Last updated: March 2021
hubs101 Security Standards
Security, Reliability, Recovery & Privacy
1. Physical Server Security
Amazon manages servers via hubs101 Amazon Web Services (AWS). AWS data centres are located in covert buildings. Particularly critical facilities are secured by military-style berms with perimeter surveillance, as well as other natural boundary protections. Physical access is closely monitored at both the perimeter and building entry points by professional security personnel using video surveillance, state-of-the-art intrusion detection systems and other electronic means. Authorised staff must go through two-factor authentication no less than three times to access data centre floors. All visitors and contractors must prove their identity and are signed in and continuously escorted by authorised personnel.
Amazon only grants access from the data centre and information to employees who have legitimate operational reasons for such privileges. If an employee no longer needs these privileges, their access will be revoked immediately, even if they remain an Amazon Web Services employee. All physical and electronic access to data centres by Amazon employees is routinely logged and monitored.
More details can be found here: https://aws.amazon.com/security/
As part of our internal policies, only technicians who have passed our hiring reviews (see Internal Policies section) and probationary period are granted access to the Amazon Web Services portal, two-factor authentication is required, and by default, technicians are granted access with the least privilege.
Amazon Web Services Data Processing Addendum
hubs101 has signed a copy of the Amazon Web Services Data Processing Addendum with standard clauses. A copy of this document is available upon request
For more information visit : https://aws.amazon.com/compliance/eu-daa-protection/
2. Physical security of hubs101’s office premises and contents.
Employees of hubs101 agree to security and privacy policies to manage and store confidential data on their laptops, phones and other electronic devices. Equipment is checked regularly to ensure that certain policies are in place. An employee key is required at all times to gain access to the office building. Our internal Wi-Fi networks are secured WPA2-PSK passcode. We use the power of Cisco’s Meraki MDM system on all our devices to create a hardware policy and inventory all our IT assets. We regularly check equipment compliance and fix problems personally and immediately, including updating operating system patches and anti-virus software. The hard drives of all hubs101 staff computers are encrypted using AES XTS mode with 128-bit blocks and a 256-bit key. Computers must enter sleep mode within a short period of inactivity and require password entry upon reawakening.
It is forbidden to remove USB sticks from the office. All data storage devices (NAS) are physically secured from removal.
Third party applications used by hubs101 staff are only accessible via the OneLogin one-sign-on login service. This ensures that we have appropriate access control for data in these applications. To access One-Login, staff must have a sufficiently strong password that is changed every six months and uses two-factor authentication.
3. Password protected login
All passwords for user and administrator accounts are created using the one-way hash algorithm bcrypt with Salt. Passwords are required for all event app users.
All communications between your devices and hubs101’s platform and ADIs are fully protected by Secure Secket Layer encryption (SSL) to protect your data from man-in-the-middle attacks and eavesdropping. SSL certificates are provided by Let’s Encrypt.
hubs101 uses built-in encryption in Amazon Web Services’ RDS service, which enables encryption of data in the database (and all backups) using industry-standard AES-256 encryption. Keys are generated and protected by a hardware security module provided by AWS.
4. Vulnerability testing and penetration testing
To protect our internal systems, hubs101 routinely scans our servers for known vulnerabilities.
At least once a year, and additionally after major changes to the code base, hubs101 reserves the right to hire a third-party firm to perform a vulnerability assessment on our products.
Customers conducting their own penetration test must complete and return a copy of the Penetration Test Request Form.
5. Reliability & Recovery
Redundant servers and data centres
hubs101’s architecture is designed to be redundant and fault tolerant. We are committed to providing and maintaining a highly available system. However, it is almost impossible to account for all possible failure modes and interruptions. Therefore, we have safeguards in place to deal with these eventualities.
Hubs101 uses Amazon AWS services as its primary hosting platform. For information on our infrastructure-level protections and details of the security, availability and recovery precautions taken by AWS, please visit https://aws.amazon.com/security/. We use EC2 server instances (see https://aws.amazon.com/ec2-sla/ for EC2 SLA) host our database for RDS services, replicated for failover protection and S3 buckets for eleven nines 99.99999999) %) of data durability.
