Security at Humanitec
To say security is important to us at Humanitec is a huge understatement. It is at the heart of everything we do, driving not only how we build and operate our platform but also shaping our daily activities and decisions as a company. Security is not just a priority for us—it is a fundamental aspect of how we conduct our business and deliver value to our users.
We understand that trust in our platform relies heavily on how well we protect your data and secure our services. To ensure we meet the highest standards, we have established a comprehensive security program. This includes collaborating with external auditors and data protection specialists, as well as implementing robust procedures to regularly evaluate risks, threats, and vulnerabilities. Our management process is designed to constantly address and adapt to evolving security needs, ensuring that our users’ data is safe at all times.
To maintain objectivity and transparency, we rely on third-party certifications and regular audits performed by external organizations. This ensures that our security practices are independently validated and meet globally recognized standards.
Our Senior Management team leads the charge in ensuring that security is embedded in every part of our organization. They are responsible for driving a culture of security awareness and ensuring that all levels of our business are equipped with the necessary knowledge and capabilities. By fostering collaboration across teams and departments, we take a holistic approach to security, guaranteeing the confidentiality, availability, and integrity of your data.
This page outlines the policies and security measures we have in place to protect the content and data hosted on our platform from unauthorized access. We are committed to providing you with transparent and comprehensive information about how we manage security.
How we protect your data
Our infrastructure runs on the Google Cloud Platform (GCP) and Amazon Web Services (AWS), both of which deliver infrastructure as a service with strong security capabilities.
Humanitec is SOC 2 Type II Certified
We have achieved SOC 2 Type II certification, reflecting our adherence to rigorous standards for security, availability, processing integrity, confidentiality, and privacy.
To request the full report please contact security@humanitec.com.
GDPR Compliance with Vanta
Humanitec ensures full compliance with the General Data Protection Regulation (GDPR) through Vanta's automated solutions. This underscores our dedication to data protection and privacy for users in the European Union.
Data storage and encryption at rest
Your data is encrypted at rest in AWS S3 buckets and GCP Cloud SQL instances. AES-256 encryption is used by default with the platform’s encryption services, ensuring your data remains safe and preserved.
Encryption in transit
All communication of your data between you, your services, and Humanitec traverses the Internet via encrypted HTTPS traffic using TLS v1.2. Data is also encrypted during transit between Humanitec and our Content Delivery Networks (CDNs). This ensures data integrity and confidentiality during communication.
Annual penetration tests
Our infrastructure, web applications, and APIs are penetration tested annually by independent external parties. Any vulnerabilities found are remediated within defined internal SLAs.
Backups
All our data, including S3 buckets and database daily backups, is replicated and encrypted at rest using AES-256 encryption with keys provided by HashiCorp Vault.
Access to data
Access to your data is highly restricted. Authorized support engineers and appropriate staff can access your data only after obtaining explicit permission, and all actions are logged and monitored.
Physical security
As a cloud-native service, Humanitec does not operate its own data centers. Physical security for servers is managed by AWS and GCP and covered by their certifications. Additionally, office physical security is governed by our internal security program.
Threat detection
We continuously monitor activities using Datadog for anomaly detection and early identification of irregularities.
Secure headers
To protect users from attacks, we leverage browser protections such as HTTP Strict Transport Security (HSTS).
Data retention policy
User data is retained as long as required. Our Data Retention and Data Classification Policies govern how data is managed for deletion and retirement.
How we keep our service reliable
Auto-scalable Kubernetes
To provide a reliable and seamless experience, we run all our software components in containers orchestrated by Kubernetes. This setup allows us to automatically scale resources up or down based on system demands, ensuring that our services can handle high volumes of traffic without interruptions. By using Kubernetes, we ensure that our infrastructure remains agile and responsive to your needs, regardless of the workload.
Additionally, our platform includes robust tracking and version control mechanisms. These features allow us to roll out updates and new features with minimal disruption to our services. Our microservice architecture and technology stack have been designed from the ground up to prioritize high availability, offering you a dependable platform for your operations.
Disaster recovery and business continuity
We take a proactive approach to ensuring our platform remains operational, even in the face of unexpected events. Our disaster recovery strategy is built on a foundation of redundancy and resilience. By utilizing database replication architectures, we ensure that your data is always available and accessible, even in the event of a failure.
We create frequent encrypted backups of all critical data and store them both onsite at the data center and in remote locations. This ensures that we can quickly recover and restore services in the event of an outage. Redundant components, such as multiple servers providing the same services, further bolster our ability to withstand failures.
Our hosting providers, GCP and AWS, add another layer of protection, with robust physical security and safeguards against environmental hazards. These measures allow us to maintain business continuity and deliver uninterrupted services, even under challenging circumstances.
How we keep our code secure
Vulnerability management
Code security is a continuous process at Humanitec, one that begins with identifying and addressing potential vulnerabilities. We use an internal vulnerability management tool to track and prioritize issues based on their severity and potential impact. Each vulnerability is assigned an owner, ensuring accountability and clear timelines for resolution.
Our internal Service Level Agreements (SLAs) define deadlines for fixing vulnerabilities, with progress monitored through dedicated tools. In cases where vulnerabilities require deeper analysis, we conduct post-mortems to identify root causes and implement lessons learned. This approach not only resolves current issues but also helps us enhance our processes and prevent future occurrences.
Code peer review
At Humanitec, collaboration is a cornerstone of our development process. Code peer reviews ensure that every line of code is scrutinized by multiple engineers before it is integrated into our system. This rigorous process leverages GitHub’s pull request mechanism, where team members or engineers from other departments review commits. Only after all reviewers approve a pull request does the code proceed in the development lifecycle, ensuring quality and reducing the likelihood of vulnerabilities.
Quality Assurance (QA)
Testing is an integral part of our development process, and we take it seriously. Before new code is deployed to production, it undergoes rigorous testing in a staging environment. This environment mirrors our production infrastructure but operates on a smaller scale and does not use real user data. By isolating QA processes in a separate GCP cluster, we ensure that testing does not interfere with live operations.
Secure Software Development Lifecycle
Security is embedded in every stage of our software development lifecycle. We adopt a “security by design” philosophy, which means security considerations are integral to product and architecture design. From planning and implementation to testing and deployment, we take steps to minimize risks and address potential vulnerabilities proactively.
Our engineers are held to a high standard of accountability for the code they produce. This culture of responsibility ensures that quality and security are always top priorities, leading to robust, secure, and reliable software.
How we secure our business
Security monitoring and Incident Management
We continuously monitor our systems for signs of potential security incidents. This includes tracking indicators and events that could signal vulnerabilities or breaches. Our event-alerting tools are configured to escalate issues directly to our 24/7 incident response team, ensuring swift action whenever necessary.
In addition to monitoring, we have a well-documented incident response plan. This plan outlines the steps for notifying stakeholders, escalating issues, managing incidents, and reporting outcomes. It ensures that all incidents are handled efficiently and with minimal disruption to our services.
Security awareness program
Security is not just the responsibility of a single team—it’s a company-wide commitment. Every employee and contractor at Humanitec is required to adhere to our security and data privacy policies. These policies are reinforced through training programs, ensuring that everyone understands their role in maintaining security. Our standard contracts also include confidentiality clauses, emphasizing the importance of protecting sensitive information.
Vendor security management
We work with numerous vendors and third-party providers, each of whom is carefully assessed for security risks. Our Vendor Security Assessment Questionnaire (VSAQ) is based on industry standards from the Vendor Security Alliance (VSA) and Cloud Security Alliance (CSA). Vendors who access confidential information must comply with strict security and data privacy requirements, ensuring that our standards are upheld across all partnerships.
Multi-factor authentication
To enhance security, we enforce multi-factor authentication (MFA) across all critical systems. MFA combines something you know (like a password) with something you have (like a code from an authentication app). This additional layer of protection significantly reduces the risk of unauthorized access. Employees, contractors, and customers are all encouraged to use MFA for added security.
How you can protect your data
Roles and permissions
We strongly advocate for the principle of “least privilege” when it comes to managing access to your data. By assigning roles and permissions, you can control who has access to what, minimizing the risk of unauthorized actions. This approach not only protects sensitive information but also reduces the potential damage in the event of a security breach.
HTTPS
While Humanitec enforces HTTPS for all communications between our platform and your users, we recommend that you also enforce HTTPS for your own websites and applications. This ensures that all data exchanged between our services and your users’ devices is encrypted, maintaining integrity and confidentiality.
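The two HTTPS-related points above (browser protections such as HSTS, and the recommendation that you enforce HTTPS on your own sites) can be checked mechanically. The following is an added example, not Humanitec's code: an offline checker that parses a plain-HTTP response and an HTTPS response, verifies that plain HTTP redirects permanently to https:// on the same host, and validates the Strict-Transport-Security header (presence, a max-age of at least one year, and includeSubDomains). The sample responses and the hostname app.example.test are constructed for the example.

```python
"""Offline checker for HTTPS enforcement: plain-HTTP redirect plus HSTS header.

Added example. All responses below are constructed, not captured from any host.
"""
import re
from urllib.parse import urlsplit

ONE_YEAR = 31_536_000  # seconds; common minimum for a meaningful HSTS max-age

# --- constructed sample responses (not real traffic) ------------------------
PLAIN_HTTP_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://app.example.test/\r\n"
    "Content-Length: 0\r\n\r\n"
)
PLAIN_HTTP_NO_REDIRECT = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
)
HTTPS_GOOD = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "Content-Type: application/json\r\n\r\n{}"
)
HTTPS_SHORT_MAX_AGE = "HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=300\r\n\r\n"
HTTPS_NO_HSTS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, headers).

    Header names are lower-cased; on repeated headers the first value wins.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return status, headers


def parse_hsts(value):
    """Parse an HSTS header value into its directives (RFC 6797 syntax)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            policy["max_age"] = int(arg) if re.fullmatch(r"\d+", arg) else None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def check_redirect(raw, host):
    """Findings for a plain-HTTP response: must redirect permanently to https:// on `host`."""
    status, headers = parse_response(raw)
    if status not in (301, 308):
        return [f"plain HTTP returned {status} instead of a permanent redirect"]
    target = urlsplit(headers.get("location", ""))
    if target.scheme != "https" or target.hostname != host:
        return [f"redirect target {headers.get('location')!r} is not https://{host}"]
    return []


def check_hsts(raw, min_age=ONE_YEAR):
    """Findings for an HTTPS response: HSTS present, long-lived, covering subdomains."""
    _status, headers = parse_response(raw)
    value = headers.get("strict-transport-security")
    if value is None:
        return ["Strict-Transport-Security header missing"]
    policy = parse_hsts(value)
    findings = []
    if policy["max_age"] is None:
        findings.append("HSTS max-age missing or malformed")
    elif policy["max_age"] < min_age:
        findings.append(f"HSTS max-age {policy['max_age']} is below {min_age}")
    if not policy["include_subdomains"]:
        findings.append("HSTS does not set includeSubDomains")
    return findings


def audit(plain_http_raw, https_raw, host):
    """Combine both checks; an empty list means HTTPS is enforced end to end."""
    return check_redirect(plain_http_raw, host) + check_hsts(https_raw)


if __name__ == "__main__":
    host = "app.example.test"
    print("good:", audit(PLAIN_HTTP_REDIRECT, HTTPS_GOOD, host) or "OK")
    print("short max-age:", audit(PLAIN_HTTP_REDIRECT, HTTPS_SHORT_MAX_AGE, host))
    print("no redirect, no HSTS:", audit(PLAIN_HTTP_NO_REDIRECT, HTTPS_NO_HSTS, host))
```

To use it against a live site, feed `audit` the raw response to a plain `http://` request and the raw response to the `https://` request for the same host. Note that a short max-age during an initial rollout is a common and deliberate choice; the one-year threshold here is the value to aim for once the redirect is known to be stable.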
In case of a security incident
Despite our best efforts, incidents can happen. At Humanitec, we are prepared to respond swiftly and effectively. Our incident management process is designed to minimize impact, restore services, and address the root cause.
If personal data is involved, we comply with GDPR requirements, including notifying affected customers and relevant authorities without undue delay. Our security team is always available to provide assistance and can be contacted at security@humanitec.com.