Data Security & Privacy FAQ


As of: October 24, 2023

Data Privacy

How does HUMAN protect my privacy?

HUMAN takes commercially reasonable and appropriate measures to protect information against unauthorized access, alteration, disclosure or destruction. HUMAN regularly consults with experts and legal counsel to ensure we understand and meet our compliance obligations under the latest regulations.

HUMAN Security publishes and strictly adheres to a privacy policy to protect all parties utilizing our services. The Privacy Policy details the information we may collect and how it is utilized.

Does HUMAN comply with GDPR?

Yes. HUMAN Security's internal standards meet or exceed GDPR requirements as they relate to general data security.

HUMAN Security has always been committed to data privacy and integrity. For any GDPR-related inquiries, please see our Privacy Policy or reach out to privacy@humansecurity.com.

What customer information does HUMAN store?

Beyond information that is securely kept for billing purposes and the user passwords that control access to the management console, HUMAN stores the following customer data:

  • IP Address
  • Connection metadata (such as request headers, browser identification strings, TLS information)
  • Mouse interaction events

In addition, Account Defender and Credential Intelligence may store user identifiers.

Upon request, stored customer data is deleted or rendered unattributable after the services agreement is terminated.

Does HUMAN share my information?

HUMAN does not resell or transmit user data, other than as required to perform our services as described in our agreements with customers and in our agreements with subprocessors. The HUMAN Security privacy policy outlines the conditions under which we will share your information, such as in response to a valid law enforcement request.

Does HUMAN incorporate privacy by design principles?

HUMAN Security follows the seven principles of Privacy by Design in our service offerings.

  1. Our leaders communicate clear values to the team and endorse privacy controls in policies and standards that all employees must accept.
  2. Privacy is on by default at HUMAN Security: we minimize the collection of identifying information.
  3. Our solution offerings incorporate privacy options, such as dedicated infrastructure for Mediaguard.
  4. Our business model is built on capturing network effects: we offer a positive-sum solution that succeeds through the maintenance of our customers’ privacy.
  5. We integrate security throughout our solution life cycle.
  6. We are clear about our privacy commitments, and we participate in external attestation frameworks to demonstrate that commitment.
  7. We comply with laws, rules, and regulations around data privacy, including honoring data removal requests.

Where may I direct privacy-related inquiries?

Privacy-related inquiries may be sent to privacy@humansecurity.com.

Governance

Does HUMAN have a Code of Conduct policy?

Yes. The HUMAN Code of Conduct strives to foster inclusive, collaborative and safe working conditions for the entire HUMAN Workforce. As such, HUMAN is committed to providing a friendly, safe and welcoming environment for all Workforce members, regardless of gender, sexual orientation, ability, ethnicity, socioeconomic status, or religion (or lack thereof).

Does HUMAN maintain adequate insurance?

Yes, HUMAN maintains insurance to cover numerous types of risk including commercial general liability.

Compliance

What standards does HUMAN comply with?

HUMAN is certified to be SOC 2 Type 2 and ISO 27001 compliant. HUMAN’s SOC 3 report is available here. Customers may request a copy of the current SOC 2 Type 2 report and ISO 27001 certificate through their account manager. HUMAN is also compliant with PCI standards.

Any customer data stored by HUMAN is held in accordance with its Data Retention Policy and is located in data centers secured by AWS, GCP and Equinix. These servers are housed separately from HUMAN’s corporate offices and are not interconnected with them.

Is HUMAN PCI compliant?

Yes. We can provide a self-attestation form. Contact your sales or customer success team for more information.

Our systems do not collect or store payment information; HUMAN is not a payment processor. Because HUMAN Security is not a payment processor, the PCI DSS framework does not permit PCI participants to send us payment card information.

Security

How does HUMAN keep my data secure?

HUMAN implements a multi-layered approach to protecting customer information, including, but not limited to, technical safeguards, dedicated staff and cryptographic methods. HUMAN has a dedicated product security team that identifies potential vulnerabilities and assists engineering with shipping secure code.

HUMAN’s information security program includes measures such as:

  • Documented policies, standards, and procedures
  • Full-time cybersecurity management and staff, and a 24x7 SOC
  • A dedicated incident response team and best-of-breed security tools, including EDR, SIEM and SOAR technologies
  • Cybersecurity training for our employees, including staff and engineers
  • Encryption for data at rest using strong cryptography
  • Encryption for data in transit across trust boundaries using TLS
  • Restricting access to employee and customer-facing systems according to the principle of least privilege
  • Monitoring cybersecurity controls and operations across our portfolio and responding to cybersecurity alerts
  • Cybersecurity controls integrated throughout the system development life cycle (SDLC) for our online systems
  • Annual penetration tests, and additional penetration tests when we make major changes to our systems (including when we change security controls)
  • Bug-bounty programs and acceptance of vulnerability reports from external parties

Does HUMAN use subprocessors?

HUMAN uses subprocessors, including cloud providers and service providers, to conduct our business. We maintain written data privacy agreements with our subprocessors, and we require and review their SOC 2 compliance attestation reports annually.

Who is responsible for cybersecurity at HUMAN?

The Chief Information Security Officer, Gavin Reid, is responsible for cybersecurity at HUMAN. Gavin reports to the CEO and maintains a dedicated Information Security team as well as a cross-functional Security Committee comprising the Information Security team along with executives from other functional areas.

Does HUMAN support Single Sign On (SSO)?

HUMAN supports SAML integration (e.g., Okta, Azure AD, or other identity providers) on our customer interfaces.

Does HUMAN implement MFA?

Customers may implement MFA by integrating an SSO provider that provides it. Internally, we implement MFA for privileged access and for many core internal systems, such as email.

Does HUMAN offer dedicated tenants or dedicated infrastructure?

Certain assets, such as data collectors, may use dedicated infrastructure; however, we do not currently offer dedicated infrastructure for our customers in general, and data isolation is provided logically.

How can I report a vulnerability to HUMAN?

All security-related inquiries regarding vulnerabilities or incidents can be reported to csirt@humansecurity.com.