Security
Hundreds of businesses use Honey to reduce the friction of communicating with their teams and colleagues. These businesses trust Honey to reliably store their data and provide secure access to it. At Honey, we respect the privacy of our customers and make significant efforts to protect all of their data.
Features
- Data encryption in transit and at rest
- Weekly application and infrastructure vulnerability scans
- Real-time intrusion detection, asset discovery, and behavioral monitoring
- Support for SAML 2.0, G Suite, and two-factor authentication
Best Practices
Incident Response Plan
- We have implemented a formal procedure for security events and have educated all our staff on it.
- When security events are detected, they are escalated to our security response team, who are paged, notified, and assembled to rapidly address the event.
- After a security event is resolved, we write up a post-mortem analysis.
- The analysis is reviewed in person, distributed across the company, and includes action items that will make the detection and prevention of a similar event easier in the future.
Build Process Automation
- We have functioning, tested, and required automation in place so that we can safely and reliably roll out changes to both our application and operating platform within minutes.
- We typically deploy code multiple times a week and therefore have extremely high confidence that we can get a security fix out quickly when required.
Vulnerability Detection
Automated scans of Honey’s production and staging infrastructure and application services are conducted a minimum of every 7 days. These scans include audits of system-level packages, changes to server configurations, and application code. All issues that come to our attention through these scans, or other means, are peer reviewed and prioritized based on level of severity. High-severity issues are scheduled for immediate remediation and typically land in production within 1-5 business days. All OS-level security patches are applied automatically nightly.
Monitoring
We use technologies such as AWS CloudTrail, VPC Flow Logs, and osquery to provide an audit trail of our infrastructure and application. Furthermore, we utilize AlienVault to provide real-time analysis of this audit trail for asset discovery, intrusion detection, and vulnerability assessment.
Additionally, we aggregate all WARN-level and higher log entries from our servers using a third-party solution, and raise alerts when any pre-configured thresholds are met. These include monitoring our web servers, application servers, queues, and operating systems.
Finally, we use third-party software to monitor all parts of our infrastructure, including server response times for all layers of our application (web, search, caching, etc.), disk space, memory utilization, application performance, third-party service response times, and application-generated errors. For errors that may occur within our application code, we also leverage Rollbar to aggregate further information and stack traces, which alert our engineers in real time.
Data
- All customer data is stored in the United States.
- Customer data is stored in multi-tenant datastores; we do not have individual datastores for each customer. However, strict privacy controls exist in our application code to ensure data privacy and prevent one customer from accessing another customer’s data.
- All files uploaded to Honey are stored encrypted at rest using 256-bit encryption.
Data Transfer
- All data sent to or from Honey is transferred using 256-bit encryption.
- Our application and API endpoints are TLS (SSL) only and we continually monitor and adjust our security configurations to maintain an "A+" rating on SSL Labs' tests. This means we only use strong cipher suites, deploy HSTS, and have Perfect Forward Secrecy fully enabled.
Backups and Disaster Recovery
Snapshots and backups (images) of customer data are encrypted and stored on a restricted-access private network and are fully redundant to ensure availability. We utilize standard AWS backup procedures as widely as possible, to reduce our burden of specialized procedures for restoration of data. We have tested backup and restoration procedures, which allow recovery from a major disaster. Our operations team are alerted in case of backup failure. Backups are fully tested at least every 90 days to confirm that our processes and tools work as expected.
Infrastructure
All of our services and data are hosted in the cloud using Amazon Web Services (AWS) facilities in the USA. Honey does not run its own routers, load balancers, DNS servers, or physical servers.
- All of our infrastructure is spread across 3 AWS data centers (availability zones) and will continue to work should any one of those data centers fail unexpectedly.
- All of our servers are placed within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from getting to our internal network.
- Further details about the considerable measures Amazon take in securing their facilities and services can be found here: https://aws.amazon.com/compliance/
Access Control
All customer data is considered highly sensitive and protected. Honey restricts the use of administrative access to customer accounts to only authorized and trained employees who need this access for the purpose of providing the Honey services.
Authorized and trained engineers authenticate to our VPN using strong passwords and two-factor authentication before they are granted access to the production environment using passphrase-protected certificates. Honey utilizes breach detection / IDS, which includes real-time monitoring of configuration and file changes. We do not maintain any backdoors to our production systems.
Trained members of the Honey customer success team have limited access to user data through internal customer support tools restricted to access over our VPN. Customer support team members cannot review user-generated content without an express and revocable prior grant of permission.
Compliance
- Honey complies with the General Data Protection Regulation (GDPR).