
Security at Humanitec

To say security is important to us at Humanitec is a huge understatement. Security is a top priority at Humanitec, underpinning all of our work and our daily activities. 

In order to guarantee optimal security, we work with external auditors and data-protection specialists on our comprehensive security program. We have established procedures to regularly evaluate security risks, threats and vulnerabilities for our users. This system also enforces a management process to continuously manage risk and meet security needs. To ensure neutrality around these processes and standards, certifications and recurring screenings are performed by external auditors.

Our Senior Management team is accountable for security and ensures that security capabilities and competence exist in all levels of our business. As a whole, we follow a holistic and collaborative approach to guarantee the confidentiality, availability, and integrity of your data. On this page, you can read about the various policies and security measures taken by Humanitec to secure user content and data hosted on our platform from unauthorized access.

How we protect your data

Our infrastructure runs on the Google Cloud Platform and on Amazon Web Service (AWS), both delivering infrastructure as a service with prime security capabilities.

ISO 27001 compliant data centers

The data centers used for storing your data and allowing the delivery of your data to your users are also certified for compliance with the ISO 27001 standard.

Data storage and encryption at rest

Your data is encrypted at rest in AWS S3 buckets and GCP Cloud SQL instances. AES-256 encryption is applied by default using each service's built-in encryption. This ensures the data is preserved and safe from prying eyes and manipulation.

Encryption in transit

All communication of your data between you, your services and Humanitec traverses the Internet as encrypted HTTPS traffic using TLS v1.2. Data is also encrypted in transit between Humanitec and our Content Delivery Networks (CDNs). This encryption during communication ensures information cannot be read or manipulated by unauthorized third parties.

Annual penetration tests

Our infrastructure, web applications, and APIs are penetration tested annually by external independent parties. Any vulnerabilities found are fixed based on our specifications in an internal SLA.

Backups

All our data, including S3 buckets and daily database backups, is replicated thanks to the use of GCP. Backup data is encrypted at rest using AES-256 encryption with keys provided by HashiCorp Vault.

Access to data

Access to your data is extremely restricted. We have hand-picked and trained support engineers and appropriate staff who, with your explicit permission, can help fix your problem by accessing the affected data that you authorize. These actions are recorded, audited and monitored. Humanitec's feature set covers role-based access control, which allows the org admin to set granular permissions.

Physical security

Did we mention we are a cloud native service? We do not have data centers. Physical security of our servers and of your data is covered by the AWS and GCP security certifications. Physical security at our offices is also governed by our security program.

Threat detection

We use Datadog to constantly monitor all activities and calls between our services and to other services. Anomaly detection helps us detect irregularities early on and eliminate them.

Secure headers

To protect our users from attacks, we leverage browser protections such as HTTP Strict Transport Security (HSTS).

Data retention policy

Your user data is kept on our servers for as long as you need it. Our Data Retention Policy and Data Classification Policy govern the way we manage data that needs deletion and retirement.

How we keep our service reliable

Auto-scalable Kubernetes

All our software components run in containers orchestrated by Kubernetes. The clusters are automatically resized when the load on the system exceeds a pre-defined threshold. Using the Humanitec platform, we ensure auditable tracking of any changes to our services, allowing us to seamlessly roll between versions. Our platform has been designed from scratch to support high volumes of web traffic, and this technology stack, alongside a microservice architecture, is the fundamental piece that caters to our high availability needs.

Disaster recovery and business continuity

Humanitec utilizes database replication architectures to ensure redundancy and uptime. Encrypted backups are made frequently and stored both at the data center and in a remote storage location. Each key service layer has redundant components, such as multiple servers that provide the same service and data, to ensure any failures do not impact the rest of the system. The data centers are also equipped with controls to enforce physical security and protection against environmental hazards.

How we keep our code secure

Vulnerability management

All vulnerabilities are managed in our internal vulnerability management tool. Once a vulnerability is detected, it is assigned a score, using a scoring system, and an owner. We have an internal SLA that stipulates deadlines for fixing vulnerabilities; progress is tracked by tools and, if necessary, a post-mortem is arranged as a learning exercise for our engineers to improve code security.

