Cyber Security

hophs.com has put in place technical and organizational measures to ensure that we maintain IT security across operations at hophs.com. An overview of some of the technical and organizational measures hophs.com has implemented is given below.

GDPR

As of May 25th, 2018, hophs.com is compliant with the EU’s General Data Protection Regulation (GDPR). hophs.com has taken the appropriate measures to be compliant, and by definition, hophs.com is a Processor under GDPR. You can find more details in our privacy policy.

IT Security policies

hophs.com has established written IT Security Policies that give guidance on the various areas of IT Security. Further technical and organizational measures are contained in these policies, which are based on best practice and international standards, e.g., ISO 27001 and NIST. These policies are regularly reviewed and take into account, among other things, the state of the art and the risks faced by hophs.com, so as to provide adequate IT Security that protects against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed at hophs.com.

Vendor assessments

hophs.com ensures a high level of IT Security across its operations through its choice of vendors: critical vendors must be ISO 27001 certified or SOC certified, or be able to demonstrate an otherwise equally high level of IT Security.

Encryption

hophs.com’s Cloud Computing storage is encrypted by default. Control of key management remains within hophs.com, and the keys cannot be accessed by third parties.

hophs.com’s workstations and laptops are encrypted to protect from data theft. Encryption and decryption are centrally managed by the IT Support Team.

Penetration testing

hophs.com conducts penetration testing by third-party experts once a quarter across all customer-facing systems. Results and issues are logged, assessed, and managed centrally by the Incident and Response Team.

Vulnerability disclosure program

hophs.com offers a bug bounty program to encourage security researchers to find IT Security bugs in hophs.com’s products, with the goal of continually improving the level of IT Security of hophs.com products. If you would like to participate in this program, please send an email to security@hophs.com.com.

Firewalls

hophs.com makes use of network segmentation supported by state-of-the-art firewall technologies for on-premise systems as well as cloud systems.

DDoS attack prevention

hophs.com makes use of extensive services that prevent and mitigate DDoS attacks.

Pseudonymization or anonymization

Where possible, hophs.com has automated pseudonymization or, alternatively, anonymization processes in systems handling personal data.

Access control

hophs.com has processes and procedures for access control, including on- and offboarding of employees as well as granting, revoking, and reviewing user access rights. User access rights are centrally managed in Active Directory. Every user receives a unique user account; shared user accounts are prohibited.

Physical access controls are implemented via ID badges. The details of visitors to hophs.com offices are recorded, and visitors are issued ID badges with the minimum access required. Offices are supervised 24/7 by trained security personnel.

Need-to-know restrictions

hophs.com’s rights management system follows the principle of least privilege: users receive the smallest set of privileges on a computer system that is necessary to carry out their responsibilities.

Segregation of duties

hophs.com’s software operation pipelines enforce segregation of duties, which effectively prevents software engineers from committing and publishing code changes without review by colleagues.

To further improve code quality, hophs.com has implemented two testing stages prior to the production environment. hophs.com user personal data is only available on production-level systems and is restricted to non-human access.

Awareness and training

hophs.com continually trains its staff. Courses are updated regularly to cover individual learning objectives, and hophs.com has compulsory baseline knowledge areas such as IT Security and Data Protection.

Confidentiality

All contracts with hophs.com employees and freelancers working for hophs.com include confidentiality provisions. hophs.com makes extensive use of non-disclosure agreements to ensure that confidentiality is maintained when working with third parties.

Incident response

hophs.com has an incident response team which consists of members from the following three organizational teams:

Legal Team and Data Protection Officer

IT Security Team

Incident Team

All incident reports, penetration test results, and bug bounty submissions are centrally assessed, documented, tracked, and monitored.

How to contact us

We take IT Security seriously. If you have any additional questions that aren’t answered above or by the hophs.com Help Center, please email security@hophs.com.com and we’ll reply as quickly as we can.