Security at H2Cyber
Information Security Program
As a Cybersecurity company, we take Information Security very seriously! We have a Written Information Security Program (WISP) aligned to industry standards and continuously evaluate ways to improve our security posture. Our WISP, as well as our other policies and procedures, is shared with all employees.
Compliance
Our payment processor is Stripe, a certified Level 1 Service Provider. H2Cyber never has access to sensitive payment data.
Internal Security Measures
Personnel Security
We perform background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for US employees. Employees are also required to acknowledge the security policy and sign a confidentiality agreement.
Security Expert Vetting
Our Cyber Experts are vetted to ensure they hold adequate Cybersecurity certifications and/or have a minimum amount of time as a senior cybersecurity practitioner.
Identity and Access Management
All our employees have a unique login with access based on a least privilege model.
Hardware Security
Our laptops, desktops, and servers are managed, have encrypted hard drives and are monitored with Endpoint Detection and Response (EDR) and Artificial Intelligence (AI) based antivirus where possible.
Physical Security
Our corporate office is secured by key fob access doors. Entrances and exits are observed and captured by cameras and are monitored and protected by an alarm system.
Network Security
Our internal network has various defense-in-depth measures and practices the principle of zero trust via Secure Gateways.
Security Awareness
All our employees receive security awareness training upon hire, and training continues throughout the year.
Incident Response
We have an in-depth Security Incident Response Plan (S-IRP) for handling security events which includes identification, containment, eradication, and recovery efforts.
Secure Coding
Our development staff are trained in secure coding standards to ensure the code written conforms to industry standards such as OWASP and SEI CERT.
H2Cyber’s Application Security
H2Cyber’s Small Business Software as a Service (SaaS) platform is primarily hosted in Amazon Web Services (AWS), which provides redundancy, scalability, and a host of other benefits.
Customer Data and Privacy
We store the following customer data within our cloud ecosystem:
- Names
- Usernames and email addresses
- Payment history and invoices
- Phone number
- Billing address
- Company name and address
- Business website
- Business affiliations
- Control artifacts and answers
Encryption
We use both encryption in transit and encryption at rest to protect PII and non-public data from unauthorized access.
All communications between users and H2Cyber’s SaaS services are encrypted in transit using Transport Layer Security (TLS).
All databases and database backups are encrypted at rest.
Data Retention
Customers can request to have all their data deleted by sending an email to [email protected] as long as it is not subject to legal hold or investigation.
Once an account is deleted, all associated data is removed from the system; this removal is irreversible.
Access to Data
Customer data is limited to only those who created the account, any identified affiliations, and H2Cyber’s support team. Access is limited to authorized individuals who require it for their job. Being on our network grants no corporate resources or additional privileges; we run on a zero-trust corporate network.
3rd Party Sub-processors
We do use 3rd party service providers to help with analytics, payments, sending emails and for hosting our SaaS service. The data provided to these services is limited to only the information they need to perform their processing duties.
Infrastructure Availability
H2Cyber’s SaaS service is hosted in AWS in the USA, spread across multiple availability zones, and monitored to detect any downtime. AWS currently has an uptime of 99.9%, and our SLAs are driven by its service commitments to its customers.
Passwords
We enforce password complexity standards, leverage Multi-Factor Authentication where possible and employ a host of other best practices related to password management.
Penetration Testing and Security Scans
We conduct external penetration testing via Cobalt’s Pentest as a Service (PtaaS) at least annually and perform external vulnerability scanning on a more frequent basis via Tenable.io and SecurityMetrics. It is against H2Cyber’s Terms of Service to probe, scan, or test the vulnerability of the Service or any Content, or any system or network connected to the Service, without the express written consent of H2Cyber.
DDoS Protection
We use Cloudflare which protects against Distributed Denial of Service (DDoS) attacks across websites, applications, and networks.
Web Application Firewall
We use Cloudflare’s web application firewall, which keeps our applications and APIs secure and available by detecting anomalies and malicious activity, so that only legitimate traffic reaches them.
Database Firewall
We use advanced firewall rules within MongoDB to allow only secure connections from known, trusted components of our application.
Responsible Disclosure
If you believe you have discovered a vulnerability within H2Cyber’s SaaS service, please submit a report to us by emailing [email protected].
If you believe your account has been compromised, please report it to [email protected].
Best Practices
Below are some best practices we wish to pass along for your consideration.
- Create a complex password for your account that is at least 12 characters long. It should consist of upper case letters, lower case letters, numbers, and special characters.
- Utilize Multi-Factor Authentication where possible.
- Never share sensitive information with third parties.
- H2Cyber will never reach out to you for your password, nor require you to make payments via gift cards.
- Microsoft and Apple will never contact you directly asking to gain access to your device. Never grant someone remote access to your machine without verifying who they are.
- Review your login activity on a frequent basis to ensure your account is not compromised.
Contact
If you have any additional questions regarding the security of H2Cyber’s SaaS service, please email us at [email protected].