Code peer review

Our development process is based on GitHub’s pull request mechanism. Once a commit is made to a branch in a specific repository, the code is reviewed by members of the same team or from other engineering teams. Only once the pull request is approved by all tagged engineers is the code moved along in the development life cycle.

Quality Assurance (QA)

Once the code is ready to be tested, it is deployed to our staging environment. This environment runs a downscaled version of the production infrastructure and does not contain any production data. Quality assurance is performed in a different GCP cluster, entirely separate from production.

Secure Software Development Lifecycle

Security is part of our product organization and influences the product roadmap and specific features. We implement a philosophy of “security by design” where security features are embedded in the product and architecture design to ensure existing and new functionalities are free of vulnerabilities. We believe that engineers should be responsible for the code they create and have an established culture of accountability, which leads to a high level of code quality and security being maintained.

How we secure our business

Security monitoring and Incident Management

Humanitec continually looks out for any indicators that could potentially lead to security incidents. To supplement this, any event-alerting tools we use also escalate into rotations for Humanitec’s 24x7 incident response team. We also maintain an incident response plan that details ways to address an incident, including the processes of notification, escalation, managing and reporting as a result of an incident.

Security awareness program

All Humanitec employees and contracted third-parties are required to comply with Humanitec policies relevant to their scope of work, including security and data privacy policies. Our standard work contract includes confidentiality clauses.

Security policies

Humanitec has multiple internal policies directly pertaining to or containing details about data privacy, security, and acceptable use; the most widely distributed and available of which is the employee handbook that includes documentation on security, data privacy, and related measures. In addition, Humanitec also has a public-facing privacy policy.

Vendor security management

Every technology, SaaS product or tool is assessed to ensure a good understanding of the risks involved. Our Vendor Security Assessment Questionnaire (VSAQ) is based on the VSA (Vendor Security Alliance) and CSA (Cloud Security Alliance) standards. Confidentiality and non-disclosure agreements are required when sharing any sort of confidential information that could be sensitive, proprietary and/or personal in nature between Humanitec and an external third party. Any third-party service providers whose services involve access to any confidential information must agree contractually to data privacy and security commitments based on their level of access and handling of information.

Multi-factor authentication

The use of multi-factor authentication (MFA) is enforced throughout the main services Humanitec relies on. MFA is also encouraged by Humanitec to both its employees and customers. The use of MFA provides an additional measure for verifying a user’s claimed identity over the use of just a password. Currently, the minimum requirement for our MFA implementation is the use of a password combined with an access token (for instance, a code provided by Google Authenticator). MFA is also mandatorily enforced for GCP and GitHub access.

How you can protect your data

Roles and permissions

Humanitec strongly encourages the use of roles and permissions in order to provide different users with different levels of access rights to content, features, and functionality. This is in line with “least privilege” and “need to know” security principles, which adds another safeguarding layer to prevent unauthorized access and limit damage in the event of a user’s credentials being compromised.

HTTPS

While all activities relevant to content and data traversing the Internet are conducted with HTTPS enforced on Humanitec's side, we strongly recommend that customers and users also enforce HTTPS so that content and data integrity is maintained and free from manipulation as it is served from our service to your users' machines. Using HTTPS also keeps your important data and credentials out of the view of unauthorized third parties.

In case of a security incident

Incidents can happen to anyone — we are ready for such an event when it happens. We manage security incidents via a documented process, which includes notification of and cooperation with customers, data protection authorities, and law enforcement. Humanitec will notify affected customers without undue delay following incident detection, where we share a preliminary assessment of the incident and are open to cooperation. We follow article 33 of the GDPR when personal data is involved, and alert the supervisory authority regarding breach of personal data.

How to report vulnerabilities or contact Humanitec's privacy and security officers

Our security team can be reached by mailing security@humanitec.com.