Trust & Safety

Security & Compliance

We take security seriously. Learn about our comprehensive approach to protecting your data.

GDPR - Compliance and Certification

If you are dealing with any European Union data through a vendor (like Hook0), then you need a contractual agreement in place with each vendor so the EU knows you're only doing business with companies that fully comply with the General Data Protection Regulation (GDPR).

Data Processing Addendum

A data processing agreement (DPA) - also known as a data processing addendum - is a contract between data controllers and data processors, or between data processors and subprocessors.

Subprocessors

Under the GDPR, a sub-processor is any business or contractor through which customer data may pass as a side effect of using Hook0's service.

PCI DSS

Hook0's payment and card information is handled by Stripe, which has been audited by an independent PCI Qualified Security Assessor and is certified as a PCI Level 1 Service Provider, the most stringent level of certification available in the payments industry. Hook0 does not typically receive credit card data, which makes it compliant with the Payment Card Industry Data Security Standard (PCI DSS) in most situations.

Vulnerability Disclosure

If you would like to report a vulnerability or have any security concerns with a Hook0 product, please contact [email protected].

Include a proof of concept, a list of the tools used (including versions), and the output of those tools. We take all disclosures very seriously. Once a disclosure is received, we rapidly verify each vulnerability before taking the necessary steps to fix it. Once verified, we periodically send status updates as problems are fixed.

If you would like to encrypt sensitive information that you send us, our PGP key can be found on Keybase.

We also have an open bug bounty for reports of critical vulnerabilities in the Hook0 API (https://app.hook0.com/api/v1/).

Infrastructure and Network Security

Physical Access Control

Hook0 is hosted on the Clever Cloud platform. Clever Cloud data centers feature a layered security model, including extensive safeguards such as:

  • Custom-designed electronic access cards
  • Alarms and perimeter fencing
  • Vehicle access barriers and metal detectors
  • Biometric authentication

Hook0 employees do not have physical access to Clever Cloud data centers, servers, network equipment, or storage.

Logical Access Control

Hook0 is the assigned administrator of its infrastructure on Clever Cloud, and only designated, authorized members of the Hook0 operations team have access to configure the infrastructure, on an as-needed basis, from behind a two-factor-authenticated virtual private network. Specific private keys are required for individual servers, and those keys are stored in a secure, encrypted location.

Third-Party Audit

Clever Cloud regularly undergoes various independent third-party audits and can provide verification of compliance controls for its data centers, infrastructure, and operations. This includes, but is not limited to, SSAE 16-compliant SOC 2 certification and ISO 27001 certification.

Business Continuity and Disaster Recovery

High Availability

Every part of the Hook0 service runs on properly provisioned, redundant servers (e.g., multiple load balancers, web servers, and replica databases) so that a single failure does not take the service down. As part of regular maintenance, servers are taken out of operation without impacting availability.

Business Continuity

Hook0 keeps hourly encrypted backups of data in multiple regions on Clever Cloud. While never expected, in the case of production data loss (i.e., the primary data stores are lost), we will restore organizational data from these backups.

Disaster Recovery

In the event of a region-wide outage, Hook0 will bring up a duplicate environment in a different Clever Cloud region. The Hook0 operations team has extensive experience performing full region migrations.

Corporate Security

Malware Protection

At Hook0, we believe that good security practices start with our own team, so we go out of our way to protect against internal threats and local vulnerabilities.

Risk Management

Hook0 follows the risk management procedures outlined in NIST SP 800-30, which include nine steps for risk assessment and seven steps for risk mitigation.

All Hook0 product changes must go through code review, CI, and the build pipeline before reaching production servers. Only designated employees on Hook0's operations team have secure shell (SSH) access to production servers.

Hook0 performs risk assessments throughout the product lifecycle, following the standards outlined in the HIPAA Security Rule, 45 CFR 164.308.

Security Policies & Training

Hook0 maintains an internal wiki of security policies, which is updated on an ongoing basis and reviewed annually for gaps. All new employees receive onboarding and systems training, including a review of the security policies.

Disclosure Policy

Hook0 follows the incident handling and response process recommended by SANS, which includes identifying, containing, eradicating, recovering from, communicating, and documenting security events.

Hook0 maintains a live report of operational uptime and issues on our status page. Any known incidents are reported there, as well as on our Twitter feed.