SECURITY

Our security commitment

LATEST UPDATE
January 12, 2023

Our Security Policies

Ensuring HiThrive customer data is secure and protected is our top priority, which is why we've taken extensive measures to maintain industry best practices in information security and data privacy.


Application Authorization

When you install HiThrive through a third-party platform (Slack, Microsoft Teams, etc.), we only request the minimal permissions required for HiThrive to function properly. We don't have access to your conversations, private or public messages, or files. The data we sync from third parties is limited to:

  • Names, profile pictures, email addresses and timezones of your team.
  • The name and icon of your workplace/team.
  • Messages where HiThrive has been explicitly invoked (for example, "/shoutout").
  • Reactions only on messages created by HiThrive (public shout-outs or awards).

Infrastructure

HiThrive uses Heroku for both staging and production environments. Our databases are only accessible by the services that require access and by users with revocable credentials. Credentials are rotated regularly and stored outside of our code.

Authentication

HiThrive leverages SSO web application login. Our website and servers use HTTPS over SSL (TLS 1.3) to protect your data. HiThrive is being used by Fortune 500, FinTech, and cloud-security companies, among others.

Availability

Our services are distributed across multiple physical data centers in the United States, enabling us to provide redundancy and failover protection.

Data Centers

Our application is hosted on Heroku, which is hosted and managed within Amazon Web Services data centers. These data centers are accredited:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

Internal Tools

HiThrive employees are required to follow stringent security practices such as:

  • Locking computers while away to prevent unauthorized access.
  • Accessing sensitive tools using secure single sign-on.
  • Using VPNs when on public networks.

Vulnerabilities

We regularly audit our codebase, third-party libraries and frameworks to ensure they're up-to-date and patched whenever a vulnerability is detected.

Encryption

Data is encrypted at rest and in transit. Only HiThrive employees and services with proper credentials have access to data. Our web-based apps, APIs and services are only accessible over TLS, ensuring connections internally and externally are encrypted.

PCI Compliance

All payments and stored payment methods are processed by Stripe, our payment processing partner. HiThrive does not have access to credit or debit card details once saved, other than Name, Billing Postal Code, Brand and Last 4.

Privacy

Here is our Privacy Policy

If you have any questions or concerns about security, please email security@hithrive.com