Security Policy
Our security policy was last updated on December 18, 2024.
This security policy outlines the information security framework for Hubtype and its commitment to protect the confidentiality, integrity, and availability of its information assets. The policy applies to all employees, contractors, and third-party vendors who handle or have access to Hubtype's information assets.
Hubtype's security committee is responsible for defining goals and objectives for evaluating performance in information security and compliance with current legislation on information systems, and for continuously improving our activities, which are regulated by the management system that develops this policy. Management is responsible for providing the necessary resources and support to implement and maintain the security policy.
Information security policy framework
Hubtype has established a comprehensive information security policy framework that includes regular risk assessments, implementation of appropriate security controls, incident management, and compliance with relevant regulations and standards.
Asset management
Hubtype has a formal process for identifying, classifying, and protecting its information assets. This process includes regular review and updates to ensure the ongoing protection of critical information assets.
Human resource security
Hubtype performs security awareness and training programs for all employees and contractors to ensure that they understand their roles and responsibilities in maintaining the confidentiality, integrity, and availability of information assets.
Communications
Employees, contractors and vendors of Hubtype must follow the secure communication process to ensure that information is transmitted securely.
Access control
Hubtype has implemented access control processes following the Least Access Privilege approach, so that permissions are kept to the minimum and only authorized individuals have access to its information assets. This includes user registration, authentication, and authorization processes.
Infrastructure security
All components are defined using Infrastructure as Code (IaC), and the source code must be reviewed, taking into consideration the confidentiality, integrity and availability of the data, before the code is added to production. Hubtype monitors its critical components and has alarm systems that notify an on-call person if any irregularity occurs.
Application security
All source code must be reviewed taking into consideration the confidentiality, integrity and availability of the data. It must also follow the coding standards established at Hubtype and pass all the tests. Moreover, we have static analysis and image scanning in place to detect any vulnerability.
Customer data security
Hubtype uses TLSv1.2 to ensure data security in transit and SHA-256 encryption for data at rest. We also provide resilience by maintaining a second replica of our databases ready for use and by employing multi-AZ configurations in our critical components. All our critical providers processing or storing PII or data considered sensitive are GDPR compliant.
Roles and Responsibilities for Information Encryption
To ensure accountability and proper implementation of encryption practices, the following roles and responsibilities are defined:
- Data Protection Responsible (DPR):
  - Ensures that all data protection and security practices align with data privacy regulations and policies.
  - Acts as a liaison between the company and regulatory bodies regarding encryption compliance.
- Technical Security Manager:
  - Oversees the implementation and management of encryption policies.
  - Ensures compliance with regulatory standards (e.g., GDPR) regarding data encryption.
  - Periodically reviews and updates encryption protocols to address emerging threats.
  - Acts as the owner of encryption keys, responsible for securely storing them and granting access to other team members when needed.
- Engineering Teams:
  - Implement and maintain encryption technologies (e.g., TLSv1.2 for data in transit, SHA-256 for data at rest).
  - Conduct regular testing to ensure encryption methods are operational and effective.
  - Collaborate with the Technical Security Manager to address identified vulnerabilities in encryption mechanisms.
- IT Operations Team:
  - Manages and monitors the resilience features, including database replicas and multi-AZ configurations.
  - Ensures that encryption keys are securely stored and rotated as per policy requirements.
- All Employees:
  - Adhere to organizational policies regarding data handling and encryption.
  - Report any suspected security breaches or vulnerabilities immediately to the IT Security Team.
Regular training and audits are conducted to ensure all roles are equipped to handle their responsibilities effectively and to maintain the highest standards of data security.
Incident management
Hubtype has established an incident management process to respond to and report security incidents, including data breaches, network intrusions, and system failures.
Business continuity management
Hubtype has a business continuity plan in place to ensure the continuity of business operations in the event of a security breach or disruption.
Compliance
Hubtype is committed to complying with relevant legal and regulatory requirements, as well as industry standards and best practices, including ISO 27001.
Review and revision
Hubtype regularly reviews and revises its security policy to ensure its effectiveness and alignment with organizational needs. This review is conducted at least annually or as necessary based on changes in the information security environment.