Security Practices

At Hub Planner we take the security of your data very seriously. We are on a constant journey to meet new standards and make sure we are doing our best to keep your data secure. Some of our security practices include:

General

All Hub Planner accounts use SSL-encrypted connections by default—the same level of security used by online banks. You never send or receive sensitive information in plain-text. Additionally, industry-standard physical and remote security is administered at data center facilities. Hub Planner systems and processes adhere to industry best practices in security, including the following:

  • Encrypted inter-server and inter-data center communication.
  • Sensitive data in the databases is encrypted at rest with AES-256.
  • Strictly controlled access to servers or customer data.
  • Disks including all backups are encrypted at rest.
  • All communication to and from our service is secured over SSL/TLS.
  • All of our servers are verified and updated frequently for security patches.

Confidentiality

There are very strict access controls when it comes to employees or contract personnel (“Hub Planner Personnel”) accessing data (“Customer Data”) that you make available on the Hub Planner service, and we are committed to ensuring that Customer Data is not accessed by Hub Planner Personnel who should not have access to it. In order to run Hub Planner effectively, some Hub Planner Personnel with permissions have access to the systems you use with Hub Planner, which allows them to help Customers tackle issues and diagnose problems a Customer may be having with their Customer Data on the Hub Planner Service. This process is usually on a technical level, and Hub Planner Personnel are prohibited from using access to view Customer Data. Additionally, we may ask the Customer for permission in writing via a support ticket to provide full transparency of the assistance you are receiving.

All decisions about permissions and access to Customer Data are made on a need-to-know basis and depend on whether Hub Planner Personnel require this access to complete their job effectively. Only approved Hub Planner Personnel with the highest role-based rights are able to access Customer Data. Access levels and permissions are regularly reviewed to ensure the correct infrastructure permissions are adhered to, and in the case of employee termination, policies are followed to revoke any access, including SSH keys, usernames and passwords.

The most common use cases for troubleshooting Customer issues are:

  • Troubleshooting a Customer issue on database level – If there is a case where we need to access Customer Data in order to help with a specific issue which is directly related to Customer Data, we will first seek permission from the Customer account owner to access the Customer Data. Only Hub Planner Personnel with permissions to access data will be able to verify any issue.
  • Troubleshooting a Customer issue on User Interface level – If there is a case where we need to access a Customer account in order to help with a specific visual issue they are experiencing in the graphical user interface, which is directly related to a Customer account, we will first seek permission from the Customer to access their account to troubleshoot. Only Hub Planner Personnel with permissions to access data will be able to verify any issue. Access is temporary and is immediately revoked once the issue is resolved.

Internal Training

Employees receive privacy and security training during on-boarding as well as on an ongoing basis.

Infrastructure Compliance

Hub Planner uses Amazon AWS for all of its infrastructure hosting requirements, with the data centers located in the EU. Amazon AWS maintains multiple certifications for its data centers, including ISO 27001 compliance, PCI Certification, TISAX and SOC reports. For more information about their certification and compliance, please visit the AWS Security website and the AWS Compliance website.

Billing & PCI Compliance

Hub Planner is not currently a PCI-certified Service Provider and therefore we use BrainTree Payments to process all credit / debit card payments for Customers. As a Merchant we have completed the Payment Card Industry Data Security Standard’s SAQ, allowing us to use a third party to process your credit card information securely.

Deletion of Customer Data

As a Customer you have the option to delete your data at any point in the system. Once an entity is deleted from your interface, it will enter a queue to be permanently deleted within 30 days, including all backups. We also have an automated deletion process which applies if you decide to delete your subscription, close your account, or not use your trial after expiry: all data will be deleted, including backups, within 30 days.

Security – Two-Factor Authentication

In addition to sophisticated system monitoring and logging, we have implemented two-factor authentication for all server access across our production environment. Firewalls are configured according to industry best practices and unnecessary ports are blocked by configuration with AWS Security Groups.

Disaster Recovery

Customer Data is stored redundantly in our hosting provider’s data centers to ensure availability. We have well-tested backup and restoration procedures, which allow recovery from a major disaster. Customer Data and our source code are automatically backed up at regular intervals.

Production Releases

New features, functionality, and design changes to the Hub Planner platform go through a security review process facilitated by the technical team. In addition, our code is tested in different staging and local environments that replicate production, and manually code reviewed by tech personnel prior to being deployed to production.