We get asked lots of weird and wonderful questions – ‘will it work in space?’, ‘why did you call it Hassl?’ (the answer to the last question is simple – we’ve removed the es from everyday hassles). A more frequent question and one which we take very seriously is how we’ve set-up Hassl’s security, and how data is stored.
For your safety and comfort, our Technical Director has spent close to a decade building robust cloud-based platforms – apps for governments, custom internal portals for tech giants. You name it, we’ve housed it securely and safely. On top of that we have a cybersecurity expert undertaking regular penetration tests on all current, and soon to be released features.
We’ve always been aware that building a virtual workplace would entail a solid security, data and privacy plan. After we design a feature – we plan how to safely secure, host and store it. We’ll always be completely transparent with our user base on where your data lives and how we handle our security measures.
Where is my data processed and stored?
All Hassl production services are run on infrastructure managed by AWS (Amazon Web Services). Computing’s done on their EC2 platform, and all your files are stored within S3. The servers themselves are located in their highly secure Asia-Pacific data centres. From Amazon’s documentation:
AWS has achieved ISO 27001 certification and has been validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). We undergo annual SOC 1 audits and have been successfully evaluated at the Moderate level for Federal government systems as well as DIACAP Level 2 for DoD systems.
We chose Amazon because, just like Netflix, we trust them with our code and your data. Here’s some handy links to their security measures and processes;
What’s your production environment? Do you play around with our data?
No, just our own. We maintain completely separate and distinct production, staging, and development environments. Production data is not replicated outside of the production restricted environments.
All customer data is considered highly sensitive and protected. No one other than our development staff can access your data, and this is exclusively done upon request (i.e, if there’s an issue in your account you’d like us to check up on). Needless to say, all staff involved have had pertinent security checks and are full-time, on-site, fully-vetted employees.
Are your online payments secure?
We’re glad you asked. We are PCI compliant – this means we host any online transactions (in-browser and in our apps) with a secure and compliant third-party. We use Stripe, who are a PCI Level 1 Service Provider (hint: that’s the best level).
How safe are my username, passwords and other data?
All data in transit is encrypted, and all passwords are hashed with the insanely secure Blowfish algorithm. Access rights and account privileges are controlled with JWT tokens – a handy little encrypted ‘key’ which allows you to communicate with our servers without having to expose your security details every time.
What if there’s a disaster and your office burns down?
Hats off to the cloud for this one. Amazon boasts an unbelievable 99.999999999% durability for all files on its S3 services. Nothing you upload there is going to disappear anytime soon. On our EC2 instances, our production databases are backed up daily. We have well-tested backup and restoration procedures, and can recover from a major disaster within a couple of hours (provided our developers are okay!).
How do you prevent bad guys from getting access to your systems?
Administrator access to our AWS account rests solely in the hands of our technical director. For the real important stuff, he’s the only one able to get in there. On top of this, for all server access to our production environments we’ve implemented two-factor authentication, meaning a password or private key alone ain’t gonna cut it.
Are you GDPR compliant?
We are indeed! You can contact our privacy officer at firstname.lastname@example.org, and of course if for any reason you’d like 100% of your data completely removed from our systems, we guarantee this can be done within 48 hours of reaching out (excluding Australian public holidays).
We do hope this answers any questions you have. For any further questions or suggestions, please send our Technical Director Mitch a direct email at email@example.com.