The data in your hubs101 account is replicated across multiple database servers to prevent a single database failure from causing data loss.
In addition, this data is backed up every 20 minutes and stored securely using Amazon’s geographically distributed and fault-tolerant S3 services. This ensures that in the event of a catastrophic failure, your data is safe within the data centre and your records can be restored within a short period of time.
We keep backups in an encrypted state for a minimum of 7 days. And restore the new backup on a more daily basis to ensure it will work if needed in an incident scenario.
Security of user uploaded data
All user uploaded data (including images, documents and videos) is uploaded to the Amazon S3 platform (see http://aws.amazon.com/s3-sla/ for S3 SLA), which has a 99.9999999999 (99.9999999%) data durability and 99.99% availability and is automatically replicated across multiple data centres.
hubs101 has invested in and expanded cloud computing and deployment automation tools to streamline our daily operations. This automation is critical to our disaster recovery plan as each deployment we perform is the same process required to recover services from a service disruption where backup recovery is required. Our deployments take place daily and our automated tools are regularly checked to ensure they are working properly. Our architecture allows us to create a disaster recovery plan that can sustain failures in data centres in Amazon Web Services’ Virginia region. We have servers running across at least three of these data centres and can use our existing deployment automation on all five servers.
Failure monitoring and performance notifications
Our recovery plan is based on enterprise-level notification and monitoring systems. We use Pagerduty, a geographically distributed monitoring service, to perform uptime and performance checks on our systems at 60-second intervals. Should an alert occur, our development team is notified via push notifications, email or phone call and follows a clearly defined protocol to address the event.
Communication and customer service are always at the forefront at hubs101. Should a service interruption occur, our support team will proactively contact affected parties via email or phone and keep them informed of the situation. Open communication and insight into the issues are key to maintaining our customers’ trust.
Process after a service disruption
Within 24 hours of any service interruption, our support team will explain the cause of the problem and how we fixed it and how we will prevent this from happening in the future.
We encourage our clients to enter into our standard Agreement for Data Processing (ADV). This sets out the roles and responsibilities of both hubs101 (as data processor) and the event planner (as data controller) in relation to the collection, storage and use of personal data during their use of the hubs101 platform.
We have had our own privacy and data processing policies reviewed and have documented the processes for how we respond to requests for access to personal data, including providing data (under the right of access) and destroying or anonymising data (under the right to be forgotten) when a data controller (the organisation planning the event) instructs us to do so.
hubs101’s systems are robust and tailored to the needs of our clients. We have an automated scaling feature that deploys additional servers to handle excessive loads. However, this requires certain load thresholds to be met and ~10-15 minutes for new servers to be provisioned and configured for use. Performance issues are possible. Although this is rare, we keep a pre-installed server in hot standby mode. To avoid these problems, simply let us know your extensive usage plans. On the day of your event, we will provide additional servers to prepare for large scale usage.
hubs101’s policies are based on theCloud Security Alliance’s Consensus Assessment Initiative Questionnaire (CAIQ).
LOGO: CSA cloud security alliance
For more information, please visit: https://cloudsecurityalliance.org/group/consensus-assessments/. All hubs101 employees and contractors sign confidentiality agreements regarding custom data they interact with. In addition, hubs101 conducts background checks on all new employees. We regularly create and distribute training materials on security best practices and the proper handling of confidential client data.
Product development at hubs101 follows the OWASP Secure Software Development Life Cycle to ensure security experts are involved as early as possible in the creation of a new feature and to help our developers ensure our products are secure.
Reporting & Audi Trails
hubs101 collects comprehensive audit trails for all activity on hubs101 systems. Logs created by Amazon Web Services are stored centrally in Amazon Web Services CloudTrail and CloudWatch. Logs from hubs101 systems are stored centrally in Splunk and retained for 90 days. Administrators can track account actions, usernames, email addresses, IP addresses, and date and time for all actions.
hubs101 is committed to integrating security best practices into every aspect of development.
We do not currently participate in a bug bounty program, but we take privacy and vulnerability very seriously.
If any member of your organisation identifies any security issues, please contact firstname.lastname@example.org.