropriate next steps. Support can also be reached at email@example.com.
People and Business Conduct
We hold all employees and contractors to high ethical standards. Each must undergo a background check, sign our code of conduct and acceptable use policies, as well as take required security training.
We also have a quarterly internal audit process to ensure we are following our established Security Controls and updating them as needed.
Security and Trust
How does Hakkiri integrate with Jira?
Customers may use cloud hosted versions of their tools (ex: Jira Cloud) or host them (ex: Jira Server) on internal servers. Hakkiri needs to be able to access those servers to be able to collect the data used to provide organizational transparency and analytics.
For cloud hosted tools Hakkiri leverages the secure API connections those products make available. Those connections can be securely setup by users with Administrative privileges to those tools. The API calls to Jira outside of the initial set-up are read-only and do not require admin level privileges during normal operation.
For internally hosted tools secure connections can be established by whitelisting Hakkiri IPs. The IP addresses that Hakkiri will use will be provided during account setup.
All traffic is HTTPS (port 443). You may specify a custom port (other than 443) in the URL when configuring the URL for the on-premise server in Hakkiri.
HTTPS webhook traffic from the internal system to Hakkiri (outbound from the on-premise network) will go to the same IP addresses. It is only necessary to whitelist these IP addresses for outbound connections if you normally block outbound connections which is less common.
Where is Data Stored?
Hakkiri is built on Amazon’s AWS. To find out more information about Amazon’s security and infrastructure, please visit their security statement: https://aws.amazon.com/security/. We currently store all persisted data in encrypted form in a MongoDB Atlas database that is hosted in Amazon's AWS. To find out more information about MongoDB's security and infrastructure please visit their security statement: https://www.mongodb.com/cloud/atlas/security. All backups of the MongoDB database are kept on AWS for a period of 90 days at which point they are deleted permanently. We do not keep local copies of production data.
How is Data Accessed?
Your data can only be accessed via an SSL connection using an authenticated session. We do not provide exports or any form of a download of your data. It is not possible to access your underlying data directly.
Who has Data Access?
Only authenticated users with the username and password you provide can access your data. There is no public access to your data of any kind.