Last updated: December 12, 2020
Ensuring our customer data is secure and protected is a top priority at HiThrive, which is why we've taken extensive measures to bolster our security for our platform and tools the team at HiThrive use. HiThrive is hosted on Heroku and benefits from their world-class security. Our team takes additional proactive measures to ensure a secure infrastructure environment.
When you install HiThrive using a third-party (Slack, Microsoft Teams, etc), we only request the minimal permissions required for HiThrive to function properly. We don't have access to your conversations, private or public messages or files. The data we sync from third-parties is limited to:
- Names, profile pictures, email addresses and timezones of your team.
- The name and icon of your workplace/team.
- Messages where HiThrive has been invited (example "/shoutout")
- Reactions only on messages created by the HiThrive account (public shout-outs or awards).
HiThrive is hosted entirely on Heroku. Our databases are only accessible by the services that require access and by users with revocable credentials. Credentials are rotated regularly and stored outside of our code.
HiThrive leverages Slack’s OAuth for signing into our website, making HiThrive as secure as Slack. Our website and servers use HTTPS over SSL (TLS 1.3) to protect your data. HiThrive is being used by Fortune 500, FinTech, and cloud-security companies, among others.
Our services are distributed across multiple physical data centers in the United States, enabling us to provide redundancy and failover protection.
Our application is hosted on Heroku, which is hosted and managed within Amazon Web Services data centers. These data centers are accredited:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
HiThrive employees are required to follow stringent security practices such as:
- Locking computers while away to prevent unauthorized access.
- Accessing sensitive tools using secure single sign-on.
- Using VPNs when on public networks.
We regularly audit our codebase, third-party libraries and frameworks to ensure they're up-to-date and patched whenever a vulnerability is detected.
Our data is encrypted at-rest and in-transit. Only HiThrive employees and services with proper credentials have access to data. Our web-based apps, APIs and services are only accessible over TLS, ensuring connections internally and externally are encrypted.
All payments and stored payment methods are processed by Stripe, our payment processing partner. HiThrive does not have access to credit or debit card details once saved, other than Name, Billing Postal Code, Brand and Last 4.
If you have any questions or concerns about security, please email firstname.lastname@example.org.