Hubvisor Technical and Organizational Security Measures

Last Updated: January 1st, 2025

1. Privacy by Design

Hubvisor incorporates Privacy by Design principles for systems and enhancements at the earliest stage of development as well as educate all employees on security and privacy annually.

2. Information Security Program

Hubvisor maintains organizational, management and dedicated staff responsible for the development, implementation, and maintenance of Hubvisor’s information security program.

3. Security Policies

Hubvisor maintains information security policies and makes sure that policies and measures are regularly reviewed and amend such policies as Hubvisor deems reasonable to maintain protection of Services and data processed therein.

4. Risk Management

Hubvisor assesses risks related to processing of personal data and creates an action plan to mitigate identified risks.

Hubvisor maintains risk assessment procedures for the purposes of such periodic review and assessment of risks to the Hubvisor organization, monitoring and maintaining compliance with Hubvisor policies and procedures, and reporting the condition of its information security and compliance to senior internal management.

5. Physical Security

Hubvisor’s hosting providers maintains physical and environmental security of Hubvisor’s infrastructure containing customer confidential information designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor, and log movement of persons into and out of Hubvisor’s hosting providers facilities, and (iii) guard against environmental hazards such as heat, fire, and water damage.

6. System and Network Security

Network Security. Hubvisor maintains network security controls such as firewalls, remote access control via virtual private networks or remote access solutions, network segmentation, and detection of unauthorized or malicious network activity via security logging and monitoring, designed to protect systems from intrusion and limit the scope of any successful attack.

Data Security. Hubvisor maintains data security controls which include logical segregation of data, restricted (e.g., role-based) access and monitoring, and where applicable, utilization of commercially available and industry-standard encryption technologies.

Encryption. Hubvisor employs encrypted and authenticated remote connectivity to Hubvisor computing environments and customer systems. Hubvisor maintains a cryptographic standard that aligns with recommendations from industry groups, government publications and other reputable standards groups. This standard is periodically reviewed, and selected technologies and ciphers may be updated in accordance with the assessed risk and market acceptance of new standards.

In-Transit Encryption. All network traffic flowing in and out of the Services data centers, including customer data, is encrypted in transit.

At-Rest Encryption. Customer data created by the customer, is encrypted at rest with 256-bit AES encryption.

7. User Access Management

Hubvisor maintains logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).

Password Management. Hubvisor maintains password controls designed to manage and control password strength, expiration, and usage including prohibiting users from sharing passwords. Hubvisor shall ensure password hardening standards are in place that align with accepted industry security frameworks to ensure sufficient controls.

8. Auditing and Logging

Hubvisor maintains system audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.

Hubvisor creates, protects and retains such log records to the extent needed to enable monitoring, analysis, investigation and reporting of unlawful, unauthorized or inappropriate information system activity, including successful and unsuccessful account logon events, account management, events, security events, object access, policy change, privileged functions, administrator account creation/deletion and other administrator activity, data deletions, data access and changes, firewall logs, and permission changes.

9. Change Management

Hubvisor maintains change management procedures and tracking mechanisms designed to test, approve, and monitor all changes to Hubvisor technology and information assets.

10. Threat and Vulnerability Management

Hubvisor maintains measures meant to regularly identify, manage, assess, mitigate and/or remediate vulnerabilities within the Hubvisor computing environments.

Measures include:

Patch management

Threat notification advisories

Vulnerability scanning (all internal systems)

11. Security Incidents

Hubvisor maintains incident response procedures designed to allow Hubvisor to investigate, respond to, mitigate, and notify of events related to Hubvisor technology and information assets.

12. Business Continuity Plans

Hubvisor maintains defined business resiliency/continuity and disaster recovery procedures, as appropriate, designed to maintain service and recovery from foreseeable emergency situations or disasters, consistent with industry standard practices.

13. Vendor Management

Hubvisor may engage and use vendors, acting as subprocessors, that access, store, or process certain customer data.

Hubvisor maintains a formal vendor management program, including vendor security reviews for critical vendors, to ensure compliance with Hubvisor’s information security policies.